From 30885bcc8a35a95f904adbe0cc7ed09ba469e93f Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Mon, 20 Jan 2020 05:50:52 -0500
Subject: [PATCH 1/7] Downgrade TLS settings for port 25, partially reverting f53b18ebb9b1c4c9aba95b3a26bee2be85f8002f

Port 25 now is aligned with Mozilla's "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1. See #1705

---
 setup/mail-postfix.sh | 36 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 14 deletions(-)

diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index 695884ea..0a66cb0f 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -80,7 +80,7 @@ tools/editconf.py /etc/postfix/main.cf \
 # OpenDKIM milter only. See dkim.sh.
 # * Even though we dont allow auth over non-TLS connections (smtpd_tls_auth_only below, and without auth the client cant
 # send outbound mail), don't allow non-TLS mail submission on this port anyway to prevent accidental misconfiguration.
-# By putting this setting here we leave opportunistic TLS on incoming mail at default cipher settings (any cipher is better than none).
+# Setting smtpd_tls_security_level=encrypt also triggers the use of the 'mandatory' settings below.
 # * Give it a different name in syslog to distinguish it from the port 25 smtpd server.
 # * Add a new cleanup service specific to the submission service ('authclean')
 # that filters out privacy-sensitive headers on mail being sent out by
@@ -106,25 +106,34 @@ cp conf/postfix_outgoing_mail_header_filters /etc/postfix/outgoing_mail_header_f
 sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /etc/postfix/outgoing_mail_header_filters
 sed -i "s/PUBLIC_IP/$PUBLIC_IP/" /etc/postfix/outgoing_mail_header_filters
 
-# Enable TLS on these and all other connections (i.e. ports 25 *and* 587) and
-# require TLS before a user is allowed to authenticate. This also makes
-# opportunistic TLS available on *incoming* mail.
-# Set stronger DH parameters, which via openssl tend to default to 1024 bits.
-# Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1
-# (but use and override the "high" cipher list so we don't conflict with the
-# more permissive settings for outgoing mail).
+# Enable TLS on incoming connections. It is not required on port 25, allowing for opportunistic
+# encryption. On port 587 it is mandatory (see above). Shared and non-shared settings are
+# given here. Shared settings include:
+# * Require TLS before a user is allowed to authenticate.
+# * Set the path to the server TLS certificate and 2048-bit DH parameters for old DH ciphers.
+# For port 25 only:
+# * Disable extremely old versions of TLS and extremely unsafe ciphers, but some mail servers out in
+# the world are very far behind and if we disable too much, they may not be able to use TLS and
+# won't fall back to cleartext. So we don't disable too much. smtpd_tls_exclude_ciphers applies to
+# both port 25 and port 587, but because we override the cipher list for both, it probably isn't used.
+# Use Mozilla's "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1
+# For port 587 (via the 'mandatory' settings):
+# * Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1
+# using and overriding the "high" cipher list so we don't conflict with the more permissive settings for port 25.
 tools/editconf.py /etc/postfix/main.cf \
 smtpd_tls_security_level=may\
 smtpd_tls_auth_only=yes \
 smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
 smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
 smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
- smtpd_tls_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
+ smtpd_tls_protocols="!SSLv2,!SSLv3" \
+ smtpd_tls_ciphers=medium \
+ tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \
+ smtpd_tls_exclude_ciphers=aNULL,RC4 \
 smtpd_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
- smtpd_tls_ciphers=high \
 smtpd_tls_mandatory_ciphers=high \
- smtpd_tls_exclude_ciphers= \
 tls_high_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 \
+ smtpd_tls_mandatory_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 \
 tls_preempt_cipherlist=no \
 smtpd_tls_received_header=yes
 
@@ -150,7 +159,7 @@ tools/editconf.py /etc/postfix/main.cf \
 # Since we'd rather have poor encryption than none at all, we use Mozilla's
 # "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1
 # for opportunistic encryption but "Intermediate" recommendations when DANE
-# is used (see next and above).
+# is used (see next and above). The cipher lists are set above.
 
 # DANE takes this a step further:
 # Postfix queries DNS for the TLSA record on the destination MX host. If no TLSA records are found,
@@ -166,8 +175,7 @@ tools/editconf.py /etc/postfix/main.cf \
 tools/editconf.py /etc/postfix/main.cf \
 smtp_tls_protocols=\!SSLv2,\!SSLv3 \
 smtp_tls_ciphers=medium \
- tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \
- smtp_tls_exclude_ciphers= \
+ smtp_tls_exclude_ciphers=aNULL,RC4 \
 smtp_tls_security_level=dane \
 smtp_dns_support_level=dnssec \
 smtp_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
From e6294049bca1c117e6a36ceaaa2647d6a8f9bf42 Mon Sep 17 00:00:00 2001
From: jvolkenant
Date: Tue, 21 Jan 2020 23:58:04 -0800
Subject: [PATCH 2/7] Update Roundcube persistent_login plugin (#1712)

---
 setup/webmail.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/webmail.sh b/setup/webmail.sh
index f44ea047..940d7153 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
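Review bot: The closing sentence of the new comment block, `smtpd_tls_exclude_ciphers applies to both port 25 and port 587, but because we override the cipher list for both, it probably isn't used`, misstates how Postfix applies exclusions: the exclude lists are applied on top of whichever cipherlist is selected, so `smtpd_tls_exclude_ciphers=aNULL,RC4` is in effect on every smtpd connection; it simply matches nothing in the current `tls_medium_cipherlist`/`tls_high_cipherlist`. On port 25 that means `DES-CBC3-SHA` from the medium list remains the one 3DES suite still offered, which matches the Mozilla "Old" profile the commit message cites but is worth stating explicitly, while on port 587 the `smtpd_tls_mandatory_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4` entries are redundant against the AEAD-only high list but harmless as a guard. I would replace that sentence with `# smtpd_tls_exclude_ciphers is applied on top of both cipher lists; it removes nothing from them today but keeps aNULL/RC4 out if the lists are later widened.` It may also be worth noting in the same comment that `tls_medium_cipherlist` is a global main.cf parameter, so the value set here is the one the outbound `smtp_tls_ciphers=medium` client in the later editconf call now relies on, since that hunk drops its own copy.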
@@ -30,7 +30,7 @@ apt_install \
 # whether we have the latest version of everything.
 VERSION=1.4.1
 HASH=f4ecc63185b8f7b4ce5bccdc9fc689571e82c489
-PERSISTENT_LOGIN_VERSION=dc5ca3d3f4415cc41edb2fde533c8a8628a94c76
+PERSISTENT_LOGIN_VERSION=6b3fc450cae23ccb2f393d0ef67aa319e877e435
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
 CARDDAV_VERSION=3.0.3
 CARDDAV_HASH=d1e3b0d851ffa2c6bd42bf0c04f70d0e1d0d78f8
From b86bf07d57b1d54143b4fcd8e52838ba0b43cff8 Mon Sep 17 00:00:00 2001
From: "E.M. Makat" <29872150+emmakat@users.noreply.github.com>
Date: Tue, 21 Jan 2020 23:58:40 -0800
Subject: [PATCH 3/7] Fix spelling of 'guarantee' (#1703)

---
 security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security.md b/security.md
index bc980808..3b51f235 100644
--- a/security.md
+++ b/security.md
@@ -95,7 +95,7 @@ Domain policy records allow recipient MTAs to detect when the _domain_ part of o
 
 ### User Policy
 
-While domain policy records prevent other servers from sending mail with a "From:" header that matches a domain hosted on the box (see above), those policy records do not guarnatee that the user portion of the sender email address matches the actual sender. In enterprise environments where the box may host the mail of untrusted users, it is important to guard against users impersonating other users.
+While domain policy records prevent other servers from sending mail with a "From:" header that matches a domain hosted on the box (see above), those policy records do not guarantee that the user portion of the sender email address matches the actual sender. In enterprise environments where the box may host the mail of untrusted users, it is important to guard against users impersonating other users.
 
 The box restricts the envelope sender address (also called the return path or MAIL FROM address --- this is different from the "From:" header) that users may put into outbound mail. The envelope sender address must be either their own email address (their SMTP login username) or any alias that they are listed as a permitted sender of. (There is currently no restriction on the contents of the "From:" header.)
 
From faee29ba8b6ba8a3b8de234e41c2cfedf4d3dbf6 Mon Sep 17 00:00:00 2001
From: Michael Kroes
Date: Wed, 22 Jan 2020 09:06:17 +0100
Subject: [PATCH 4/7] Bump Nextcloud to 17.0.2 (#1702)

---
 CHANGELOG.md | 2 +-
 setup/nextcloud.sh | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f7e1e870..8b6f3a2b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,7 @@ WebMail:
 
 Software updates:
 
-* Upgraded Nextcloud from 15.0.8 to 17.0.1 (with Contacts from 3.1.1 to 3.1.6 and Calendar from 1.6.5 to 1.7.1)
+* Upgraded Nextcloud from 15.0.8 to 17.0.2 (with Contacts from 3.1.1 to 3.1.6 and Calendar from 1.6.5 to 1.7.1)
 * Upgraded Z-Push to 2.5.1.
 * Upgraded Roundcube from 1.3.10 to 1.4.1.
 
diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index e80480a5..3ab21176 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -91,8 +91,8 @@ InstallNextcloud() {
 }
 
 # Nextcloud Version to install. Checks are done down below to step through intermediate versions.
-nextcloud_ver=17.0.1
-nextcloud_hash=81e47f2288377927346a4b4cbbb2ecf1b6f4a0e1
+nextcloud_ver=17.0.2
+nextcloud_hash=8095fb46e9e0c536163708aee3d17fab8b498ad6
 
 # Current Nextcloud Version, #1623
 # Checking /usr/local/lib/owncloud/version.php shows version of the Nextcloud application, not the DB
From 23be1031b8e867a5c3a92b27d75cf0f071f4d8f3 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Wed, 22 Jan 2020 03:08:25 -0500
Subject: [PATCH 5/7] Remove security.md's information about port 25 which is out of date

---
 security.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security.md b/security.md
index 3b51f235..8c9d43e5 100644
--- a/security.md
+++ b/security.md
@@ -41,7 +41,6 @@ The services all follow these rules:
 * TLS certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints. The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one. ([source](setup/ssl.sh))
 * Only TLSv1.2+ are offered (the older SSL protocols are not offered).
 * We track the [Mozilla Intermediate Ciphers Recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS), balancing security with supporting a wide range of mail clients. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy. For more details, see the [output of SSLyze for these ports](tests/tls_results.txt).
-* SMTP port 25 (inbound) follows similar rules. Outbound SMTP (i.e. the server is the client) uses more relaxed settings.
 
 Additionally:
 
From ddadb6c28a7915849049c071e4cadf2d66d8da2e Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Wed, 22 Jan 2020 03:25:26 -0500
Subject: [PATCH 6/7] Roundcube 1.4.2

---
 CHANGELOG.md | 5 +----
 setup/webmail.sh | 4 ++--
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8b6f3a2b..9786361d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,14 +8,11 @@ System:
 
 * TLS settings have been upgraded following Mozilla's recommendations for servers. TLS1.2 and 1.3 are now the only supported protocols for web, IMAP, and SMTP (submission).
 
-WebMail:
-* Set the default Roundcube skin to the new "Elastic" theme.
-
 Software updates:
 
 * Upgraded Nextcloud from 15.0.8 to 17.0.2 (with Contacts from 3.1.1 to 3.1.6 and Calendar from 1.6.5 to 1.7.1)
 * Upgraded Z-Push to 2.5.1.
-* Upgraded Roundcube from 1.3.10 to 1.4.1.
+* Upgraded Roundcube from 1.3.10 to 1.4.2 and changed the default skin (theme) to Elastic.
 
 Control panel:
 
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 940d7153..89ed1722 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -28,8 +28,8 @@ apt_install \
 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of plugins to track
 # whether we have the latest version of everything.
-VERSION=1.4.1
-HASH=f4ecc63185b8f7b4ce5bccdc9fc689571e82c489
+VERSION=1.4.2
+HASH=d53fcd7f1109a63364d5d4a43f879c6f47d34a89
 PERSISTENT_LOGIN_VERSION=6b3fc450cae23ccb2f393d0ef67aa319e877e435
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
 CARDDAV_VERSION=3.0.3
From ab5ce01bddf8dc2576492c0c67d7966d8db0ac9e Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Wed, 22 Jan 2020 03:36:02 -0500
Subject: [PATCH 7/7] Some changelog entries

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9786361d..27ae2c3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ Under Development
 System:
 
 * TLS settings have been upgraded following Mozilla's recommendations for servers. TLS1.2 and 1.3 are now the only supported protocols for web, IMAP, and SMTP (submission).
+* Fixed an issue starting services when Mail-in-a-Box isn't on the root filesystem.
+* Changed some performance options affecting Roundcube and Nextcloud.
 
 Software updates:
 
@@ -22,6 +24,7 @@ Control panel:
 Mail:
 
 * Fetching of updated whitelist for greylisting was fetching each day instead of every month.
+* OpenDKIM signing has been changed to 'relaxed' mode so that some old mail lists that forward mail can do so.
 
 DNS: