diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 00000000..f05421ad --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,71 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '43 20 * * 0' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'python' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] + # Learn more: + # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + # ℹ️ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 diff --git a/CHANGELOG.md b/CHANGELOG.md index c4033df1..521a772b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,33 @@ CHANGELOG ========= +Version 61.1 (January 28, 2022) +------------------------------- + +* Fixed rsync backups not working with the default port. +* Reverted "Improve error messages in the management tools when external command-line tools are run." because of the possibility of user secrets being included in error messages. +* Fix for TLS certificate SHA fingerprint not being displayed during setup. + +Version 61 (January 21, 2023) +----------------------------- + +System: + +* fail2ban didn't start after setup. + +Mail: + +* Disable Roundcube password plugin since it was corrupting the user database. + +Control panel: + +* Fix changing existing backup settings when the rsync type is used. +* Allow setting a custom port for rsync backups. +* Fixes to DNS lookups during status checks when there are timeouts, enforce timeouts better. +* A new check is added to ensure fail2ban is running. +* Fixed a color. +* Improve error messages in the management tools when external command-line tools are run. + Version 60.1 (October 30, 2022) ------------------------------- @@ -23,12 +50,13 @@ No major features of Mail-in-a-Box have changed in this release, although some m With the newer version of Ubuntu the following software packages we use are updated: * dovecot is upgraded to 2.3.16, postfix to 3.6.4, opendmark to 1.4 (which adds ARC-Authentication-Results headers), and spampd to 2.53 (alleviating a mail delivery rate limiting bug). -* Nextcloud is upgraded to 23.0.4 (contacts to 4.2.0, calendar to 3.5.0). +* Nextcloud is upgraded to 24.0.0 * Roundcube is upgraded to 1.6.0. * certbot is upgraded to 1.21 (via the Ubuntu repository instead of a PPA). * fail2ban is upgraded to 0.11.2. * nginx is upgraded to 1.18. -* PHP is upgraded from 7.2 to 8.0. +* PHP is upgraded from 7.2 to 8.1. +* bind9 is replaced with unbound Also: diff --git a/README.md b/README.md index 42792025..53081547 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,64 @@ +Modifications are go +==================== + +This is not the original Mail-in-a-Box. See https://github.com/mail-in-a-box/mailinabox for the real deal! Many thanks to [@JoshData](https://github.com/JoshData) and other [contributors](https://github.com/mail-in-a-box/mailinabox/graphs/contributors). +I made a number of modifications to the original Mail-in-a-Box, some to fix bugs, some to ease maintenance for my personal installation, to learn and to add functionality. + +Functionality changes and additions +* Change installation target to Ubuntu 22.04. +* Add geoipblocking on the admin web console + This applies geoip filtering on acces to the admin panel of the box. Order of filtering: block continents that are not allowed, block countries that are not allowed, allow countries that are allowed (overriding continent filtering). Edit /etc/nginx/conf.d/10-geoblock.conf to configure. +* Add geoipblocking for ssh access + This applies geoip filtering for access to the ssh server. Edit /etc/geoiplookup.conf. All countries defined in this file are allowed. Works for alternate ssh ports. + This uses goiplookup from https://github.com/axllent/goiplookup +* Make fail2ban more strict + enable postfix filters, lengthen bantime and findtime +* Add fail2ban jails for both above mentioned geoipblocking filters +* Add fail2ban filters for web scanners and badbots +* Add xapian full text searching to dovecot (from https://github.com/grosjo/fts-xapian) +* Add rkhunter +* Configure domain names for which only www will be hosted + Edit /etc/miabwwwdomains.conf to configure. The box will handle incoming traffic asking for these domain names. The DNS entries are entered in an external DNS provider! If you want this box to handle the DNS entries, simply add a mail alias. (existing functionality of the vanilla Mail-in-a-Box) +* Add some munin plugins +* Update nextcloud to 24.0.0 + And updated apps +* Add nextcloud notes app +* Add roundcube context menu plugin +* Add roundcube two factor authentication plugin +* Use shorter TTL values in the DNS server + To be used before for example when changing IP addresses. Shortening TTL values will propagate changes faster. For reference, default TTL is 1 day, short TTL is 5 minutes. To use, edit file /etc/forceshortdnsttl and add a line for each domain for which shorter TTLs should be used. To use short TTLs for all known domains, add "forceshortdnsttl" +* Use the box as a Hidden Master in the DNS system + Thus only the secondary DNS servers are used as public DNS servers. When using a hidden master, no glue records are necessary at your domain hoster. To use, first setup secondary DNS servers via the Custom DNS administration page. At least two secondary servers should be set. When that functions, edit file /etc/usehiddenmasterdns and add a line for each domain for which Hidden Master should be used. To use Hidden Master for all known domains, add "usehiddenmasterdns". +* Daily ip blacklist check + Using check-dnsbl.py from https://github.com/gsauthof/utility +* Updated ssl security for web and email + Removed older cryptos following internet.nl recommendations +* Replace opendkim with dkimpy (https://launchpad.net/dkimpy-milter) + Added support for Ed25519 signing +* Replace bind9 with unbound DNS resolver +* Make backup target folder configurable + set BACKUP_ROOT to the backup target folder (default is same as STORAGE_ROOT) + +Bug fixes +* Munin error report fixed [see github issue](https://github.com/mail-in-a-box/mailinabox/issues/1555) +* Correct nextcloud carddav url [see github issue](https://github.com/mail-in-a-box/mailinabox/issues/1918) + +Maintenance (personal) +* Automatically clean spam and trash folders after 120 days +* Removed Z-Push +* After a backup, restarting of services is moved to before the execution of the after-backup script. This enables mail delivery while the after-backup script runs. +* Add weekly pflogsumm log analysis +* Enable mail delivery to root, forwarded to administrator +* Remove nextcloud skeleton to save disk space + +Fun +* Add option to define ADMIN_IP_ADDRESS + Currently only used to ignore fail2ban jails +* Add dynamic dns tools in the tools directory + Can be used to control DNS entries on the mail-in-a-box to point to a machine with a non-fixed (e.g. residential) ip address + +Original mailinabox content starts here: + Mail-in-a-Box ============= @@ -60,7 +121,7 @@ Clone this repository and checkout the tag corresponding to the most recent rele $ git clone https://github.com/mail-in-a-box/mailinabox $ cd mailinabox - $ git checkout v60.1 + $ git checkout v61.1 Begin the installation. diff --git a/Vagrantfile b/Vagrantfile index 757c2ec9..373f3659 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -19,7 +19,7 @@ Vagrant.configure("2") do |config| export PUBLIC_IP=auto export PUBLIC_IPV6=auto export PRIMARY_HOSTNAME=auto - #export SKIP_NETWORK_CHECKS=1 + export SKIP_NETWORK_CHECKS=1 # Start the setup script. cd /vagrant diff --git a/api/mailinabox.yml b/api/mailinabox.yml index f3290fb9..2b45fbd1 100644 --- a/api/mailinabox.yml +++ b/api/mailinabox.yml @@ -1262,7 +1262,7 @@ paths: $ref: '#/components/schemas/MailUserAddResponse' example: | mail user added - updated DNS: OpenDKIM configuration + updated DNS: DKIM configuration 400: description: Bad request content: @@ -1863,7 +1863,7 @@ components: type: string example: | mail user added - updated DNS: OpenDKIM configuration + updated DNS: DKIM configuration description: | Mail user add response. diff --git a/conf/cron/miab_clean_mail b/conf/cron/miab_clean_mail new file mode 100644 index 00000000..20397e4a --- /dev/null +++ b/conf/cron/miab_clean_mail @@ -0,0 +1,5 @@ +#!/bin/bash +# +doveadm expunge -A mailbox Trash savedbefore 120d +doveadm expunge -A mailbox Spam savedbefore 120d + diff --git a/conf/cron/miab_dovecot b/conf/cron/miab_dovecot new file mode 100644 index 00000000..5ed227bd --- /dev/null +++ b/conf/cron/miab_dovecot @@ -0,0 +1,2 @@ +#!/bin/bash +/usr/bin/doveadm fts optimize -A > /dev/null 2>&1 diff --git a/conf/dh4096.pem b/conf/dh4096.pem new file mode 100644 index 00000000..3cf0fcbc --- /dev/null +++ b/conf/dh4096.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- diff --git a/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf b/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf new file mode 100644 index 00000000..c2eb3634 --- /dev/null +++ b/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf @@ -0,0 +1,12 @@ +[INCLUDES] + +before = common.conf + +[Definition] +miab-errors=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address :.+ +miab-normal=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address $ +ignoreregex = + +failregex = > + +mode = normal \ No newline at end of file diff --git a/conf/fail2ban/filter.d/miab-postfix-scanner.conf b/conf/fail2ban/filter.d/miab-postfix-scanner.conf new file mode 100644 index 00000000..191dacd6 --- /dev/null +++ b/conf/fail2ban/filter.d/miab-postfix-scanner.conf @@ -0,0 +1,7 @@ +[INCLUDES] + +before = common.conf + +[Definition] +failregex=postfix/submission/smtpd.*warning: non-SMTP command from.*\[\].*HTTP.*$ +ignoreregex = diff --git a/conf/fail2ban/filter.d/nginx-badbots.conf b/conf/fail2ban/filter.d/nginx-badbots.conf new file mode 100644 index 00000000..12d4105b --- /dev/null +++ b/conf/fail2ban/filter.d/nginx-badbots.conf @@ -0,0 +1,24 @@ +# Fail2Ban configuration file +# +# Regexp to catch known spambots and software alike. Please verify +# that it is your intent to block IPs which were driven by +# above mentioned bots. + + +[Definition] + +badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee +badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 + +failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ + +ignoreregex = + +datepattern = ^[^\[]*\[({DATE}) + {^LN-BEG} + +# DEV Notes: +# List of bad bots fetched from http://www.user-agents.org +# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots. +# +# Author: Yaroslav Halchenko diff --git a/conf/fail2ban/filter.d/nginx-badrequests.conf b/conf/fail2ban/filter.d/nginx-badrequests.conf new file mode 100644 index 00000000..0265699d --- /dev/null +++ b/conf/fail2ban/filter.d/nginx-badrequests.conf @@ -0,0 +1,6 @@ +# Ban requests for non-existing or not-allowed resources + +[Definition] +# regex for nginx error.log +failregex = ^.* \[error\] .*2: No such file or directory.*client: .*$ +ignoreregex = ^.*(robots.txt|favicon.ico).*$ \ No newline at end of file diff --git a/conf/fail2ban/filter.d/nginx-geoipblock.conf b/conf/fail2ban/filter.d/nginx-geoipblock.conf new file mode 100644 index 00000000..11dccbcc --- /dev/null +++ b/conf/fail2ban/filter.d/nginx-geoipblock.conf @@ -0,0 +1,12 @@ +# Fail2Ban filter Mail-in-a-Box geo ip block + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = mailinabox + +failregex = .* - Geoip blocked +ignoreregex = diff --git a/conf/fail2ban/filter.d/nginx-missingresource.conf b/conf/fail2ban/filter.d/nginx-missingresource.conf new file mode 100644 index 00000000..22a26e7b --- /dev/null +++ b/conf/fail2ban/filter.d/nginx-missingresource.conf @@ -0,0 +1,6 @@ +# Ban requests for non-existing or not-allowed resources + +[Definition] +failregex = ^.* \[error\] .*2: No such file or directory.*client: .*$ +ignoreregex = ^.*(robots.txt|favicon.ico).*$ + diff --git a/conf/fail2ban/filter.d/ssh-geoipblock.conf b/conf/fail2ban/filter.d/ssh-geoipblock.conf new file mode 100644 index 00000000..d35e0d95 --- /dev/null +++ b/conf/fail2ban/filter.d/ssh-geoipblock.conf @@ -0,0 +1,10 @@ +# Fail2Ban filter sshd ip block according to https://www.axllent.org/docs/ssh-geoip/ + +[INCLUDES] + +before = common.conf + +[Definition] + +failregex = .* DENY geoipblocked connection from +ignoreregex = diff --git a/conf/fail2ban/filter.d/webexploits.conf b/conf/fail2ban/filter.d/webexploits.conf new file mode 100644 index 00000000..dbb297ae --- /dev/null +++ b/conf/fail2ban/filter.d/webexploits.conf @@ -0,0 +1,238 @@ +# Fail2Ban Web Exploits Filter +# Author & Copyright: Mitchell Krog - mitchellkrog@gmail.com +# REPO: https://github.com/mitchellkrogza/Fail2Ban.WebExploits +# V0.1.27 +# Last Updated: Tue May 8 11:08:42 SAST 2018 + +[Definition] + + +failregex = ^ -.*(GET|POST|HEAD).*(/\.git/config) + ^ -.*(GET|POST).*/administrator/index\.php.*500 + ^ -.*(GET|POST|HEAD).*(/:8880/) + ^ -.*(GET|POST|HEAD).*(/1\.sql) + ^ -.*(GET|POST|HEAD).*(/addons/theme/stv1/_static/image/favicon\.ico) + ^ -.*(GET|POST|HEAD).*(/addons/theme/stv1/_static/ts2/layout\.css) + ^ -.*(GET|POST|HEAD).*(/addons/theme/stv2/_static/ts2/layout\.css) + ^ -.*(GET|POST|HEAD).*(/Admin/Common/HelpLinks\.xml) + ^ -.*(GET|POST|HEAD).*(/admin-console) + ^ -.*(GET|POST|HEAD).*(/admin/inc/xml\.xslt) + ^ -.*(GET|POST|HEAD).*(/administrator/components/com_xcloner-backupandrestore/index2\.php) + # ^ -.*(GET|POST|HEAD).*(/administrator/index\.php) + ^ -.*(GET|POST|HEAD).*(/administrator/manifests/files/joomla\.xml) + ^ -.*(GET|POST|HEAD).*(/admin/mysql2/index\.php) + ^ -.*(GET|POST|HEAD).*(/admin/mysql/index\.php) + ^ -.*(GET|POST|HEAD).*(/admin/phpMyAdmin/index\.php) + ^ -.*(GET|POST|HEAD).*(/admin/pma/index\.php) + ^ -.*(GET|POST|HEAD).*(/admin/PMA/index\.php) + ^ -.*(GET|POST|HEAD).*(/admin/SouthidcEditor/ButtonImage/standard/componentmenu\.gif) + ^ -.*(GET|POST|HEAD).*(/admin/SouthidcEditor/Dialog/dialog\.js) + ^ -.*(GET|POST|HEAD).*(/admin/SouthidcEditor/ewebeditor\.asp) + ^ -.*(GET|POST|HEAD).*(/API/DW/Dwplugin/SystemLabel/SiteConfig\.htm) + ^ -.*(GET|POST|HEAD).*(/API/DW/Dwplugin/TemplateManage/login_site\.htm) + ^ -.*(GET|POST|HEAD).*(/API/DW/Dwplugin/TemplateManage/manage_site\.htm) + ^ -.*(GET|POST|HEAD).*(/API/DW/Dwplugin/TemplateManage/save_template\.htm) + ^ -.*(GET|POST|HEAD).*(/API/DW/Dwplugin/ThirdPartyTags/SiteFactory\.xml) + ^ -.*(GET|POST|HEAD).*(/api/jsonws/invoke) + ^ -.*(GET|POST|HEAD).*(/app/home/skins/default/style\.css) + ^ -.*(GET|POST|HEAD).*(/app/js/source/wcmlib/WCMConstants\.js) + ^ -.*(GET|POST|HEAD).*(/apple-app-site-association) + ^ -.*(GET|POST|HEAD).*(/app/Tpl/fanwe_1/js/) + ^ -.*(GET|POST|HEAD).*(/app/etc/local\.xml) + ^ -.*(GET|POST|HEAD).*(/Autodiscover/Autodiscover\.xml) + ^ -.*(GET|POST|HEAD).*(/_asterisk/) + ^ -.*(GET|POST|HEAD).*(/backup\.sql) + ^ -.*(GET|POST|HEAD).*(/bencandy\.php) + ^ -.*(GET|POST|HEAD).*(/blog/administrator/index\.php) + ^ -.*(GET|POST|HEAD).*(/boaform/admin/formLogin) + ^ -.*(GET|POST|HEAD).*(/cardamom\.html) + ^ -.*(GET|POST|HEAD).*(/cgi-bin/php) + ^ -.*(GET|POST|HEAD).*(/cgi-bin/php5) + ^ -.*(GET|POST|HEAD).*(/cgi/common\.cgi) + ^ -.*(GET|POST|HEAD).*(/CGI/Execute) + ^ -.*(GET|POST|HEAD).*(/check\.proxyradar\.com/azenv\.php) + ^ -.*(GET|POST|HEAD).*(/ckeditor/ckfinder/ckfinder\.html) + ^ -.*(GET|POST|HEAD).*(/ckeditor/ckfinder/install\.txt) + ^ -.*(GET|POST|HEAD).*(/ckfinder/ckfinder\.html) + ^ -.*(GET|POST|HEAD).*(/ckfinder/install\.txt) + ^ -.*(GET|POST|HEAD).*(/ckupload\.php) + ^ -.*(GET|POST|HEAD).*(/claroline/phpMyAdmin/index\.php) + ^ -.*(GET|POST|HEAD).*(/clases\.gone\.php) + ^ -.*(GET|POST|HEAD).*(/cms/administrator) + ^ -.*(GET|POST|HEAD).*(/command\.php) + ^ -.*(GET|POST|HEAD).*(/components/com_adsmanager/js/fullnoconflict\.js) + ^ -.*(GET|POST|HEAD).*(/components/com_b2jcontact/css/b2jcontact\.css) + ^ -.*(GET|POST|HEAD).*(/components/com_b2jcontact/router\.php) + ^ -.*(GET|POST|HEAD).*(/components/com_foxcontact/js/jtext\.js) + ^ -.*(GET|POST|HEAD).*(/components/com_sexycontactform/assets/js/index\.html) + ^ -.*(GET|POST|HEAD).*(/console/) + ^ -.*(GET|POST|HEAD).*(/console/auth/reg_newuser\.jsp) + ^ -.*(GET|POST|HEAD).*(/console/include/not_login\.htm) + ^ -.*(GET|POST|HEAD).*(/console/js/CTRSRequestParam\.js) + ^ -.*(GET|POST|HEAD).*(/console/js/CWCMDialogHead\.js) + ^ -.*(GET|POST|HEAD).*(/customer/account/login/referer/) + ^ -.*(GET|POST|HEAD).*(/currentsetting\.htm) + ^ -.*(GET|POST|HEAD).*(/CuteSoft_Client/CuteEditor/Help/default\.htm) + ^ -.*(GET|POST|HEAD).*(/CuteSoft_Client/CuteEditor/ImageEditor/listfiles\.aspx) + ^ -.*(GET|POST|HEAD).*(/CuteSoft_Client/CuteEditor/Images/log\.gif) + ^ -.*(GET|POST|HEAD).*(/data/admin/ver\.txt) + ^ -.*(GET|POST|HEAD).*(/database\.sql) + ^ -.*(GET|POST|HEAD).*(/data\.sql) + ^ -.*(GET|POST|HEAD).*(/datacenter/downloadApp/showDownload\.do) + ^ -.*(GET|POST|HEAD).*(/db/) + ^ -.*(GET|POST|HEAD).*(/dbadmin/) + ^ -.*(GET|POST|HEAD).*(/dbadmin/index\.php) + ^ -.*(GET|POST|HEAD).*(/db_backup\.sql) + ^ -.*(GET|POST|HEAD).*(/dbdump\.sql) + ^ -.*(GET|POST|HEAD).*(/db\.sql) + ^ -.*(GET|POST|HEAD).*(/db/index\.php) + ^ -.*(GET|POST|HEAD).*(/dump\.sql) + ^ -.*(GET|POST|HEAD).*(/deptWebsiteAction\.do) + ^ -.*(GET|POST|HEAD).*(/eams/static/scripts/grade/course/input\.js) + ^ -.*(GET|POST|HEAD).*(/editor/js/fckeditorcode_ie\.js) + ^ -.*(GET|POST|HEAD).*(\.env\.dev\.local) + ^ -.*(GET|POST|HEAD).*(/\.env\.development\.local) + ^ -.*(GET|POST|HEAD).*(/\.env\.prod\.local) + ^ -.*(GET|POST|HEAD).*(/\.env\.production\.local) + ^ -.*(GET|POST|HEAD).*(/examples/file-manager\.html) + ^ -.*(GET|POST|HEAD).*(/getcfg\.php) + ^ -.*(GET|POST|HEAD).*(/get_password\.php) + ^ -.*(GET|POST|HEAD).*(/\.git/info) + ^ -.*(GET|POST|HEAD).*(/\.git/HEAD) + ^ -.*(GET|POST|HEAD).*(/Hello\.World) + ^ -.*(GET|POST|HEAD).*(/hndUnblock\.cgi) + ^ -.*(GET|POST|HEAD).*(/images/login9/login_33\.jpg) + ^ -.*(GET|POST|HEAD).*(/include/dialog/config\.php) + ^ -.*(GET|POST|HEAD).*(/include/install_ocx\.aspx) + ^ -.*(GET|POST|HEAD).*(/index\.action) + ^ -.*(GET|POST|HEAD).*(/ip_js\.php) + ^ -.*(GET|POST|HEAD).*(/issmall/) + ^ -.*(GET|POST|HEAD).*(/jenkins/script) + ^ -.*(GET|POST|HEAD).*(/jenkins/login) + ^ -.*(GET|POST|HEAD).*(/jm-ajax/upload_file/) + ^ -.*(GET|POST|HEAD).*(/jmx-console) + ^ -.*(GET|POST|HEAD).*(/js/tools\.js) + ^ -.*(GET|POST|HEAD).*(/letrokart.sql) + ^ -.*(GET|POST|HEAD).*(/libraries/sfn\.php) + ^ -.*(GET|POST|HEAD).*(/localhost\.sql) + ^ -.*(GET|POST|HEAD).*(login\.destroy\.session) + ^ -.*(GET|POST|HEAD).*(/login/Jeecms\.do) + ^ -.*(GET|POST|HEAD).*(/logo_img\.php) + ^ -.*(GET|POST|HEAD).*(/maintlogin\.jsp) + ^ -.*(GET|POST|HEAD).*(/manager/html) + ^ -.*(GET|POST|HEAD).*(/manager/status) + ^ -.*(GET|POST|HEAD).*(/magmi/conf/magmi\.ini) + ^ -.*(GET|POST|HEAD).*(/master/login\.aspx) + ^ -.*(GET|POST|HEAD).*(/media/com_hikashop/js/hikashop\.js) + ^ -.*(GET|POST|HEAD).*(/modules/attributewizardpro/config\.xml) + ^ -.*(GET|POST|HEAD).*(/modules/columnadverts/config\.xml) + ^ -.*(GET|POST|HEAD).*(/modules/fieldvmegamenu/config\.xml) + ^ -.*(GET|POST|HEAD).*(/modules/homepageadvertise2/config\.xml) + ^ -.*(GET|POST|HEAD).*(/modules/homepageadvertise/config\.xml) + ^ -.*(GET|POST|HEAD).*(/modules/mod_simplefileuploadv1\.3/elements/udd\.php) + ^ -.*(GET|POST|HEAD).*(/modules/pk_flexmenu/config\.xml) + ^ -.*(GET|POST|HEAD).*(/modules/pk_vertflexmenu/config\.xml) + ^ -.*(GET|POST|HEAD).*(/modules/wdoptionpanel/config\.xml) + ^ -.*(GET|POST|HEAD).*(/msd) + ^ -.*(GET|POST|HEAD).*(/msd1\.24\.4) + ^ -.*(GET|POST|HEAD).*(/msd1\.24stable) + ^ -.*(GET|POST|HEAD).*(mstshash=NCRACK_USER) + ^ -.*(GET|POST|HEAD).*(/muieblackcat) + ^ -.*(GET|POST|HEAD).*(/myadmin2/index\.php) + ^ -.*(GET|POST|HEAD).*(/myadmin/index\.php) + ^ -.*(GET|POST|HEAD).*(/myadmin/scripts/setup\.php) + ^ -.*(GET|POST|HEAD).*(/MyAdmin/scripts/setup\.php) + ^ -.*(GET|POST|HEAD).*(/mysql-admin/index\.php) + ^ -.*(GET|POST|HEAD).*(/mysqladmin/index\.php) + ^ -.*(GET|POST|HEAD).*(/mysqldumper) + ^ -.*(GET|POST|HEAD).*(/mySqlDumper) + ^ -.*(GET|POST|HEAD).*(/MySQLDumper) + ^ -.*(GET|POST|HEAD).*(/mysqldump\.sql) + ^ -.*(GET|POST|HEAD).*(/mysql\.sql) + ^ -.*(GET|POST|HEAD).*(/phpadmin/index\.php) + ^ -.*(GET|POST|HEAD).*(/phpma/index\.php) + ^ -.*(GET|POST|HEAD).*(/phpMyadmin_bak/index\.php) + ^ -.*(GET|POST|HEAD).*(/phpMyAdmin/index\.php) + ^ -.*(GET|POST|HEAD).*(/phpMyAdmin/phpMyAdmin/index\.php) + ^ -.*(GET|POST|HEAD).*(/phpMyAdmin/scripts/setup\.php) + ^ -.*(GET|POST|HEAD).*(/plugins/anchor/anchor\.js) + ^ -.*(GET|POST|HEAD).*(/plugins/filemanager/filemanager/js) + ^ -.*(GET|POST|HEAD).*(/plus/download\.php) + ^ -.*(GET|POST|HEAD).*(/plus/heightsearch\.php) + ^ -.*(GET|POST|HEAD).*(/plus/rssmap\.html) + ^ -.*(GET|POST|HEAD).*(/plus/sitemap\.html) + ^ -.*(GET|POST|HEAD).*(/pma/) + ^ -.*(GET|POST|HEAD).*(/PMA/) + ^ -.*(GET|POST|HEAD).*(/PMA2/index\.php) + ^ -.*(GET|POST|HEAD).*(/pma/index\.php) + ^ -.*(GET|POST|HEAD).*(/PMA/index\.php) + ^ -.*(GET|POST|HEAD).*(/pmamy2/index\.php) + ^ -.*(GET|POST|HEAD).*(/pmamy/index\.php) + ^ -.*(GET|POST|HEAD).*(/pma-old/index\.php) + ^ -.*(GET|POST|HEAD).*(/pma/scripts/setup\.php) + ^ -.*(GET|POST|HEAD).*(/pmd/index\.php) + ^ -.*(GET|POST|HEAD).*(/privacy\.txt) + ^ -.*(GET|POST|HEAD).*(/resources/style/images/login/btn\.png) + ^ -.*(GET|POST|HEAD).*(/Scripts/jquery/maticsoft\.jquery\.min\.js) + ^ -.*(GET|POST|HEAD).*(/script/valid_formdata\.js) + ^ -.*(GET|POST|HEAD).*(/siteserver/login\.aspx) + ^ -.*(GET|POST|HEAD).*(/siteserver/upgrade/default\.aspx) + ^ -.*(GET|POST|HEAD).*(/site\.sql) + ^ -.*(GET|POST|HEAD).*(/sql\.sql) + ^ -.*(GET|POST|HEAD).*(soap:Envelope) + ^ -.*(GET|POST|HEAD).*(/solr/admin/info/system) + ^ -.*(GET|POST|HEAD).*(/stalker_portal/c) + ^ -.*(GET|POST|HEAD).*(/stalker_portal/server/adm/tv-channels/iptv-list-json) + ^ -.*(GET|POST|HEAD).*(/stalker_portal/server/adm/users/users-list-json) + ^ -.*(GET|POST|HEAD).*(/stssys\.htm) + ^ -.*(GET|POST|HEAD).*(/sys\.cache\.php) + ^ -.*(GET|POST|HEAD).*(/system/assets/jquery/jquery-2\.x\.min\.js) + ^ -.*(GET|POST|HEAD).*(/system_api\.php) + ^ -.*(GET|POST|HEAD).*(/template/1/bluewise/_files/jspxcms\.css) + ^ -.*(GET|POST|HEAD).*(/templates/jsn_glass_pro/ext/hikashop/jsn_ext_hikashop\.css) + ^ -.*(GET|POST|HEAD).*(/test_404_page/) + ^ -.*(GET|POST|HEAD).*(/test_for_404/) + ^ -.*(GET|POST|HEAD).*(/temp\.sql) + ^ -.*(GET|POST|HEAD).*(/translate\.sql) + ^ -.*(GET|POST|HEAD).*(Test Wuz Here) + ^ -.*(GET|POST|HEAD).*(/tmUnblock\.cgi) + ^ -.*(GET|POST|HEAD).*(/tools/phpMyAdmin/index\.ph) + ^ -.*(GET|POST|HEAD).*(/uc_server/control/admin/db\.php) + ^ -.*(GET|POST|HEAD).*(/upload/bank-icons/) + ^ -.*(GET|POST|HEAD).*(/UserCenter/css/admin/bgimg/admin_all_bg\.png) + ^ -.*(GET|POST|HEAD).*(/\.user\.ini) + ^ -.*(GET|POST|HEAD).*(\.bitcoin) + ^ -.*(GET|POST|HEAD).*(wallet\.dat) + ^ -.*(GET|POST|HEAD).*(bitcoin\.dat) + ^ -.*(GET|POST|HEAD).*(/magento2/admin) + ^ -.*(GET|POST|HEAD).*(/user/register?element_parents=account) + ^ -.*(GET|POST|HEAD).*(/user/themes/antimatter/js/antimatter\.js) + ^ -.*(GET|POST|HEAD).*(/user/themes/antimatter/js/modernizr\.custom\.71422\.js) + ^ -.*(GET|POST|HEAD).*(/user/themes/antimatter/js/slidebars\.min\.js) + ^ -.*(GET|POST|HEAD).*(/users\.sql) + ^ -.*(GET|POST|HEAD).*(/vendor/phpunit/phpunit) + ^ -.*(GET|POST|HEAD).*(/w00tw00t) + ^ -.*(GET|POST|HEAD).*(/webbuilder/script/locale/wb-lang-zh_CN\.js) + ^ -.*(GET|POST|HEAD).*(/web-console) + ^ -.*(GET|POST|HEAD).*(/webdav) + ^ -.*(GET|POST|HEAD).*(/web/phpMyAdmin/index\.php) + ^ -.*(GET|POST|HEAD).*(/whir_system/login\.aspx) + ^ -.*(GET|POST|HEAD).*(/whir_system/module/security/login\.aspx) + ^ -.*(GET|POST|HEAD).*(/wls-wsat/CoordinatorPortType) + ^ -.*(GET|POST|HEAD).*(/wpbase/url\.php) + ^ -.*(GET|POST|HEAD).*(/wp-content/plugins/) + ^ -.*(GET|POST|HEAD).*(/wp-content/uploads/dump\.sql) + ^ -.*(GET|POST|HEAD).*(/wp-includes/wlwmanifest\.xml) + ^ -.*(GET|POST|HEAD).*(/wp-login\.php) + ^ -.*(GET|POST|HEAD).*(/www/phpMyAdmin/index\.php) + ^ -.*(GET|POST|HEAD).*(\x00Cookie:) + ^ -.*(GET|POST|HEAD).*(\x22cache_name_function) + ^ -.*(GET|POST|HEAD).*(\x22JDatabaseDriverMysqli) + ^ -.*(GET|POST|HEAD).*(\x22JSimplepieFactory) + ^ -.*(GET|POST|HEAD).*(\x22sanitize) + ^ -.*(GET|POST|HEAD).*(\x22SimplePie) + ^ -.*(GET|POST|HEAD).*(\x5C0disconnectHandlers) + ^ -.*(GET|POST|HEAD).*(\.\./wp-config.php) + + +ignoreregex = diff --git a/conf/fail2ban/jail.d/badrequests.conf b/conf/fail2ban/jail.d/badrequests.conf new file mode 100644 index 00000000..7fd87e72 --- /dev/null +++ b/conf/fail2ban/jail.d/badrequests.conf @@ -0,0 +1,13 @@ +# Block clients that generate too many non existing resources +# Do not deploy of you host many websites on your box +# any bad html link will trigger a false positive. +# This jail is meant to catch scanners that try many +# sites. +[badrequests] +enabled = true +port = http,https +filter = nginx-badrequests +logpath = /var/log/nginx/error.log +maxretry = 8 +findtime = 15m +bantime = 15m diff --git a/conf/fail2ban/jail.d/geoipblock.conf b/conf/fail2ban/jail.d/geoipblock.conf new file mode 100644 index 00000000..c83c1023 --- /dev/null +++ b/conf/fail2ban/jail.d/geoipblock.conf @@ -0,0 +1,17 @@ +[geoipblocknginx] +enabled = true +port = http,https +filter = nginx-geoipblock +logpath = /var/log/nginx/geoipblock.log +maxretry = 1 +findtime = 120m +bantime = 15m + +[geoipblockssh] +enabled = true +port = ssh +filter = ssh-geoipblock +logpath = /var/log/syslog +maxretry = 1 +findtime = 120m +bantime = 15m diff --git a/conf/fail2ban/jail.d/nginx-general.conf b/conf/fail2ban/jail.d/nginx-general.conf new file mode 100644 index 00000000..ca1afa71 --- /dev/null +++ b/conf/fail2ban/jail.d/nginx-general.conf @@ -0,0 +1,9 @@ +[nginx-badbots] +enabled = true +port = http,https +filter = nginx-badbots +logpath = /var/log/nginx/access.log +maxretry = 2 + +[nginx-http-auth] +enabled = true diff --git a/conf/fail2ban/jail.d/postfix-extra.conf b/conf/fail2ban/jail.d/postfix-extra.conf new file mode 100644 index 00000000..217b461f --- /dev/null +++ b/conf/fail2ban/jail.d/postfix-extra.conf @@ -0,0 +1,44 @@ +# typically non smtp commands. Block fast for access to postfix +[miab-postfix-scanner] +enabled = true +port = smtp,465,587 +filter = miab-postfix-scanner +logpath = /var/log/mail.log +maxretry = 2 +findtime = 1d +bantime = 1h + +# ip lookup of hostname does not match. Go easy on block +[miab-pf-rdnsfail] +enabled = true +port = smtp,465,587 +mode = normal +filter = miab-postfix-rdnsfail +logpath = /var/log/mail.log +maxretry = 8 +findtime = 12h +bantime = 30m + +# ip lookup of hostname does not match with failure. More strict block +[miab-pf-rdnsfail-e] +enabled = true +port = smtp,465,587 +mode = errors +filter = miab-postfix-rdnsfail[mode=errors] +logpath = /var/log/mail.log +maxretry = 4 +findtime = 2d +bantime = 2h + +# aggressive filter against ddos etc +[postfix-aggressive] +enabled = true +mode = aggressive +filter = postfix[mode=aggressive] +port = smtp,465,submission +logpath = %(postfix_log)s +backend = %(postfix_backend)s +maxretry = 100 +findtime = 15m +bantime = 1h + diff --git a/conf/fail2ban/jail.d/webexploits.conf b/conf/fail2ban/jail.d/webexploits.conf new file mode 100644 index 00000000..f5edda95 --- /dev/null +++ b/conf/fail2ban/jail.d/webexploits.conf @@ -0,0 +1,12 @@ +# Block clients based on a list of specific requests +# The list contains applications that are not installed +# only scanners and bad parties will try too often +# so blocking can be fast and long +[webexploits] +enabled = true +port = http,https +filter = webexploits +logpath = /var/log/nginx/access.log +maxretry = 2 +findtime = 4h +bantime = 4h diff --git a/conf/fail2ban/jails.conf b/conf/fail2ban/jails.conf index c1514b45..80b79f57 100644 --- a/conf/fail2ban/jails.conf +++ b/conf/fail2ban/jails.conf @@ -5,13 +5,16 @@ # Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks # ping services over the public interface so we should whitelist that address of # ours too. The string is substituted during installation. -ignoreip = 127.0.0.1/8 PUBLIC_IP ::1 PUBLIC_IPV6 +ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6/64 ADMIN_HOME_IP ADMIN_HOME_IPV6 +bantime = 15m +findtime = 120m +maxretry = 4 [dovecot] enabled = true filter = dovecotimap logpath = /var/log/mail.log -findtime = 30 +findtime = 2m maxretry = 20 [miab-management] @@ -20,7 +23,7 @@ filter = miab-management-daemon port = http,https logpath = /var/log/syslog maxretry = 20 -findtime = 30 +findtime = 15m [miab-munin] enabled = true @@ -28,15 +31,15 @@ port = http,https filter = miab-munin logpath = /var/log/nginx/access.log maxretry = 20 -findtime = 30 +findtime = 15m [miab-owncloud] enabled = true port = http,https filter = miab-owncloud -logpath = STORAGE_ROOT/owncloud/nextcloud.log +logpath = /var/log/nextcloud.log maxretry = 20 -findtime = 120 +findtime = 15m [miab-postfix465] enabled = true @@ -52,7 +55,7 @@ port = 587 filter = miab-postfix-submission logpath = /var/log/mail.log maxretry = 20 -findtime = 30 +findtime = 2m [miab-roundcube] enabled = true @@ -60,11 +63,13 @@ port = http,https filter = miab-roundcube logpath = /var/log/roundcubemail/errors.log maxretry = 20 -findtime = 30 +findtime = 15m [recidive] enabled = true maxretry = 10 +bantime = 2w +findtime = 7d action = iptables-allports[name=recidive] # In the recidive section of jail.conf the action contains: # @@ -79,8 +84,17 @@ action = iptables-allports[name=recidive] [postfix-sasl] enabled = true +findtime = 7d + +[postfix] +enabled = true + +# postfix rbl also found by postfix jail, but postfix-rbl is more aggressive (maxretry = 1) +[postfix-rbl] +enabled = true [sshd] enabled = true -maxretry = 7 +maxretry = 4 bantime = 3600 +mode = aggressive diff --git a/conf/geoiplookup.conf b/conf/geoiplookup.conf new file mode 100644 index 00000000..4a709520 --- /dev/null +++ b/conf/geoiplookup.conf @@ -0,0 +1,3 @@ +# UPPERCASE space-separated country codes to ACCEPT +# See e.g. https://dev.maxmind.com/geoip/legacy/codes/iso3166/ for allowable codes +ALLOW_COUNTRIES="" diff --git a/conf/logrotate/mailinabox b/conf/logrotate/mailinabox new file mode 100644 index 00000000..ed5fd34a --- /dev/null +++ b/conf/logrotate/mailinabox @@ -0,0 +1,12 @@ +/var/log/roundcubemail/errors.log +/var/log/roundcubemail/sendmail.log +/var/log/nextcloud.log +{ + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + sharedscripts +} diff --git a/conf/nginx-alldomains.conf b/conf/nginx-alldomains.conf index 4c81e3f3..e49e5af2 100644 --- a/conf/nginx-alldomains.conf +++ b/conf/nginx-alldomains.conf @@ -49,26 +49,6 @@ client_max_body_size 128M; } - # Z-Push (Microsoft Exchange ActiveSync) - location /Microsoft-Server-ActiveSync { - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME /usr/local/lib/z-push/index.php; - fastcgi_param PHP_VALUE "include_path=.:/usr/share/php:/usr/share/pear:/usr/share/awl/inc"; - fastcgi_read_timeout 630; - fastcgi_pass php-fpm; - - # Outgoing mail also goes through this endpoint, so increase the maximum - # file upload limit to match the corresponding Postfix limit. - client_max_body_size 128M; - } - location ~* ^/autodiscover/autodiscover.xml$ { - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /usr/local/lib/z-push/autodiscover/autodiscover.php; - fastcgi_param PHP_VALUE "include_path=.:/usr/share/php:/usr/share/pear:/usr/share/awl/inc"; - fastcgi_pass php-fpm; - } - - # ADDITIONAL DIRECTIVES HERE # Disable viewing dotfiles (.htaccess, .svn, .git, etc.) diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf index 31bf0095..915d45eb 100644 --- a/conf/nginx-primaryonly.conf +++ b/conf/nginx-primaryonly.conf @@ -7,11 +7,37 @@ rewrite ^/admin$ /admin/; rewrite ^/admin/munin$ /admin/munin/ redirect; location /admin/ { + # By default not blocked + set $block_test 1; + + # block the continents + if ($allowed_continent = no) { + set $block_test 0; + } + + # in addition, block the countries + if ($denied_country = no) { + set $block_test 0; + } + + # allow some countries + if ($allowed_country = yes) { + set $block_test 1; + } + + # if 0, then blocked + if ($block_test = 0) { + access_log /var/log/nginx/geoipblock.log geoipblock; + return 444; + } + proxy_pass http://127.0.0.1:10222/; proxy_set_header X-Forwarded-For $remote_addr; add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options nosniff; add_header Content-Security-Policy "frame-ancestors 'none';"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Referrer-Policy "strict-origin"; } # Nextcloud configuration. diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf index 621973df..3623c5f6 100644 --- a/conf/nginx-ssl.conf +++ b/conf/nginx-ssl.conf @@ -2,7 +2,7 @@ # Note that these settings are repeated in the SMTP and IMAP configuration. # ssl_protocols has moved to nginx.conf in bionic, check there for enabled protocols. ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem; +ssl_dhparam STORAGE_ROOT/ssl/dh4096.pem; # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html ssl_session_cache shared:SSL:50m; diff --git a/conf/nginx-top.conf b/conf/nginx-top.conf index c3f4c0d6..85d056cf 100644 --- a/conf/nginx-top.conf +++ b/conf/nginx-top.conf @@ -7,6 +7,5 @@ ## your own --- please do not ask for help from us. upstream php-fpm { - server unix:/var/run/php/php8.0-fpm.sock; + server unix:/var/run/php/php{{phpver}}-fpm.sock; } - diff --git a/conf/nginx-webonlydomains.conf b/conf/nginx-webonlydomains.conf new file mode 100644 index 00000000..68c02a32 --- /dev/null +++ b/conf/nginx-webonlydomains.conf @@ -0,0 +1,28 @@ + # Expose this directory as static files. + root $ROOT; + index index.html index.htm; + + location = /robots.txt { + log_not_found off; + access_log off; + } + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + # ADDITIONAL DIRECTIVES HERE + + # Disable viewing dotfiles (.htaccess, .svn, .git, etc.) + # This block is placed at the end. Nginx's precedence rules means this block + # takes precedence over all non-regex matches and only regex matches that + # come after it (i.e. none of those, since this is the last one.) That means + # we're blocking dotfiles in the static hosted sites but not the FastCGI- + # handled locations for Nextcloud (which serves user-uploaded files that might + # have this pattern, see #414) or some of the other services. + location ~ /\.(ht|svn|git|hg|bzr) { + log_not_found off; + access_log off; + deny all; + } diff --git a/conf/nginx/conf.d/10-geoblock.conf b/conf/nginx/conf.d/10-geoblock.conf new file mode 100644 index 00000000..c977d366 --- /dev/null +++ b/conf/nginx/conf.d/10-geoblock.conf @@ -0,0 +1,22 @@ +# GeoIP databases +geoip_country /usr/share/GeoIP/GeoIP.dat; +geoip_city /usr/share/GeoIP/GeoIPCity.dat; + +# map the list of denied countries +# see e.g. https://dev.maxmind.com/geoip/legacy/codes/iso3166/ for allowable +# countries +map $geoip_country_code $denied_country { + default yes; + } + +# map the list of allowed countries +map $geoip_country_code $allowed_country { + default no; + } + +# map the continents to allow +map $geoip_city_continent_code $allowed_continent { + default yes; + } + +log_format geoipblock '[$time_local] - Geoip blocked $remote_addr'; diff --git a/conf/rsyslog/20-nextcloud.conf b/conf/rsyslog/20-nextcloud.conf new file mode 100644 index 00000000..7a39ff7c --- /dev/null +++ b/conf/rsyslog/20-nextcloud.conf @@ -0,0 +1,4 @@ +:syslogtag, startswith, "Nextcloud" -/var/log/nextcloud.log + +# Stop logging +& stop \ No newline at end of file diff --git a/conf/unbound.conf b/conf/unbound.conf new file mode 100644 index 00000000..30880afe --- /dev/null +++ b/conf/unbound.conf @@ -0,0 +1,68 @@ +server: + # the working directory. + directory: "/etc/unbound" + + # run as the unbound user + username: unbound + + verbosity: 0 # uncomment and increase to get more logging. + # logfile: "/var/log/unbound.log" # won't work due to apparmor + # use-syslog: no + + # By default listen only to localhost + #interface: ::1 + #interface: 127.0.0.1 + port: 53 + + # Only allow localhost to use this Unbound instance. + access-control: 127.0.0.1/8 allow + access-control: ::1/128 allow + + # Private IP ranges, which shall never be returned or forwarded as public DNS response. + private-address: 10.0.0.0/8 + private-address: 172.16.0.0/12 + private-address: 192.168.0.0/16 + private-address: 169.254.0.0/16 + private-address: fd00::/8 + private-address: fe80::/10 + + # Functionality + do-ip4: yes + do-ip6: yes + do-udp: yes + do-tcp: yes + + # Performance + num-threads: 2 + cache-min-ttl: 300 + cache-max-ttl: 86400 + serve-expired: yes + neg-cache-size: 4M + msg-cache-size: 50m + rrset-cache-size: 100m + + so-reuseport: yes + so-rcvbuf: 4m + so-sndbuf: 4m + + # Privacy / hardening + # hide server info from clients + hide-identity: yes + hide-version: yes + harden-glue: yes + harden-dnssec-stripped: yes + harden-algo-downgrade: yes + harden-large-queries: yes + harden-short-bufsize: yes + + rrset-roundrobin: yes + minimal-responses: yes + identity: "Server" + + # Include possible white/blacklists + include: /etc/unbound/lists.d/*.conf + +remote-control: + control-enable: yes + control-port: 953 + diff --git a/management/backup.py b/management/backup.py index 8a82c4ad..5e063f9e 100755 --- a/management/backup.py +++ b/management/backup.py @@ -1,21 +1,24 @@ #!/usr/local/lib/mailinabox/env/bin/python -# This script performs a backup of all user data: +# This script performs a backup of all user data stored under STORAGE_ROOT: # 1) System services are stopped. -# 2) STORAGE_ROOT/backup/before-backup is executed if it exists. +# 2) BACKUP_ROOT/backup/before-backup is executed if it exists. # 3) An incremental encrypted backup is made using duplicity. # 4) The stopped services are restarted. -# 5) STORAGE_ROOT/backup/after-backup is executed if it exists. +# 5) BACKUP_ROOT/backup/after-backup is executed if it exists. +# +# By default BACKUP_ROOT is equal to STORAGE_ROOT. If the variable BACKUP_ROOT is defined in /etc/mailinabox.conf and +# the referenced folder exists, this new target is used instead to store the backups. import os, os.path, shutil, glob, re, datetime, sys import dateutil.parser, dateutil.relativedelta, dateutil.tz import rtyaml from exclusiveprocess import Lock -from utils import load_environment, shell, wait_for_service +from utils import load_environment, shell, wait_for_service, get_php_version def backup_status(env): - # If backups are dissbled, return no status. + # If backups are disabled, return no status. config = get_backup_config(env) if config["target"] == "off": return { } @@ -25,7 +28,7 @@ def backup_status(env): backups = { } now = datetime.datetime.now(dateutil.tz.tzlocal()) - backup_root = os.path.join(env["STORAGE_ROOT"], 'backup') + backup_root = get_backup_root(env) backup_cache_dir = os.path.join(backup_root, 'cache') def reldate(date, ref, clip): @@ -183,7 +186,7 @@ def get_passphrase(env): # that line is long enough to be a reasonable passphrase. It # only needs to be 43 base64-characters to match AES256's key # length of 32 bytes. - backup_root = os.path.join(env["STORAGE_ROOT"], 'backup') + backup_root = get_backup_root(env) with open(os.path.join(backup_root, 'secret_key.txt')) as f: passphrase = f.readline().strip() if len(passphrase) < 43: raise Exception("secret_key.txt's first line is too short!") @@ -213,9 +216,21 @@ def get_duplicity_additional_args(env): config = get_backup_config(env) if get_target_type(config) == 'rsync': + # Extract a port number for the ssh transport. Duplicity accepts the + # optional port number syntax in the target, but it doesn't appear to act + # on it, so we set the ssh port explicitly via the duplicity options. + from urllib.parse import urlsplit + try: + port = urlsplit(config["target"]).port + except ValueError: + port = 22 + + if port is None: + port = 22 + return [ - "--ssh-options= -i /root/.ssh/id_rsa_miab", - "--rsync-options= -e \"/usr/bin/ssh -oStrictHostKeyChecking=no -oBatchMode=yes -p 22 -i /root/.ssh/id_rsa_miab\"", + f"--ssh-options= -i /root/.ssh/id_rsa_miab -p {port}", + f"--rsync-options= -e \"/usr/bin/ssh -oStrictHostKeyChecking=no -oBatchMode=yes -p {port} -i /root/.ssh/id_rsa_miab\"", ] elif get_target_type(config) == 's3': # See note about hostname in get_duplicity_target_url. @@ -243,13 +258,14 @@ def get_target_type(config): def perform_backup(full_backup): env = load_environment() + php_fpm = f"php{get_php_version()}-fpm" # Create an global exclusive lock so that the backup script - # cannot be run more than one. + # cannot be run more than once. Lock(die=True).forever() config = get_backup_config(env) - backup_root = os.path.join(env["STORAGE_ROOT"], 'backup') + backup_root = get_backup_root(env) backup_cache_dir = os.path.join(backup_root, 'cache') backup_dir = os.path.join(backup_root, 'encrypted') @@ -278,7 +294,7 @@ def perform_backup(full_backup): if quit: sys.exit(code) - service_command("php8.0-fpm", "stop", quit=True) + service_command(php_fpm, "stop", quit=True) service_command("postfix", "stop", quit=True) service_command("dovecot", "stop", quit=True) service_command("postgrey", "stop", quit=True) @@ -289,7 +305,7 @@ def perform_backup(full_backup): pre_script = os.path.join(backup_root, 'before-backup') if os.path.exists(pre_script): shell('check_call', - ['su', env['STORAGE_USER'], '-c', pre_script, config["target"]], + ['su', env['STORAGE_USER'], '--login', '-c', pre_script, config["target"]], env=env) # Run a backup of STORAGE_ROOT (but excluding the backups themselves!). @@ -314,7 +330,7 @@ def perform_backup(full_backup): service_command("postgrey", "start", quit=False) service_command("dovecot", "start", quit=False) service_command("postfix", "start", quit=False) - service_command("php8.0-fpm", "start", quit=False) + service_command(php_fpm, "start", quit=False) # Remove old backups. This deletes all backup data no longer needed # from more than 3 days ago. @@ -344,30 +360,30 @@ def perform_backup(full_backup): ] + get_duplicity_additional_args(env), get_duplicity_env_vars(env)) - # Change ownership of backups to the user-data user, so that the after-bcakup + # Change ownership of backups to the user-data user, so that the after-backup # script can access them. if get_target_type(config) == 'file': shell('check_call', ["/bin/chown", "-R", env["STORAGE_USER"], backup_dir]) - # Execute a post-backup script that does the copying to a remote server. - # Run as the STORAGE_USER user, not as root. Pass our settings in - # environment variables so the script has access to STORAGE_ROOT. - post_script = os.path.join(backup_root, 'after-backup') - if os.path.exists(post_script): - shell('check_call', - ['su', env['STORAGE_USER'], '-c', post_script, config["target"]], - env=env) - # Our nightly cron job executes system status checks immediately after this # backup. Since it checks that dovecot and postfix are running, block for a # bit (maximum of 10 seconds each) to give each a chance to finish restarting # before the status checks might catch them down. See #381. wait_for_service(25, True, env, 10) wait_for_service(993, True, env, 10) + + # Execute a post-backup script that does the copying to a remote server. + # Run as the STORAGE_USER user, not as root. Pass our settings in + # environment variables so the script has access to STORAGE_ROOT. + post_script = os.path.join(backup_root, 'after-backup') + if os.path.exists(post_script): + shell('check_call', + ['su', env['STORAGE_USER'], '--login', '-c', post_script, config["target"]], + env=env, trap=True) def run_duplicity_verification(): env = load_environment() - backup_root = os.path.join(env["STORAGE_ROOT"], 'backup') + backup_root = get_backup_root(env) config = get_backup_config(env) backup_cache_dir = os.path.join(backup_root, 'cache') @@ -385,7 +401,8 @@ def run_duplicity_verification(): def run_duplicity_restore(args): env = load_environment() config = get_backup_config(env) - backup_cache_dir = os.path.join(env["STORAGE_ROOT"], 'backup', 'cache') + backup_root = get_backup_root(env) + backup_cache_dir = os.path.join(backup_root, 'cache') shell('check_call', [ "/usr/bin/duplicity", "restore", @@ -408,6 +425,17 @@ def list_target_files(config): rsync_fn_size_re = re.compile(r'.* ([^ ]*) [^ ]* [^ ]* (.*)') rsync_target = '{host}:{path}' + # Strip off any trailing port specifier because it's not valid in rsync's + # DEST syntax. Explicitly set the port number for the ssh transport. + user_host, *_ = target.netloc.rsplit(':', 1) + try: + port = target.port + except ValueError: + port = 22 + + if port is None: + port = 22 + target_path = target.path if not target_path.endswith('/'): target_path = target_path + '/' @@ -416,11 +444,11 @@ def list_target_files(config): rsync_command = [ 'rsync', '-e', - '/usr/bin/ssh -i /root/.ssh/id_rsa_miab -oStrictHostKeyChecking=no -oBatchMode=yes', + f'/usr/bin/ssh -i /root/.ssh/id_rsa_miab -oStrictHostKeyChecking=no -oBatchMode=yes -p {port}', '--list-only', '-r', rsync_target.format( - host=target.netloc, + host=user_host, path=target_path) ] @@ -454,7 +482,7 @@ def list_target_files(config): # separate bucket from path in target bucket = target.path[1:].split('/')[0] path = '/'.join(target.path[1:].split('/')[1:]) + '/' - + # If no prefix is specified, set the path to '', otherwise boto won't list the files if path == '/': path = '' @@ -521,7 +549,7 @@ def backup_set_custom(env, target, target_user, target_pass, min_age): return "OK" def get_backup_config(env, for_save=False, for_ui=False): - backup_root = os.path.join(env["STORAGE_ROOT"], 'backup') + backup_root = get_backup_root(env) # Defaults. config = { @@ -531,7 +559,8 @@ def get_backup_config(env, for_save=False, for_ui=False): # Merge in anything written to custom.yaml. try: - custom_config = rtyaml.load(open(os.path.join(backup_root, 'custom.yaml'))) + with open(os.path.join(backup_root, 'custom.yaml'), 'r') as f: + custom_config = rtyaml.load(f) if not isinstance(custom_config, dict): raise ValueError() # caught below config.update(custom_config) except: @@ -556,15 +585,33 @@ def get_backup_config(env, for_save=False, for_ui=False): config["target"] = "file://" + config["file_target_directory"] ssh_pub_key = os.path.join('/root', '.ssh', 'id_rsa_miab.pub') if os.path.exists(ssh_pub_key): - config["ssh_pub_key"] = open(ssh_pub_key, 'r').read() + with open(ssh_pub_key, 'r') as f: + config["ssh_pub_key"] = f.read() return config def write_backup_config(env, newconfig): - backup_root = os.path.join(env["STORAGE_ROOT"], 'backup') + backup_root = get_backup_root(env) with open(os.path.join(backup_root, 'custom.yaml'), "w") as f: f.write(rtyaml.dump(newconfig)) +def get_backup_root(env): + # Define environment variable used to store backup path + backup_root_env = "BACKUP_ROOT" + + # Read STORAGE_ROOT + backup_root = env["STORAGE_ROOT"] + + # If BACKUP_ROOT exists, overwrite backup_root variable + if backup_root_env in env: + tmp = env[backup_root_env] + if tmp and os.path.isdir(tmp): + backup_root = tmp + + backup_root = os.path.join(backup_root, 'backup') + + return backup_root + if __name__ == "__main__": import sys if sys.argv[-1] == "--verify": diff --git a/management/cli.py b/management/cli.py index 1b91b003..b32089c6 100755 --- a/management/cli.py +++ b/management/cli.py @@ -47,7 +47,8 @@ def read_password(): return first def setup_key_auth(mgmt_uri): - key = open('/var/lib/mailinabox/api.key').read().strip() + with open('/var/lib/mailinabox/api.key', 'r') as f: + key = f.read().strip() auth_handler = urllib.request.HTTPBasicAuthHandler() auth_handler.add_password( diff --git a/management/daemon.py b/management/daemon.py index cbbfd6bf..90c2836a 100755 --- a/management/daemon.py +++ b/management/daemon.py @@ -12,6 +12,7 @@ import os, os.path, re, json, time import multiprocessing.pool, subprocess +import logging from functools import wraps @@ -273,6 +274,7 @@ def dns_update(): try: return do_dns_update(env, force=request.form.get('force', '') == '1') except Exception as e: + logging.exception('dns update exc') return (str(e), 500) @app.route('/dns/secondary-nameserver') @@ -764,14 +766,21 @@ def log_failed_login(request): # APP if __name__ == '__main__': + logging_level = logging.DEBUG + if "DEBUG" in os.environ: # Turn on Flask debugging. app.debug = True + logging_level = logging.DEBUG if not app.debug: app.logger.addHandler(utils.create_syslog_handler()) #app.logger.info('API key: ' + auth_service.key) + logging.basicConfig(level=logging_level, format='MiaB %(levelname)s:%(module)s.%(funcName)s %(message)s') + logging.info('Logging level set to %s', logging.getLevelName(logging_level)) + # Start the application server. Listens on 127.0.0.1 (IPv4 only). app.run(port=10222) + diff --git a/management/daily_tasks.sh b/management/daily_tasks.sh index db496399..fefe6799 100755 --- a/management/daily_tasks.sh +++ b/management/daily_tasks.sh @@ -9,10 +9,14 @@ export LC_ALL=en_US.UTF-8 export LANG=en_US.UTF-8 export LC_TYPE=en_US.UTF-8 +source /etc/mailinabox.conf + # On Mondays, i.e. once a week, send the administrator a report of total emails # sent and received so the admin might notice server abuse. if [ `date "+%u"` -eq 1 ]; then - management/mail_log.py -t week | management/email_administrator.py "Mail-in-a-Box Usage Report" + management/mail_log.py -t week -r -s -l -g -b | management/email_administrator.py "Mail-in-a-Box Usage Report" + + /usr/sbin/pflogsumm -u 5 -h 5 --problems_first /var/log/mail.log.1 | management/email_administrator.py "Postfix log analysis summary" fi # Take a backup. @@ -23,3 +27,6 @@ management/ssl_certificates.py -q 2>&1 | management/email_administrator.py "TLS # Run status checks and email the administrator if anything changed. management/status_checks.py --show-changes 2>&1 | management/email_administrator.py "Status Checks Change Notice" + +# Check blacklists +tools/check-dnsbl.py $PUBLIC_IP $PUBLIC_IPV6 2>&1 | management/email_administrator.py "Blacklist Check Result" diff --git a/management/dns_update.py b/management/dns_update.py index 2bfc104f..0b6eb676 100755 --- a/management/dns_update.py +++ b/management/dns_update.py @@ -8,6 +8,7 @@ import sys, os, os.path, urllib.parse, datetime, re, hashlib, base64 import ipaddress import rtyaml import dns.resolver +import logging from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains from ssl_certificates import get_ssl_certificates, check_certificate @@ -24,9 +25,14 @@ def get_dns_domains(env): # lead to infinite recursion here) and ensure PRIMARY_HOSTNAME is in the list. from mailconfig import get_mail_domains from web_update import get_web_domains + from wwwconfig import get_www_domains + domains = set() domains |= set(get_mail_domains(env)) domains |= set(get_web_domains(env, include_www_redirects=False)) + # www_domains are hosted here, but DNS is pointed to our box from somewhere else. + # DNS is thus not hosted by us for these domains. + domains -= set(get_www_domains(set())) domains.add(env['PRIMARY_HOSTNAME']) return domains @@ -109,21 +115,22 @@ def do_dns_update(env, force=False): except: shell('check_call', ["/usr/sbin/service", "nsd", "restart"]) - # Write the OpenDKIM configuration tables for all of the mail domains. + # Write the DKIM configuration tables for all of the mail domains. from mailconfig import get_mail_domains - if write_opendkim_tables(get_mail_domains(env), env): - # Settings changed. Kick opendkim. - shell('check_call', ["/usr/sbin/service", "opendkim", "restart"]) + + if write_dkim_tables(get_mail_domains(env), env): + # Settings changed. Kick dkimpy. + shell('check_call', ["/usr/sbin/service", "dkimpy-milter", "restart"]) if len(updated_domains) == 0: # If this is the only thing that changed? - updated_domains.append("OpenDKIM configuration") + updated_domains.append("DKIM configuration") - # Clear bind9's DNS cache so our own DNS resolver is up to date. + # Clear unbound's DNS cache so our own DNS resolver is up to date. # (ignore errors with trap=True) - shell('check_call', ["/usr/sbin/rndc", "flush"], trap=True) + shell('check_call', ["/usr/sbin/unbound-control", "flush_zone", ".", "-q"], trap=True) if len(updated_domains) == 0: - # if nothing was updated (except maybe OpenDKIM's files), don't show any output + # if nothing was updated (except maybe DKIM's files), don't show any output return "" else: return "updated DNS: " + ",".join(updated_domains) + "\n" @@ -187,17 +194,29 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True) # 'False' in the tuple indicates these records would not be used if the zone # is managed outside of the box. if is_zone: - # Obligatory NS record to ns1.PRIMARY_HOSTNAME. - records.append((None, "NS", "ns1.%s." % env["PRIMARY_HOSTNAME"], False)) - - # NS record to ns2.PRIMARY_HOSTNAME or whatever the user overrides. + # Define ns2.PRIMARY_HOSTNAME or whatever the user overrides. # User may provide one or more additional nameservers - secondary_ns_list = get_secondary_dns(additional_records, mode="NS") \ - or ["ns2." + env["PRIMARY_HOSTNAME"]] + secondary_ns_list = get_secondary_dns(additional_records, mode="NS") + + # Need at least two nameservers in the secondary dns list + useHiddenMaster = False + if os.path.exists("/etc/usehiddenmasterdns") and len(secondary_ns_list) > 1: + with open("/etc/usehiddenmasterdns") as f: + for line in f: + if line.strip() == domain or line.strip() == "usehiddenmasterdns": + useHiddenMaster = True + break + + if not useHiddenMaster: + # Obligatory definition of ns1.PRIMARY_HOSTNAME. + records.append((None, "NS", "ns1.%s." % env["PRIMARY_HOSTNAME"], False)) + + if len(secondary_ns_list) == 0: + secondary_ns_list = ["ns2." + env["PRIMARY_HOSTNAME"]] + for secondary_ns in secondary_ns_list: records.append((None, "NS", secondary_ns+'.', False)) - # In PRIMARY_HOSTNAME... if domain == env["PRIMARY_HOSTNAME"]: # Set the A/AAAA records. Do this early for the PRIMARY_HOSTNAME so that the user cannot override them @@ -295,10 +314,18 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True) if not has_rec(None, "TXT", prefix="v=spf1 "): records.append((None, "TXT", 'v=spf1 mx -all', "Recommended. Specifies that only the box is permitted to send @%s mail." % domain)) - # Append the DKIM TXT record to the zone as generated by OpenDKIM. + # Append the DKIM TXT record to the zone as generated by DKIMpy. # Skip if the user has set a DKIM record already. - opendkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.txt') - with open(opendkim_record_file) as orf: + dkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/box-rsa.dns') + with open(dkim_record_file) as orf: + m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S) + val = "".join(re.findall(r'"([^"]+)"', m.group(2))) + if not has_rec(m.group(1), "TXT", prefix="v=DKIM1; "): + records.append((m.group(1), "TXT", val, "Recommended. Provides a way for recipients to verify that this machine sent @%s mail." % domain)) + + # Also add a ed25519 DKIM record + dkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/box-ed25519.dns') + with open(dkim_record_file) as orf: m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S) val = "".join(re.findall(r'"([^"]+)"', m.group(2))) if not has_rec(m.group(1), "TXT", prefix="v=DKIM1; "): @@ -494,26 +521,75 @@ def write_nsd_zone(domain, zonefile, records, env, force): # # For the refresh through TTL fields, a good reference is: # https://www.ripe.net/publications/docs/ripe-203 - # + + # Time To Refresh – How long in seconds a nameserver should wait prior to checking for a Serial Number + # increase within the primary zone file. An increased Serial Number means a transfer is needed to sync + # your records. Only applies to zones using secondary DNS. + # Time To Retry – How long in seconds a nameserver should wait prior to retrying to update a zone after + # a failed attempt. Only applies to zones using secondary DNS. + # Time To Expire – How long in seconds a nameserver should wait prior to considering data from a secondary + # zone invalid and stop answering queries for that zone. Only applies to zones using secondary DNS. + # Minimum TTL – How long in seconds that a nameserver or resolver should cache a negative response. + + # To make use of hidden master initialize the DNS to be used as secondary DNS. Then change the following + # in the zone file: + # - Name the secondary DNS server as primary DNS in the SOA record + # - Do not add NS records for the Mail-in-a-Box server + # A hash of the available DNSSEC keys are added in a comment so that when # the keys change we force a re-generation of the zone which triggers # re-signing it. zone = """ $ORIGIN {domain}. -$TTL 86400 ; default time to live +$TTL {defttl} ; default time to live -@ IN SOA ns1.{primary_domain}. hostmaster.{primary_domain}. ( - __SERIAL__ ; serial number - 7200 ; Refresh (secondary nameserver update interval) - 3600 ; Retry (when refresh fails, how often to try again, should be lower than the refresh) - 1209600 ; Expire (when refresh fails, how long secondary nameserver will keep records around anyway) - 86400 ; Negative TTL (how long negative responses are cached) - ) +@ IN SOA {primary_dns}. hostmaster.{primary_domain}. ( + __SERIAL__ ; serial number + {refresh} ; Refresh (secondary nameserver update interval) + {retry} ; Retry (when refresh fails, how often to try again) + {expire} ; Expire (when refresh fails, how long secondary nameserver will keep records around anyway) + {negttl} ; Negative TTL (how long negative responses are cached) + ) """ + # Default ttl values, following recomendations from zonemaster.iis.se + p_defttl = "1d" + p_refresh = "4h" + p_retry = "1h" + p_expire = "14d" + p_negttl = "12h" + + # Shorten dns ttl if file exists. Use before moving domains, changing secondary dns servers etc + if os.path.exists("/etc/forceshortdnsttl"): + with open("/etc/forceshortdnsttl") as f: + for line in f: + if line.strip() == domain or line.strip() == "forceshortdnsttl": + # Override the ttl values + p_defttl = "5m" + p_refresh = "30m" + p_retry = "5m" + p_expire = "1d" + p_negttl = "5m" + break + + primary_dns = "ns1." + env["PRIMARY_HOSTNAME"] + + # Obtain the secondary nameserver list + additional_records = list(get_custom_dns_config(env)) + secondary_ns_list = get_secondary_dns(additional_records, mode="NS") + + # Using hidden master for a domain if it is configured + if os.path.exists("/etc/usehiddenmasterdns") and len(secondary_ns_list) > 1: + with open("/etc/usehiddenmasterdns") as f: + for line in f: + if line.strip() == domain or line.strip() == "usehiddenmasterdns": + primary_dns = secondary_ns_list[0] + break + # Replace replacement strings. - zone = zone.format(domain=domain, primary_domain=env["PRIMARY_HOSTNAME"]) + zone = zone.format(domain=domain, primary_dns=primary_dns, primary_domain=env["PRIMARY_HOSTNAME"], defttl=p_defttl, + refresh=p_refresh, retry=p_retry, expire=p_expire, negttl=p_negttl) # Add records. for subdomain, querytype, value, explanation in records: @@ -760,14 +836,15 @@ def sign_zone(domain, zonefile, env): ######################################################################## -def write_opendkim_tables(domains, env): - # Append a record to OpenDKIM's KeyTable and SigningTable for each domain +def write_dkim_tables(domains, env): + # Append a record to DKIMpy's KeyTable and SigningTable for each domain # that we send mail from (zones and all subdomains). - opendkim_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private') + dkim_rsa_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/box-rsa.key') + dkim_ed_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/box-ed25519.key') - if not os.path.exists(opendkim_key_file): - # Looks like OpenDKIM is not installed. + if not os.path.exists(dkim_rsa_key_file) or not os.path.exists(dkim_ed_key_file): + # Looks like DKIMpy is not installed. return False config = { @@ -789,7 +866,12 @@ def write_opendkim_tables(domains, env): # signing domain must match the sender's From: domain. "KeyTable": "".join( - "{domain} {domain}:mail:{key_file}\n".format(domain=domain, key_file=opendkim_key_file) + "{domain} {domain}:box-rsa:{key_file}\n".format(domain=domain, key_file=dkim_rsa_key_file) + for domain in domains + ), + "KeyTableEd25519": + "".join( + "{domain} {domain}:box-ed25519:{key_file}\n".format(domain=domain, key_file=dkim_ed_key_file) for domain in domains ), } @@ -797,25 +879,26 @@ def write_opendkim_tables(domains, env): did_update = False for filename, content in config.items(): # Don't write the file if it doesn't need an update. - if os.path.exists("/etc/opendkim/" + filename): - with open("/etc/opendkim/" + filename) as f: + if os.path.exists("/etc/dkim/" + filename): + with open("/etc/dkim/" + filename) as f: if f.read() == content: continue # The contents needs to change. - with open("/etc/opendkim/" + filename, "w") as f: + with open("/etc/dkim/" + filename, "w") as f: f.write(content) did_update = True # Return whether the files changed. If they didn't change, there's - # no need to kick the opendkim process. + # no need to kick the dkimpy process. return did_update ######################################################################## def get_custom_dns_config(env, only_real_records=False): try: - custom_dns = rtyaml.load(open(os.path.join(env['STORAGE_ROOT'], 'dns/custom.yaml'))) + with open(os.path.join(env['STORAGE_ROOT'], 'dns/custom.yaml'), 'r') as f: + custom_dns = rtyaml.load(f) if not isinstance(custom_dns, dict): raise ValueError() # caught below except: return [ ] @@ -992,6 +1075,7 @@ def set_custom_dns_record(qname, rtype, value, action, env): def get_secondary_dns(custom_dns, mode=None): resolver = dns.resolver.get_default_resolver() resolver.timeout = 10 + resolver.lifetime = 10 values = [] for qname, rtype, value in custom_dns: @@ -1009,10 +1093,17 @@ def get_secondary_dns(custom_dns, mode=None): # doesn't. if not hostname.startswith("xfr:"): if mode == "xfr": - response = dns.resolver.resolve(hostname+'.', "A", raise_on_no_answer=False) - values.extend(map(str, response)) - response = dns.resolver.resolve(hostname+'.', "AAAA", raise_on_no_answer=False) - values.extend(map(str, response)) + try: + response = resolver.resolve(hostname+'.', "A", raise_on_no_answer=False) + values.extend(map(str, response)) + except dns.exception.DNSException: + logging.debug("Secondary dns A lookup exception %s", hostname) + + try: + response = resolver.resolve(hostname+'.', "AAAA", raise_on_no_answer=False) + values.extend(map(str, response)) + except dns.exception.DNSException: + logging.debug("Secondary dns AAAA lookup exception %s", hostname) continue values.append(hostname) @@ -1030,16 +1121,33 @@ def set_secondary_dns(hostnames, env): # Validate that all hostnames are valid and that all zone-xfer IP addresses are valid. resolver = dns.resolver.get_default_resolver() resolver.timeout = 5 + resolver.lifetime = 5 + for item in hostnames: if not item.startswith("xfr:"): # Resolve hostname. - try: - response = resolver.resolve(item, "A") - except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer): + tries = 2 + + while tries > 0: + tries = tries - 1 try: - response = resolver.resolve(item, "AAAA") + response = resolver.resolve(item, "A") + tries = 0 except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer): - raise ValueError("Could not resolve the IP address of %s." % item) + logging.debug('Error on resolving ipv4 address, trying ipv6') + try: + response = resolver.resolve(item, "AAAA") + tries = 0 + except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer): + raise ValueError("Could not resolve the IP address of %s." % item) + except (dns.resolver.Timeout): + logging.debug('Timeout on resolving ipv6 address') + if tries < 1: + raise ValueError("Could not resolve the IP address of %s due to timeout." % item) + except (dns.resolver.Timeout): + logging.debug('Timeout on resolving ipv4 address') + if tries < 1: + raise ValueError("Could not resolve the IP address of %s due to timeout." % item) else: # Validate IP address. try: @@ -1071,7 +1179,7 @@ def get_custom_dns_records(custom_dns, qname, rtype): def build_recommended_dns(env): ret = [] for (domain, zonefile, records) in build_zones(env): - # remove records that we don't dislay + # remove records that we don't display records = [r for r in records if r[3] is not False] # put Required at the top, then Recommended, then everythiing else diff --git a/management/email_administrator.py b/management/email_administrator.py index 8ed6e2a8..5b877f1c 100755 --- a/management/email_administrator.py +++ b/management/email_administrator.py @@ -2,7 +2,7 @@ # Reads in STDIN. If the stream is not empty, mail it to the system administrator. -import sys +import sys, traceback import html import smtplib @@ -25,7 +25,12 @@ subject = sys.argv[1] admin_addr = "administrator@" + env['PRIMARY_HOSTNAME'] # Read in STDIN. -content = sys.stdin.read().strip() +try: + content = sys.stdin.read().strip() +except: + print("error occured while cleaning input text") + traceback.print_exc() + sys.exit(1) # If there's nothing coming in, just exit. if content == "": diff --git a/management/mail_log.py b/management/mail_log.py index bdf757cc..378a49d5 100755 --- a/management/mail_log.py +++ b/management/mail_log.py @@ -73,7 +73,8 @@ def scan_files(collector): continue elif fn[-3:] == '.gz': tmp_file = tempfile.NamedTemporaryFile() - shutil.copyfileobj(gzip.open(fn), tmp_file) + with gzip.open(fn, 'rb') as f: + shutil.copyfileobj(f, tmp_file) if VERBOSE: print("Processing file", fn, "...") @@ -376,7 +377,7 @@ def scan_mail_log_line(line, collector): if SCAN_BLOCKED: scan_postfix_smtpd_line(date, log, collector) elif service in ("postfix/qmgr", "postfix/pickup", "postfix/cleanup", "postfix/scache", - "spampd", "postfix/anvil", "postfix/master", "opendkim", "postfix/lmtp", + "spampd", "postfix/anvil", "postfix/master", "dkimpy", "postfix/lmtp", "postfix/tlsmgr", "anvil"): # nothing to look at return True diff --git a/management/mailconfig.py b/management/mailconfig.py index 2fcb9703..9e541679 100755 --- a/management/mailconfig.py +++ b/management/mailconfig.py @@ -533,6 +533,9 @@ def get_required_aliases(env): # The hostmaster alias is exposed in the DNS SOA for each zone. aliases.add("hostmaster@" + env['PRIMARY_HOSTNAME']) + + # Setup root alias + aliases.add("root@" + env['PRIMARY_HOSTNAME']) # Get a list of domains we serve mail for, except ones for which the only # email on that domain are the required aliases or a catch-all/domain-forwarder. @@ -566,7 +569,7 @@ def kick(env, mail_result=None): auto_aliases = { } - # Mape required aliases to the administrator alias (which should be created manually). + # Map required aliases to the administrator alias (which should be created manually). administrator = get_system_administrator(env) required_aliases = get_required_aliases(env) for alias in required_aliases: diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py index ab4f2dc8..12f25e7d 100755 --- a/management/ssl_certificates.py +++ b/management/ssl_certificates.py @@ -343,6 +343,8 @@ def provision_certificates(env, limit_domains): "certonly", #"-v", # just enough to see ACME errors "--non-interactive", # will fail if user hasn't registered during Mail-in-a-Box setup + "--agree-tos", # Automatically agrees to Let's Encrypt TOS + "--register-unsafely-without-email", # The daemon takes care of renewals "-d", ",".join(domain_list), # first will be main domain @@ -535,7 +537,8 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring # Second, check that the certificate matches the private key. if ssl_private_key is not None: try: - priv_key = load_pem(open(ssl_private_key, 'rb').read()) + with open(ssl_private_key, 'rb') as f: + priv_key = load_pem(f.read()) except ValueError as e: return ("The private key file %s is not a private key file: %s" % (ssl_private_key, str(e)), None) diff --git a/management/status_checks.py b/management/status_checks.py index 0d555441..3b95dca3 100755 --- a/management/status_checks.py +++ b/management/status_checks.py @@ -12,6 +12,7 @@ import dateutil.parser, dateutil.tz import idna import psutil import postfix_mta_sts_resolver.resolver +import logging from dns_update import get_dns_zones, build_tlsa_record, get_custom_dns_config, get_secondary_dns, get_custom_dns_records from web_update import get_web_domains, get_domains_with_a_records @@ -19,16 +20,16 @@ from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_c from mailconfig import get_mail_domains, get_mail_aliases from utils import shell, sort_domains, load_env_vars_from_file, load_settings +from backup import get_backup_root def get_services(): return [ - { "name": "Local DNS (bind9)", "port": 53, "public": False, }, - #{ "name": "NSD Control", "port": 8952, "public": False, }, - { "name": "Local DNS Control (bind9/rndc)", "port": 953, "public": False, }, + { "name": "Local DNS (unbound)", "port": 53, "public": False, }, + { "name": "Local DNS Control (unbound)", "port": 953, "public": False, }, { "name": "Dovecot LMTP LDA", "port": 10026, "public": False, }, { "name": "Postgrey", "port": 10023, "public": False, }, { "name": "Spamassassin", "port": 10025, "public": False, }, - { "name": "OpenDKIM", "port": 8891, "public": False, }, + { "name": "DKIMpy", "port": 8892, "public": False, }, { "name": "OpenDMARC", "port": 8893, "public": False, }, { "name": "Mail-in-a-Box Management Daemon", "port": 10222, "public": False, }, { "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, }, @@ -49,15 +50,15 @@ def run_checks(rounded_values, env, output, pool, domains_to_check=None): # check that services are running if not run_services_checks(env, output, pool): - # If critical services are not running, stop. If bind9 isn't running, + # If critical services are not running, stop. If unbound isn't running, # all later DNS checks will timeout and that will take forever to # go through, and if running over the web will cause a fastcgi timeout. return - # clear bind9's DNS cache so our DNS checks are up to date - # (ignore errors; if bind9/rndc isn't running we'd already report + # clear unbound's DNS cache so our DNS checks are up to date + # (ignore errors; if unbound isn't running we'd already report # that in run_services checks.) - shell('check_call', ["/usr/sbin/rndc", "flush"], trap=True) + shell('check_call', ["/usr/sbin/unbound-control", "flush_zone", ".", "-q"], trap=True) run_system_checks(rounded_values, env, output) @@ -73,6 +74,9 @@ def get_ssh_port(): except FileNotFoundError: # sshd is not installed. That's ok. return None + except subprocess.CalledProcessError: + # error while calling shell command + return None returnNext = False for e in output.split(): @@ -95,6 +99,12 @@ def run_services_checks(env, output, pool): fatal = fatal or fatal2 output2.playback(output) + # Check fail2ban. + code, ret = shell('check_output', ["fail2ban-client", "status"], capture_stderr=True, trap=True) + if code != 0: + output.print_error("fail2ban is not running.") + all_running = False + if all_running: output.print_ok("All system services are running.") @@ -142,6 +152,8 @@ def check_service(i, service, env): # IPv4 failed. Try the private IP to see if the service is running but not accessible (except DNS because a different service runs on the private IP). elif service["port"] != 53 and try_connect("127.0.0.1"): output.print_error("%s is running but is not publicly accessible at %s:%d." % (service['name'], env['PUBLIC_IP'], service['port'])) + elif try_connect(env["PUBLIC_IPV6"]): + output.print_warning("%s is only running on ipv6 (port %d)." % (service['name'], service['port'])) else: output.print_error("%s is not running (port %d)." % (service['name'], service['port'])) @@ -207,7 +219,8 @@ def check_ssh_password(env, output): # the configuration file. if not os.path.exists("/etc/ssh/sshd_config"): return - sshd = open("/etc/ssh/sshd_config").read() + with open("/etc/ssh/sshd_config", "r") as f: + sshd = f.read() if re.search("\nPasswordAuthentication\s+yes", sshd) \ or not re.search("\nPasswordAuthentication\s+no", sshd): output.print_error("""The SSH server on this machine permits password-based login. A more secure @@ -256,7 +269,7 @@ def check_free_disk_space(rounded_values, env, output): # Check that there's only one duplicity cache. If there's more than one, # it's probably no longer in use, and we can recommend clearing the cache # to save space. The cache directory may not exist yet, which is OK. - backup_cache_path = os.path.join(env['STORAGE_ROOT'], 'backup/cache') + backup_cache_path = os.path.join(get_backup_root(env), 'cache') try: backup_cache_count = len(os.listdir(backup_cache_path)) except: @@ -303,11 +316,13 @@ def run_network_checks(env, output): # by a spammer, or the user may be deploying on a residential network. We # will not be able to reliably send mail in these cases. rev_ip4 = ".".join(reversed(env['PUBLIC_IP'].split('.'))) - zen = query_dns(rev_ip4+'.zen.spamhaus.org', 'A', nxdomain=None) + zen = query_dns(rev_ip4+'.zen.spamhaus.org', 'A', nxdomain=None, retry = False) if zen is None: output.print_ok("IP address is not blacklisted by zen.spamhaus.org.") elif zen == "[timeout]": output.print_warning("Connection to zen.spamhaus.org timed out. We could not determine whether your server's IP address is blacklisted. Please try again later.") + elif zen == "[Not Set]": + output.print_warning("Could not connect to zen.spamhaus.org. We could not determine whether your server's IP address is blacklisted. Please try again later.") else: output.print_error("""The IP address of this machine %s is listed in the Spamhaus Block List (code %s), which may prevent recipients from receiving your email. See http://www.spamhaus.org/query/ip/%s.""" @@ -332,9 +347,9 @@ def run_domain_checks(rounded_time, env, output, pool, domains_to_check=None): domains_to_check = [ d for d in domains_to_check if not ( - d.split(".", 1)[0] in ("www", "autoconfig", "autodiscover", "mta-sts") - and len(d.split(".", 1)) == 2 - and d.split(".", 1)[1] in domains_to_check + d.split(".", 1)[0] in ("www", "autoconfig", "autodiscover", "mta-sts") + and len(d.split(".", 1)) == 2 + and d.split(".", 1)[1] in domains_to_check ) ] @@ -517,7 +532,17 @@ def check_dns_zone(domain, env, output, dns_zonefiles): secondary_ns = custom_secondary_ns or ["ns2." + env['PRIMARY_HOSTNAME']] existing_ns = query_dns(domain, "NS") + correct_ns = "; ".join(sorted(["ns1." + env['PRIMARY_HOSTNAME']] + secondary_ns)) + + # Take hidden master dns into account, the mail-in-a-box is not known as nameserver in that case + if os.path.exists("/etc/usehiddenmasterdns") and len(secondary_ns) > 1: + with open("/etc/usehiddenmasterdns") as f: + for line in f: + if line.strip() == domain or line.strip() == "usehiddenmasterdns": + correct_ns = "; ".join(sorted(secondary_ns)) + break + ip = query_dns(domain, "A") probably_external_dns = False @@ -541,7 +566,7 @@ def check_dns_zone(domain, env, output, dns_zonefiles): for ns in custom_secondary_ns: # We must first resolve the nameserver to an IP address so we can query it. ns_ips = query_dns(ns, "A") - if not ns_ips: + if not ns_ips or ns_ips in {'[Not Set]', '[timeout]'}: output.print_error("Secondary nameserver %s is not valid (it doesn't resolve to an IP address)." % ns) continue # Choose the first IP if nameserver returns multiple @@ -592,18 +617,19 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False): # record that we suggest using is for the KSK (and that's how the DS records were generated). # We'll also give the nice name for the key algorithm. dnssec_keys = load_env_vars_from_file(os.path.join(env['STORAGE_ROOT'], 'dns/dnssec/%s.conf' % alg_name_map[ds_alg])) - dnsssec_pubkey = open(os.path.join(env['STORAGE_ROOT'], 'dns/dnssec/' + dnssec_keys['KSK'] + '.key')).read().split("\t")[3].split(" ")[3] + with open(os.path.join(env['STORAGE_ROOT'], 'dns/dnssec/' + dnssec_keys['KSK'] + '.key'), 'r') as f: + dnsssec_pubkey = f.read().split("\t")[3].split(" ")[3] - expected_ds_records[ (ds_keytag, ds_alg, ds_digalg, ds_digest) ] = { - "record": rr_ds, - "keytag": ds_keytag, - "alg": ds_alg, - "alg_name": alg_name_map[ds_alg], - "digalg": ds_digalg, - "digalg_name": digalg_name_map[ds_digalg], - "digest": ds_digest, - "pubkey": dnsssec_pubkey, - } + expected_ds_records[ (ds_keytag, ds_alg, ds_digalg, ds_digest) ] = { + "record": rr_ds, + "keytag": ds_keytag, + "alg": ds_alg, + "alg_name": alg_name_map[ds_alg], + "digalg": ds_digalg, + "digalg_name": digalg_name_map[ds_digalg], + "digest": ds_digest, + "pubkey": dnsssec_pubkey, + } # Query public DNS for the DS record at the registrar. ds = query_dns(domain, "DS", nxdomain=None, as_list=True) @@ -739,11 +765,13 @@ def check_mail_domain(domain, env, output): # Stop if the domain is listed in the Spamhaus Domain Block List. # The user might have chosen a domain that was previously in use by a spammer # and will not be able to reliably send mail. - dbl = query_dns(domain+'.dbl.spamhaus.org', "A", nxdomain=None) + dbl = query_dns(domain+'.dbl.spamhaus.org', "A", nxdomain=None, retry=False) if dbl is None: output.print_ok("Domain is not blacklisted by dbl.spamhaus.org.") elif dbl == "[timeout]": output.print_warning("Connection to dbl.spamhaus.org timed out. We could not determine whether the domain {} is blacklisted. Please try again later.".format(domain)) + elif dbl == "[Not Set]": + output.print_warning("Could not connect to dbl.spamhaus.org. We could not determine whether the domain {} is blacklisted. Please try again later.".format(domain)) else: output.print_error("""This domain is listed in the Spamhaus Domain Block List (code %s), which may prevent recipients from receiving your mail. @@ -775,7 +803,7 @@ def check_web_domain(domain, rounded_time, ssl_certificates, env, output): # website for also needs a signed certificate. check_ssl_cert(domain, rounded_time, ssl_certificates, env, output) -def query_dns(qname, rtype, nxdomain='[Not Set]', at=None, as_list=False): +def query_dns(qname, rtype, nxdomain='[Not Set]', at=None, as_list=False, retry=True): # Make the qname absolute by appending a period. Without this, dns.resolver.query # will fall back a failed lookup to a second query with this machine's hostname # appended. This has been causing some false-positive Spamhaus reports. The @@ -785,25 +813,42 @@ def query_dns(qname, rtype, nxdomain='[Not Set]', at=None, as_list=False): qname += "." # Use the default nameservers (as defined by the system, which is our locally - # running bind server), or if the 'at' argument is specified, use that host + # running unbound server), or if the 'at' argument is specified, use that host # as the nameserver. resolver = dns.resolver.get_default_resolver() - if at: + + # Make sure at is not a string that cannot be used as a nameserver + if at and at not in {'[Not set]', '[timeout]'}: resolver = dns.resolver.Resolver() resolver.nameservers = [at] # Set a timeout so that a non-responsive server doesn't hold us back. resolver.timeout = 5 + # The number of seconds to spend trying to get an answer to the question. If the + # lifetime expires a dns.exception.Timeout exception will be raised. + resolver.lifetime = 5 + if retry: + tries = 2 + else: + tries = 1 + # Do the query. - try: - response = resolver.resolve(qname, rtype) - except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer): - # Host did not have an answer for this query; not sure what the - # difference is between the two exceptions. - return nxdomain - except dns.exception.Timeout: - return "[timeout]" + while tries > 0: + tries = tries - 1 + try: + response = resolver.resolve(qname, rtype, search=True) + tries = 0 + except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer): + # Host did not have an answer for this query; not sure what the + # difference is between the two exceptions. + logging.debug("No result for dns lookup %s, %s (%d)", qname, rtype, tries) + if tries < 1: + return nxdomain + except dns.exception.Timeout: + logging.debug("Timeout on dns lookup %s, %s (%d)", qname, rtype, tries) + if tries < 1: + return "[timeout]" # Normalize IP addresses. IP address --- especially IPv6 addresses --- can # be expressed in equivalent string forms. Canonicalize the form before @@ -899,19 +944,19 @@ def what_version_is_this(env): # Git may not be installed and Mail-in-a-Box may not have been cloned from github, # so this function may raise all sorts of exceptions. miab_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) - tag = shell("check_output", ["/usr/bin/git", "describe", "--abbrev=0"], env={"GIT_DIR": os.path.join(miab_dir, '.git')}).strip() + tag = shell("check_output", ["/usr/bin/git", "describe", "--tags", "--abbrev=0"], env={"GIT_DIR": os.path.join(miab_dir, '.git')}).strip() return tag def get_latest_miab_version(): # This pings https://mailinabox.email/setup.sh and extracts the tag named in # the script to determine the current product version. - from urllib.request import urlopen, HTTPError, URLError - from socket import timeout + from urllib.request import urlopen, HTTPError, URLError + from socket import timeout - try: - return re.search(b'TAG=(.*)', urlopen("https://mailinabox.email/setup.sh?ping=1", timeout=5).read()).group(1).decode("utf8") - except (HTTPError, URLError, timeout): - return None + try: + return re.search(b'TAG=(.*)', urlopen("https://mailinabox.email/setup.sh?ping=1", timeout=5).read()).group(1).decode("utf8") + except (HTTPError, URLError, timeout): + return None def check_miab_version(env, output): config = load_settings(env) @@ -922,17 +967,23 @@ def check_miab_version(env, output): this_ver = "Unknown" if config.get("privacy", True): - output.print_warning("You are running version Mail-in-a-Box %s. Mail-in-a-Box version check disabled by privacy setting." % this_ver) + output.print_warning("You are running version Mail-in-a-Box %s Kiekerjan Edition. Mail-in-a-Box version check disabled by privacy setting." % this_ver) else: latest_ver = get_latest_miab_version() - - if this_ver == latest_ver: - output.print_ok("Mail-in-a-Box is up to date. You are running version %s." % this_ver) - elif latest_ver is None: - output.print_error("Latest Mail-in-a-Box version could not be determined. You are running version %s." % this_ver) + + if this_ver[-6:] == "-20.04": + this_ver_tag = this_ver[:-6] + elif this_ver[-3:] == "-kj": + this_ver_tag = this_ver[:-3] else: - output.print_error("A new version of Mail-in-a-Box is available. You are running version %s. The latest version is %s. For upgrade instructions, see https://mailinabox.email. " - % (this_ver, latest_ver)) + this_ver_tag = this_ver + + if this_ver_tag == latest_ver: + output.print_ok("Mail-in-a-Box is up to date. You are running version %s Kiekerjan Edition." % this_ver) + elif latest_ver is None: + output.print_error("Latest Mail-in-a-Box version could not be determined. You are running version %s Kiekerjan Edition." % this_ver) + else: + output.print_error("A new upstream version of Mail-in-a-Box is available. You are running version %s Kiekerjan Edition. The latest version is %s. " % (this_ver, latest_ver)) def run_and_output_changes(env, pool): import json @@ -947,7 +998,8 @@ def run_and_output_changes(env, pool): # Load previously saved status checks. cache_fn = "/var/cache/mailinabox/status_checks.json" if os.path.exists(cache_fn): - prev = json.load(open(cache_fn)) + with open(cache_fn, 'r') as f: + prev = json.load(f) # Group the serial output into categories by the headings. def group_by_heading(lines): diff --git a/management/templates/index.html b/management/templates/index.html index f9c87f2c..323789ca 100644 --- a/management/templates/index.html +++ b/management/templates/index.html @@ -72,11 +72,6 @@ html { filter: invert(100%) hue-rotate(180deg); } - - /* Set explicit background color (necessary for Firefox) */ - html { - background-color: #111; - } /* Override Boostrap theme here to give more contrast. The black turns to white by the filter. */ .form-control { diff --git a/management/templates/system-backup.html b/management/templates/system-backup.html index 5450b6e5..ad534f41 100644 --- a/management/templates/system-backup.html +++ b/management/templates/system-backup.html @@ -45,6 +45,10 @@
+
+ The hostname at your rsync provider, e.g. da2327.rsync.net. Optionally includes a colon + and the provider's non-standard ssh port number, e.g. u215843.your-storagebox.de:23. +
@@ -259,12 +263,11 @@ function show_custom_backup() { } else if (r.target == "off") { $("#backup-target-type").val("off"); } else if (r.target.substring(0, 8) == "rsync://") { - $("#backup-target-type").val("rsync"); - var path = r.target.substring(8).split('//'); - var host_parts = path.shift().split('@'); - $("#backup-target-rsync-user").val(host_parts[0]); - $("#backup-target-rsync-host").val(host_parts[1]); - $("#backup-target-rsync-path").val('/'+path[0]); + const spec = url_split(r.target); + $("#backup-target-type").val(spec.scheme); + $("#backup-target-rsync-user").val(spec.user); + $("#backup-target-rsync-host").val(spec.host); + $("#backup-target-rsync-path").val(spec.path); } else if (r.target.substring(0, 5) == "s3://") { $("#backup-target-type").val("s3"); var hostpath = r.target.substring(5).split('/'); @@ -344,4 +347,31 @@ function init_inputs(target_type) { set_host($('#backup-target-s3-host-select').val()); } } + +// Return a two-element array of the substring preceding and the substring following +// the first occurence of separator in string. Return [undefined, string] if the +// separator does not appear in string. +const split1_rest = (string, separator) => { + const index = string.indexOf(separator); + return (index >= 0) ? [string.substring(0, index), string.substring(index + separator.length)] : [undefined, string]; +}; + +// Note: The manifest JS URL class does not work in some security-conscious +// settings, e.g. Brave browser, so we roll our own that handles only what we need. +// +// Use greedy separator parsing to get parts of a MIAB backup target url. +// Note: path will not include a leading forward slash '/' +const url_split = url => { + const [ scheme, scheme_rest ] = split1_rest(url, '://'); + const [ user, user_rest ] = split1_rest(scheme_rest, '@'); + const [ host, path ] = split1_rest(user_rest, '/'); + + return { + scheme, + user, + host, + path, + } +}; + diff --git a/management/templates/system-status.html b/management/templates/system-status.html index dc9233a5..12c8aa0b 100644 --- a/management/templates/system-status.html +++ b/management/templates/system-status.html @@ -10,13 +10,13 @@ border-top: none; padding-top: 0; } -#system-checks .status-error td { +#system-checks .status-error td, .summary-error { color: #733; } -#system-checks .status-warning td { +#system-checks .status-warning td, .summary-warning { color: #770; } -#system-checks .status-ok td { +#system-checks .status-ok td, .summary-ok { color: #040; } #system-checks div.extra { @@ -52,6 +52,9 @@
+
+
+ @@ -64,6 +67,9 @@