mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2025-04-01 23:57:05 +00:00
Merge pull request #30 from downtownallday/merge-upstream
Merge upstream
This commit is contained in:
commit
379fd9a25b
25
CHANGELOG.md
25
CHANGELOG.md
@ -1,6 +1,31 @@
|
||||
CHANGELOG
|
||||
=========
|
||||
|
||||
In Development
|
||||
--------------
|
||||
|
||||
Package updates:
|
||||
|
||||
* Roundcube updated to version 1.6.6.
|
||||
* Nextcloud is updated to version 22.0.12.
|
||||
|
||||
Mail:
|
||||
|
||||
* Updated postfix's configuration to guard against SMTP smuggling to the long-term fix (https://www.postfix.org/smtp-smuggling.html).
|
||||
|
||||
Control Panel:
|
||||
|
||||
* Improved reporting of Spamhaus response codes.
|
||||
* Improved detection of SSH port.
|
||||
* Fixed an error if last saved status check results were corrupted.
|
||||
* Other minor fixes.
|
||||
|
||||
Other:
|
||||
|
||||
* fail2ban is updated to see "HTTP/2.0" requests to munin also.
|
||||
* Internal improvements to the code to make it more reliable and readable.
|
||||
|
||||
|
||||
Version 67 (December 22, 2023)
|
||||
------------------------------
|
||||
|
||||
|
@ -19,9 +19,8 @@ import rtyaml
|
||||
import dns.resolver
|
||||
import hooks
|
||||
|
||||
from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains
|
||||
from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains, get_ssh_port
|
||||
from ssl_certificates import get_ssl_certificates, check_certificate
|
||||
import contextlib
|
||||
|
||||
# From https://stackoverflow.com/questions/3026957/how-to-validate-a-domain-name-using-regex-php/16491074#16491074
|
||||
# This regular expression matches domain names according to RFCs, it also accepts fqdn with an leading dot,
|
||||
@ -464,14 +463,11 @@ def build_sshfp_records():
|
||||
# if SSH has been configured to listen on a nonstandard port, we must
|
||||
# specify that port to sshkeyscan.
|
||||
|
||||
port = 22
|
||||
with open('/etc/ssh/sshd_config', encoding="utf-8") as f:
|
||||
for line in f:
|
||||
s = line.rstrip().split()
|
||||
if len(s) == 2 and s[0] == 'Port':
|
||||
with contextlib.suppress(ValueError):
|
||||
port = int(s[1])
|
||||
break
|
||||
port = get_ssh_port()
|
||||
|
||||
# If nothing returned, SSH is probably not installed.
|
||||
if not port:
|
||||
return
|
||||
|
||||
keys = shell("check_output", ["ssh-keyscan", "-4", "-t", "rsa,dsa,ecdsa,ed25519", "-p", str(port), "localhost"])
|
||||
keys = sorted(keys.split("\n"))
|
||||
|
@ -27,7 +27,7 @@ from web_update import get_web_domains, get_domains_with_a_records
|
||||
from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate
|
||||
from mailconfig import get_mail_domains, get_mail_aliases
|
||||
|
||||
from utils import shell, sort_domains, load_env_vars_from_file, load_settings
|
||||
from utils import shell, sort_domains, load_env_vars_from_file, load_settings, get_ssh_port, get_ssh_config_value
|
||||
import hooks
|
||||
|
||||
def get_services():
|
||||
@ -76,25 +76,6 @@ def run_checks(rounded_values, env, output, pool, domains_to_check=None):
|
||||
run_network_checks(env, output)
|
||||
run_domain_checks(rounded_values, env, output, pool, domains_to_check=domains_to_check)
|
||||
|
||||
|
||||
def get_ssh_port():
|
||||
# Returns ssh port
|
||||
try:
|
||||
output = shell('check_output', ['sshd', '-T'])
|
||||
except FileNotFoundError:
|
||||
# sshd is not installed. That's ok.
|
||||
return None
|
||||
|
||||
returnNext = False
|
||||
for e in output.split():
|
||||
if returnNext:
|
||||
return int(e)
|
||||
if e == "port":
|
||||
returnNext = True
|
||||
|
||||
# Did not find port!
|
||||
return None
|
||||
|
||||
def run_services_checks(env, output, pool):
|
||||
# Check that system services are running.
|
||||
all_running = True
|
||||
@ -218,21 +199,15 @@ def is_port_allowed(ufw, port):
|
||||
return any(re.match(str(port) +"[/ \t].*", item) for item in ufw)
|
||||
|
||||
def check_ssh_password(env, output):
|
||||
# Check that SSH login with password is disabled. The openssh-server
|
||||
# package may not be installed so check that before trying to access
|
||||
# the configuration file.
|
||||
if not os.path.exists("/etc/ssh/sshd_config"):
|
||||
return
|
||||
with open("/etc/ssh/sshd_config", encoding="utf-8") as f:
|
||||
sshd = f.read()
|
||||
if re.search("\nPasswordAuthentication\\s+yes", sshd) \
|
||||
or not re.search("\nPasswordAuthentication\\s+no", sshd):
|
||||
output.print_error("""The SSH server on this machine permits password-based login. A more secure
|
||||
way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
|
||||
that you can log in without a password, set the option 'PasswordAuthentication no' in
|
||||
/etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
|
||||
else:
|
||||
output.print_ok("SSH disallows password-based login.")
|
||||
config_value = get_ssh_config_value("passwordauthentication")
|
||||
if config_value:
|
||||
if config_value == "no":
|
||||
output.print_ok("SSH disallows password-based login.")
|
||||
else:
|
||||
output.print_error("""The SSH server on this machine permits password-based login. A more secure
|
||||
way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
|
||||
that you can log in without a password, set the option 'PasswordAuthentication no' in
|
||||
/etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
|
||||
|
||||
def is_reboot_needed_due_to_package_installation():
|
||||
return os.path.exists("/var/run/reboot-required")
|
||||
|
@ -205,6 +205,34 @@ def wait_for_service(port, public, env, timeout):
|
||||
return False
|
||||
time.sleep(min(timeout/4, 1))
|
||||
|
||||
def get_ssh_port():
|
||||
port_value = get_ssh_config_value("port")
|
||||
|
||||
if port_value:
|
||||
return int(port_value)
|
||||
|
||||
return None
|
||||
|
||||
def get_ssh_config_value(parameter_name):
|
||||
# Returns ssh configuration value for the provided parameter
|
||||
try:
|
||||
output = shell('check_output', ['sshd', '-T'])
|
||||
except FileNotFoundError:
|
||||
# sshd is not installed. That's ok.
|
||||
return None
|
||||
except subprocess.CalledProcessError:
|
||||
# error while calling shell command
|
||||
return None
|
||||
|
||||
for line in output.split("\n"):
|
||||
if " " not in line: continue # there's a blank line at the end
|
||||
key, values = line.split(" ", 1)
|
||||
if key == parameter_name:
|
||||
return values # space-delimited if there are multiple values
|
||||
|
||||
# Did not find the parameter!
|
||||
return None
|
||||
|
||||
if __name__ == "__main__":
|
||||
from web_update import get_web_domains
|
||||
env = load_environment()
|
||||
|
@ -81,10 +81,16 @@ tools/editconf.py /etc/postfix/main.cf \
|
||||
policy-spf_time_limit=3600
|
||||
|
||||
# Guard against SMTP smuggling
|
||||
# This short-term workaround is recommended at https://www.postfix.org/smtp-smuggling.html
|
||||
# This "long-term" fix is recommended at https://www.postfix.org/smtp-smuggling.html.
|
||||
# This beecame supported in a backported fix in package version 3.6.4-1ubuntu1.3. It is
|
||||
# unnecessary in Postfix 3.9+ where this is the default. The "short-term" workarounds
|
||||
# that we previously had are reverted to postfix defaults (though smtpd_discard_ehlo_keywords
|
||||
# was never included in a released version of Mail-in-a-Box).
|
||||
tools/editconf.py /etc/postfix/main.cf -e \
|
||||
smtpd_data_restrictions= \
|
||||
smtpd_discard_ehlo_keywords=
|
||||
tools/editconf.py /etc/postfix/main.cf \
|
||||
smtpd_data_restrictions=reject_unauth_pipelining \
|
||||
smtpd_discard_ehlo_keywords="chunking, silent-discard"
|
||||
smtpd_forbid_bare_newline=normalize
|
||||
|
||||
# ### Outgoing Mail
|
||||
|
||||
|
@ -39,7 +39,7 @@ import sys, re
|
||||
|
||||
# sanity check
|
||||
if len(sys.argv) < 3:
|
||||
print("usage: python3 editconf.py /etc/file.conf [-s] [-w] [-c <CHARACTER>] [-t] NAME=VAL [NAME=VAL ...]")
|
||||
print("usage: python3 editconf.py /etc/file.conf [-e] [-s] [-w] [-c <CHARACTER>] [-t] NAME=VAL [NAME=VAL ...]")
|
||||
sys.exit(1)
|
||||
|
||||
# parse command line arguments
|
||||
|
Loading…
Reference in New Issue
Block a user