From 0ab43ef4fd9aa5ec84ca8575cfd86eea4766275c Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 21 Jun 2014 17:08:18 +0000 Subject: [PATCH 1/4] have webfinger output a JSON file in STORAGE_ROOT/webfinger/(acct/..) --- setup/web.sh | 2 ++ tools/webfinger.php | 39 ++++++++++++++++++++++++++++++++++++--- 2 files changed, 38 insertions(+), 3 deletions(-) diff --git a/setup/web.sh b/setup/web.sh index 96b0397e..1fda1331 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -34,6 +34,8 @@ update-rc.d php-fastcgi defaults # Put our webfinger server script into a well-known location. cp tools/webfinger.php /usr/local/bin/mailinabox-webfinger.php chown www-data.www-data /usr/local/bin/mailinabox-webfinger.php +mkdir -p $STORAGE_ROOT/webfinger/acct; +chown -R $STORAGE_USER $STORAGE_ROOT/webfinger # Start services. service nginx restart diff --git a/tools/webfinger.php b/tools/webfinger.php index 2192e089..9fffbca0 100755 --- a/tools/webfinger.php +++ b/tools/webfinger.php @@ -1,9 +1,42 @@ $resource, - ), JSON_PRETTY_PRINT); + echo file_get_contents($fn); + + //json_encode(array( + // subject => $resource, + //), JSON_PRETTY_PRINT); ?> From 67d31ed998b6c0310d5983ac19f3659a3d29f191 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 21 Jun 2014 22:15:53 +0000 Subject: [PATCH 2/4] move the SSL setup into its own bash script since it is used for much more than email now --- management/dns_update.py | 7 +++---- setup/mail.sh | 26 +----------------------- setup/ssl.sh | 43 ++++++++++++++++++++++++++++++++++++++++ setup/start.sh | 1 + 4 files changed, 48 insertions(+), 29 deletions(-) create mode 100755 setup/ssl.sh diff --git a/management/dns_update.py b/management/dns_update.py index d6edc7ce..8e3b135b 100755 --- a/management/dns_update.py +++ b/management/dns_update.py @@ -132,7 +132,7 @@ def build_zone(domain, zonefile, env, with_ns=True): records.append(("ns1", "A", env["PUBLIC_IP"])) records.append(("ns2", "A", env["PUBLIC_IP"])) - # Add a TLSA record for SMTP. + # Add a DANE TLSA record for SMTP. records.append(("_25._tcp", "TLSA", build_tlsa_record(env))) def has_rec(qname, rtype): @@ -179,9 +179,8 @@ def build_zone(domain, zonefile, env, with_ns=True): ######################################################################## def build_tlsa_record(env): - # A TLSA record in DNS specifies that connections on a port, e.g. - # the SMTP port, must use TLS and the certificate must match a - # particular certificate. + # A DANE TLSA record in DNS specifies that connections on a port + # must use TLS and the certificate must match a particular certificate. # # Thanks to http://blog.huque.com/2012/10/dnssec-and-certificates.html # for explaining all of this! diff --git a/setup/mail.sh b/setup/mail.sh index c18379d6..90a50736 100755 --- a/setup/mail.sh +++ b/setup/mail.sh @@ -18,8 +18,7 @@ source /etc/mailinabox.conf # load global vars apt_install \ postfix postgrey postfix-pcre \ - dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3 \ - openssl + dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3 mkdir -p $STORAGE_ROOT/mail @@ -244,29 +243,6 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ -# SSL CERTIFICATE - -mkdir -p $STORAGE_ROOT/ssl -if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then - # Generate a new private key if one doesn't already exist. - # Set the umask so the key file is not world-readable. - (umask 077; openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048) -fi -if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then - # Generate a certificate signing request if one doesn't already exist. - openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \ - -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PUBLIC_HOSTNAME" -fi -if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then - # Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist. - openssl x509 -req -days 365 \ - -in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem -fi -echo -echo "Your SSL certificate's fingerpint is:" -openssl x509 -in /home/user-data/ssl/ssl_certificate.pem -noout -fingerprint -echo - # PERMISSIONS / RESTART SERVICES # Ensure configuration files are owned by dovecot and not world readable. diff --git a/setup/ssl.sh b/setup/ssl.sh new file mode 100755 index 00000000..724bf459 --- /dev/null +++ b/setup/ssl.sh @@ -0,0 +1,43 @@ +#!/bin/bash +# +# SSL Certificate +# +# Create a self-signed SSL certificate if one has not yet been created. +# +# The certificate is for PUBLIC_HOSTNAME specifically and is used for: +# +# * IMAP +# * SMTP submission (port 587) and opportunistic TLS (when on the receiving end) +# * the DNSSEC DANE TLSA record for SMTP +# * HTTPS (for PUBLIC_HOSTNAME only) +# +# When other domains besides PUBLIC_HOSTNAME are served over HTTPS, +# we generate a domain-specific self-signed certificate in the management +# daemon (web_update.py) as needed. + +source setup/functions.sh # load our functions +source /etc/mailinabox.conf # load global vars + +apt_install openssl + +mkdir -p $STORAGE_ROOT/ssl +if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then + # Generate a new private key if one doesn't already exist. + # Set the umask so the key file is not world-readable. + (umask 077; openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048) +fi +if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then + # Generate a certificate signing request if one doesn't already exist. + openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \ + -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PUBLIC_HOSTNAME" +fi +if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then + # Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist. + openssl x509 -req -days 365 \ + -in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem +fi + +echo +echo "Your SSL certificate's fingerpint is:" +openssl x509 -in /home/user-data/ssl/ssl_certificate.pem -noout -fingerprint +echo diff --git a/setup/start.sh b/setup/start.sh index 3c3b36ce..a8d30025 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -122,6 +122,7 @@ EOF # Start service configuration. . setup/system.sh +. setup/ssl.sh . setup/dns.sh . setup/mail.sh . setup/dkim.sh From 53e15eae15bc77cb65ea306946b6b0946ae6d513 Mon Sep 17 00:00:00 2001 From: Michael Kropat Date: Sat, 21 Jun 2014 23:25:35 +0000 Subject: [PATCH 3/4] Tell Flask to log to syslog - Writes Flask warnings and errors to `/var/log/syslog` - Helps to debug issues when running in production --- management/daemon.py | 4 ++++ management/utils.py | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/management/daemon.py b/management/daemon.py index 9d652dcd..762076e1 100755 --- a/management/daemon.py +++ b/management/daemon.py @@ -97,4 +97,8 @@ def do_updates(): if __name__ == '__main__': if "DEBUG" in os.environ: app.debug = True + + if not app.debug: + app.logger.addHandler(utils.create_syslog_handler()) + app.run(port=10222) diff --git a/management/utils.py b/management/utils.py index c3c34533..bc3af8b5 100644 --- a/management/utils.py +++ b/management/utils.py @@ -95,3 +95,9 @@ def shell(method, cmd_args, env={}, capture_stderr=False, return_bytes=False): ret = getattr(subprocess, method)(cmd_args, env=env, stderr=stderr) if not return_bytes and isinstance(ret, bytes): ret = ret.decode("utf8") return ret + +def create_syslog_handler(): + import logging.handlers + handler = logging.handlers.SysLogHandler(address='/dev/log') + handler.setLevel(logging.WARNING) + return handler From e70bc5043207310b328fc649272bc8625a3c797e Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sun, 22 Jun 2014 00:34:49 +0000 Subject: [PATCH 4/4] README parallel sentence structure --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9fa86272..ae821980 100644 --- a/README.md +++ b/README.md @@ -19,8 +19,8 @@ Mail-in-a-Box turns a fresh Ubuntu 14.04 LTS 64-bit machine into a working mail * [Spam filtering](https://spamassassin.apache.org/) that puts spam into a spam folder and [greylisting](http://postgrey.schweikert.ch/) to stop spam as it arrives. * [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework), [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail), and [DMARC](https://en.wikipedia.org/wiki/DMARC) to prove to recipients that your email was from you --- the machine acts as its own DNS nameserver to automatically set this up. * [DNSSEC](https://en.wikipedia.org/wiki/DNSSEC) and [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) to force cryptographically-secure communications in certain cases, especially between Mail-in-a-Boxes, if you add "DS" records to your domain registration. -* Configuration of mailboxes and mail aliases is done using a command-line tool or an HTTP-based API (accessible from within the server only). -* Basic system services like a firewall, intrusion protection, and setting the system clock are automatically configured. +* A command-line tool and an HTTP-based API for administering mailboxes and mail aliases. +* Basic system services like a firewall, intrusion protection, and setting the system clock. This setup is what has been powering my own personal email since September 2013.