Merge pull request #30 from downtownallday/merge-upstream

Merge upstream
2025-04-01 23:57:05 +00:00 · 2024-03-23 18:11:45 -04:00 · 2024-03-23 18:11:45 -04:00 · 379fd9a25b
commit 379fd9a25b
parent a219d6fd67 6ade958e2d
6 changed files with 79 additions and 49 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,31 @@
 CHANGELOG
 =========

+In Development
+--------------
+
+Package updates:
+
+* Roundcube updated to version 1.6.6.
+* Nextcloud is updated to version 22.0.12.
+
+Mail:
+
+* Updated postfix's configuration to guard against SMTP smuggling to the long-term fix (https://www.postfix.org/smtp-smuggling.html).
+
+Control Panel:
+
+* Improved reporting of Spamhaus response codes.
+* Improved detection of SSH port.
+* Fixed an error if last saved status check results were corrupted.
+* Other minor fixes.
+
+Other:
+
+* fail2ban is updated to see "HTTP/2.0" requests to munin also.
+* Internal improvements to the code to make it more reliable and readable.
+
+
 Version 67 (December 22, 2023)
 ------------------------------

--- a/management/dns_update.py
+++ b/management/dns_update.py
@ -19,9 +19,8 @@ import rtyaml
 import dns.resolver
 import hooks

-from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains
+from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains, get_ssh_port
 from ssl_certificates import get_ssl_certificates, check_certificate
-import contextlib

 # From https://stackoverflow.com/questions/3026957/how-to-validate-a-domain-name-using-regex-php/16491074#16491074
 # This regular expression matches domain names according to RFCs, it also accepts fqdn with an leading dot,
@ -464,14 +463,11 @@ def build_sshfp_records():
 	# if SSH has been configured to listen on a nonstandard port, we must
 	# specify that port to sshkeyscan.

-	port = 22
-	with open('/etc/ssh/sshd_config', encoding="utf-8") as f:
-		for line in f:
-			s = line.rstrip().split()
-			if len(s) == 2 and s[0] == 'Port':
-				with contextlib.suppress(ValueError):
-					port = int(s[1])
-				break
+	port = get_ssh_port()
+
+	# If nothing returned, SSH is probably not installed.
+	if not port:
+		return

 	keys = shell("check_output", ["ssh-keyscan", "-4", "-t", "rsa,dsa,ecdsa,ed25519", "-p", str(port), "localhost"])
 	keys = sorted(keys.split("\n"))
--- a/management/status_checks.py
+++ b/management/status_checks.py
@ -27,7 +27,7 @@ from web_update import get_web_domains, get_domains_with_a_records
 from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate
 from mailconfig import get_mail_domains, get_mail_aliases

-from utils import shell, sort_domains, load_env_vars_from_file, load_settings
+from utils import shell, sort_domains, load_env_vars_from_file, load_settings, get_ssh_port, get_ssh_config_value
 import hooks

 def get_services():
@ -76,25 +76,6 @@ def run_checks(rounded_values, env, output, pool, domains_to_check=None):
 	run_network_checks(env, output)
 	run_domain_checks(rounded_values, env, output, pool, domains_to_check=domains_to_check)

-
-def get_ssh_port():
-	# Returns ssh port
-	try:
-		output = shell('check_output', ['sshd', '-T'])
-	except FileNotFoundError:
-		# sshd is not installed. That's ok.
-		return None
-
-	returnNext = False
-	for e in output.split():
-		if returnNext:
-			return int(e)
-		if e == "port":
-			returnNext = True
-
-	# Did not find port!
-	return None
-
 def run_services_checks(env, output, pool):
 	# Check that system services are running.
 	all_running = True
@ -218,21 +199,15 @@ def is_port_allowed(ufw, port):
 	return any(re.match(str(port) +"[/ \t].*", item) for item in ufw)

 def check_ssh_password(env, output):
-	# Check that SSH login with password is disabled. The openssh-server
-	# package may not be installed so check that before trying to access
-	# the configuration file.
-	if not os.path.exists("/etc/ssh/sshd_config"):
-		return
-	with open("/etc/ssh/sshd_config", encoding="utf-8") as f:
-		sshd = f.read()
-	if re.search("\nPasswordAuthentication\\s+yes", sshd) \
-		or not re.search("\nPasswordAuthentication\\s+no", sshd):
-		output.print_error("""The SSH server on this machine permits password-based login. A more secure
-			way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
-			that you can log in without a password, set the option 'PasswordAuthentication no' in
-			/etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
-	else:
-		output.print_ok("SSH disallows password-based login.")
+	config_value = get_ssh_config_value("passwordauthentication")
+	if config_value:
+		if config_value == "no":
+			output.print_ok("SSH disallows password-based login.")
+		else:
+			output.print_error("""The SSH server on this machine permits password-based login. A more secure
+				way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
+				that you can log in without a password, set the option 'PasswordAuthentication no' in
+				/etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")

 def is_reboot_needed_due_to_package_installation():
 	return os.path.exists("/var/run/reboot-required")
--- a/management/utils.py
+++ b/management/utils.py
@ -205,6 +205,34 @@ def wait_for_service(port, public, env, timeout):
 				return False
 		time.sleep(min(timeout/4, 1))

+def get_ssh_port():
+	port_value = get_ssh_config_value("port")
+
+	if port_value:
+		return int(port_value)
+
+	return None
+
+def get_ssh_config_value(parameter_name):
+	# Returns ssh configuration value for the provided parameter
+	try:
+		output = shell('check_output', ['sshd', '-T'])
+	except FileNotFoundError:
+		# sshd is not installed. That's ok.
+		return None
+	except subprocess.CalledProcessError:
+		# error while calling shell command
+		return None
+
+	for line in output.split("\n"):
+		if " " not in line: continue # there's a blank line at the end
+		key, values = line.split(" ", 1)
+		if key == parameter_name:
+			return values # space-delimited if there are multiple values
+
+	# Did not find the parameter!
+	return None
+
 if __name__ == "__main__":
 	from web_update import get_web_domains
 	env = load_environment()
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@ -81,10 +81,16 @@ tools/editconf.py /etc/postfix/main.cf \
 	policy-spf_time_limit=3600

 # Guard against SMTP smuggling
-# This short-term workaround is recommended at https://www.postfix.org/smtp-smuggling.html
+# This "long-term" fix is recommended at https://www.postfix.org/smtp-smuggling.html.
+# This beecame supported in a backported fix in package version 3.6.4-1ubuntu1.3. It is
+# unnecessary in Postfix 3.9+ where this is the default. The "short-term" workarounds
+# that we previously had are reverted to postfix defaults (though smtpd_discard_ehlo_keywords
+# was never included in a released version of Mail-in-a-Box).
+tools/editconf.py /etc/postfix/main.cf -e \
+       smtpd_data_restrictions= \
+       smtpd_discard_ehlo_keywords=
 tools/editconf.py /etc/postfix/main.cf \
-	smtpd_data_restrictions=reject_unauth_pipelining \
-	smtpd_discard_ehlo_keywords="chunking, silent-discard"
+       smtpd_forbid_bare_newline=normalize

 # ### Outgoing Mail

--- a/tools/editconf.py
+++ b/tools/editconf.py
@ -39,7 +39,7 @@ import sys, re

 # sanity check
 if len(sys.argv) < 3:
-	print("usage: python3 editconf.py /etc/file.conf [-s] [-w] [-c <CHARACTER>] [-t] NAME=VAL [NAME=VAL ...]")
+	print("usage: python3 editconf.py /etc/file.conf [-e] [-s] [-w] [-c <CHARACTER>] [-t] NAME=VAL [NAME=VAL ...]")
 	sys.exit(1)

 # parse command line arguments