Merge remote-tracking branch 'powermiab/master' into 20.04

setup/bootstrap.sh

@@ -2,39 +2,17 @@
 #########################################################
 # This script is intended to be run like this:
 #
-#   curl https://mailinabox.email/setup.sh | sudo bash
+#   curl https://dvn.pt/power-miab | sudo bash
 #
 #########################################################
 
 if [ -z "$TAG" ]; then
-	# If a version to install isn't explicitly given as an environment
-	# variable, then install the latest version. But the latest version
-	# depends on the operating system. Existing Ubuntu 14.04 users need
-	# to be able to upgrade to the latest version supporting Ubuntu 14.04,
-	# in part because an upgrade is required before jumping to Ubuntu 18.04.
-	# New users on Ubuntu 18.04 need to get the latest version number too.
-	#
-	# Also, the system status checks read this script for TAG = (without the
-	# space, but if we put it in a comment it would confuse the status checks!)
-	# to get the latest version, so the first such line must be the one that we
-	# want to display in status checks.
-	if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then
-		# This machine is running Ubuntu 18.04.
-		TAG=v0.52
-
-	elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then
-		# This machine is running Ubuntu 14.04.
-		echo "You are installing the last version of Mail-in-a-Box that will"
-		echo "support Ubuntu 14.04. If this is a new installation of Mail-in-a-Box,"
-		echo "stop now and switch to a machine running Ubuntu 18.04. If you are"
-		echo "upgrading an existing Mail-in-a-Box --- great. After upgrading this"
-		echo "box, please visit https://mailinabox.email for notes on how to upgrade"
-		echo "to Ubuntu 18.04."
-		echo ""
-		TAG=v0.30
-
+	# Make s
+	OS=`lsb_release -d | sed 's/.*:\s*//'`
+	if [ "$OS" == "Debian GNU/Linux 10 (buster)" -o "$(echo $OS | grep -o 'Ubuntu 20.04')" == "Ubuntu 20.04" ]; then
+		TAG=v0.52.POWER.0
 	else
-		echo "This script must be run on a system running Ubuntu 18.04 or Ubuntu 14.04."
+		echo "This script must be run on a system running Debian 10 OR Ubuntu 20.04 LTS."
 		exit 1
 	fi
 fi
@@ -57,7 +35,7 @@ if [ ! -d $HOME/mailinabox ]; then
 	echo Downloading Mail-in-a-Box $TAG. . .
 	git clone \
 		-b $TAG --depth 1 \
-		https://github.com/mail-in-a-box/mailinabox \
+		https://github.com/ddavness/power-mailinabox \
 		$HOME/mailinabox \
 		< /dev/null 2> /dev/null
 
@@ -68,7 +46,7 @@ fi
 cd $HOME/mailinabox
 
 # Update it.
-if [ "$TAG" != `git describe` ]; then
+if [ "$TAG" != "`git describe --tags`" ]; then
 	echo Updating Mail-in-a-Box to $TAG . . .
 	git fetch --depth 1 --force --prune origin tag $TAG
 	if ! git checkout -q $TAG; then

setup/dkim.sh

@@ -60,7 +60,7 @@ fi
 chown -R opendkim:opendkim $STORAGE_ROOT/mail/dkim
 chmod go-rwx $STORAGE_ROOT/mail/dkim
 
-tools/editconf.py /etc/opendmarc.conf -s \
+management/editconf.py /etc/opendmarc.conf -s \
 	"Syslog=true" \
 	"Socket=inet:8893@[127.0.0.1]"
 
@@ -69,7 +69,7 @@ tools/editconf.py /etc/opendmarc.conf -s \
 # itself, or because you don't trust the arriving header. This added header is
 # used by spamassassin to evaluate the mail for spamminess.
 
-tools/editconf.py /etc/opendmarc.conf -s \
+management/editconf.py /etc/opendmarc.conf -s \
         "SPFIgnoreResults=true"
 
 # SPFSelfValidate causes the filter to perform a fallback SPF check itself
@@ -78,7 +78,7 @@ tools/editconf.py /etc/opendmarc.conf -s \
 # the SPF check itself when this is set. This added header is used by
 # spamassassin to evaluate the mail for spamminess.
 
-tools/editconf.py /etc/opendmarc.conf -s \
+management/editconf.py /etc/opendmarc.conf -s \
         "SPFSelfValidate=true"
 
 # AlwaysAddARHeader Adds an "Authentication-Results:" header field even to
@@ -87,7 +87,7 @@ tools/editconf.py /etc/opendmarc.conf -s \
 # domains does not cause the results header field to be added. This added header
 # is used by spamassassin to evaluate the mail for spamminess.
 
-tools/editconf.py /etc/opendkim.conf -s \
+management/editconf.py /etc/opendkim.conf -s \
         "AlwaysAddARHeader=true"
 
 # Add OpenDKIM and OpenDMARC as milters to postfix, which is how OpenDKIM
@@ -102,7 +102,7 @@ tools/editconf.py /etc/opendkim.conf -s \
 # The OpenDMARC milter is skipped in the SMTP submission listener by
 # configuring smtpd_milters there to only list the OpenDKIM milter
 # (see mail-postfix.sh).
-tools/editconf.py /etc/postfix/main.cf \
+management/editconf.py /etc/postfix/main.cf \
 	"smtpd_milters=inet:127.0.0.1:8891 inet:127.0.0.1:8893"\
 	non_smtpd_milters=\$smtpd_milters \
 	milter_default_action=accept

setup/dns.sh

@@ -16,11 +16,15 @@ source /etc/mailinabox.conf # load global vars
 # * ldnsutils: Helper utilities for signing DNSSEC zones.
 # * openssh-client: Provides ssh-keyscan which we use to create SSHFP records.
 echo "Installing nsd (DNS server)..."
-apt_install nsd ldnsutils openssh-client
+apt_install ldnsutils openssh-client
 
 # Prepare nsd's configuration.
 
 mkdir -p /var/run/nsd
+mkdir -p /etc/nsd
+mkdir -p /etc/nsd/zones
+touch /etc/nsd/zones.conf
+touch /etc/nsd/nsd.conf
 
 cat > /etc/nsd/nsd.conf << EOF;
 # Do not edit. Overwritten by Mail-in-a-Box setup.
@@ -64,6 +68,9 @@ done
 
 echo "include: /etc/nsd/zones.conf" >> /etc/nsd/nsd.conf;
 
+# Attempting a late install of nsd (after configuration)
+apt_install nsd
+
 # Create DNSSEC signing keys.
 
 mkdir -p "$STORAGE_ROOT/dns/dnssec";

setup/functions.sh

@@ -221,3 +221,7 @@ function git_clone {
 	mv $TMPPATH/$SUBDIR $TARGETPATH
 	rm -rf $TMPPATH
 }
+
+function php_version {
+	php --version | head -n 1 | cut -d " " -f 2 | cut -c 1-3
+}

setup/mail-dovecot.sh

@@ -44,7 +44,7 @@ apt_install \
 # See here for discussion:
 # - https://www.dovecot.org/list/dovecot/2012-August/137569.html
 # - https://www.dovecot.org/list/dovecot/2011-December/132455.html
-tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
+management/editconf.py /etc/dovecot/conf.d/10-master.conf \
 	default_process_limit=$(echo "`nproc` * 250" | bc) \
 	default_vsz_limit=$(echo "`free -tm  | tail -1 | awk '{print $2}'` / 3" | bc)M \
 	log_path=/var/log/mail.log
@@ -54,13 +54,13 @@ tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
 # See http://www.dovecot.org/pipermail/dovecot/2013-March/088834.html.
 # A reboot is required for this to take effect (which we don't do as
 # as a part of setup). Test with `cat /proc/sys/fs/inotify/max_user_instances`.
-tools/editconf.py /etc/sysctl.conf \
+management/editconf.py /etc/sysctl.conf \
 	fs.inotify.max_user_instances=1024
 
 # Set the location where we'll store user mailboxes. '%d' is the domain name and '%n' is the
 # username part of the user's email address. We'll ensure that no bad domains or email addresses
 # are created within the management daemon.
-tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
+management/editconf.py /etc/dovecot/conf.d/10-mail.conf \
 	mail_location=maildir:$STORAGE_ROOT/mail/mailboxes/%d/%n \
 	mail_privileged_group=mail \
 	first_valid_uid=0
@@ -73,14 +73,14 @@ cp conf/dovecot-mailboxes.conf /etc/dovecot/conf.d/15-mailboxes.conf
 # Require that passwords are sent over SSL only, and allow the usual IMAP authentication mechanisms.
 # The LOGIN mechanism is supposedly for Microsoft products like Outlook to do SMTP login (I guess
 # since we're using Dovecot to handle SMTP authentication?).
-tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
+management/editconf.py /etc/dovecot/conf.d/10-auth.conf \
 	disable_plaintext_auth=yes \
 	"auth_mechanisms=plain login"
 
 # Enable SSL, specify the location of the SSL certificate and private key files.
 # Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.2.33&config=intermediate&openssl-version=1.1.1,
 # except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2.
-tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
+management/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 	ssl=required \
 	"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 	"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
@@ -102,14 +102,14 @@ sed -i "s/#port = 110/port = 0/" /etc/dovecot/conf.d/10-master.conf
 # The risk is that if the connection is silent for too long it might be reset
 # by a peer. See [#129](https://github.com/mail-in-a-box/mailinabox/issues/129)
 # and [How bad is IMAP IDLE](http://razor.occams.info/blog/2014/08/09/how-bad-is-imap-idle/).
-tools/editconf.py /etc/dovecot/conf.d/20-imap.conf \
+management/editconf.py /etc/dovecot/conf.d/20-imap.conf \
 	imap_idle_notify_interval="4 mins"
 
 # Set POP3 UIDL.
 # UIDLs are used by POP3 clients to keep track of what messages they've downloaded.
 # For new POP3 servers, the easiest way to set up UIDLs is to use IMAP's UIDVALIDITY
 # and UID values, the default in Dovecot.
-tools/editconf.py /etc/dovecot/conf.d/20-pop3.conf \
+management/editconf.py /etc/dovecot/conf.d/20-pop3.conf \
 	pop3_uidl_format="%08Xu%08Xv"
 
 # ### LDA (LMTP)
@@ -150,7 +150,7 @@ EOF
 
 # Setting a `postmaster_address` is required or LMTP won't start. An alias
 # will be created automatically by our management daemon.
-tools/editconf.py /etc/dovecot/conf.d/15-lda.conf \
+management/editconf.py /etc/dovecot/conf.d/15-lda.conf \
 	postmaster_address=postmaster@$PRIMARY_HOSTNAME
 
 # ### Sieve

setup/mail-postfix.sh

@@ -53,18 +53,18 @@ apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates
 # * Set our name (the Debian default seems to be "localhost" but make it our hostname).
 # * Set the name of the local machine to localhost, which means xxx@localhost is delivered locally, although we don't use it.
 # * Set the SMTP banner (which must have the hostname first, then anything).
-tools/editconf.py /etc/postfix/main.cf \
+management/editconf.py /etc/postfix/main.cf \
 	inet_interfaces=all \
 	smtp_bind_address=$PRIVATE_IP \
 	smtp_bind_address6=$PRIVATE_IPV6 \
 	myhostname=$PRIMARY_HOSTNAME\
-	smtpd_banner="\$myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)" \
+	smtpd_banner="\$myhostname ESMTP Hi, I'm a Power Mail-in-a-Box (Debian/Postfix)" \
 	mydestination=localhost
 
 # Tweak some queue settings:
 # * Inform users when their e-mail delivery is delayed more than 3 hours (default is not to warn).
 # * Stop trying to send an undeliverable e-mail after 2 days (instead of 5), and for bounce messages just try for 1 day.
-tools/editconf.py /etc/postfix/main.cf \
+management/editconf.py /etc/postfix/main.cf \
 	delay_warning_time=3h \
 	maximal_queue_lifetime=2d \
 	bounce_queue_lifetime=1d
@@ -86,7 +86,7 @@ tools/editconf.py /etc/postfix/main.cf \
 #   that filters out privacy-sensitive headers on mail being sent out by
 #   authenticated users.  By default Postfix also applies this to attached
 #   emails but we turn this off by setting nested_header_checks empty.
-tools/editconf.py /etc/postfix/master.cf -s -w \
+management/editconf.py /etc/postfix/master.cf -s -w \
 	"submission=inet n       -       -       -       -       smtpd
 	  -o smtpd_sasl_auth_enable=yes
 	  -o syslog_name=postfix/submission
@@ -100,7 +100,7 @@ tools/editconf.py /etc/postfix/master.cf -s -w \
 # Install the `outgoing_mail_header_filters` file required by the new 'authclean' service.
 cp conf/postfix_outgoing_mail_header_filters /etc/postfix/outgoing_mail_header_filters
 
-# Modify the `outgoing_mail_header_filters` file to use the local machine name and ip 
+# Modify the `outgoing_mail_header_filters` file to use the local machine name and ip
 # on the first received header line.  This may help reduce the spam score of email by
 # removing the 127.0.0.1 reference.
 sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /etc/postfix/outgoing_mail_header_filters
@@ -120,7 +120,7 @@ sed -i "s/PUBLIC_IP/$PUBLIC_IP/" /etc/postfix/outgoing_mail_header_filters
 # For port 587 (via the 'mandatory' settings):
 # * Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1
 #   using and overriding the "high" cipher list so we don't conflict with the more permissive settings for port 25.
-tools/editconf.py /etc/postfix/main.cf \
+management/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_security_level=may\
 	smtpd_tls_auth_only=yes \
 	smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
@@ -144,7 +144,7 @@ tools/editconf.py /etc/postfix/main.cf \
 # * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587).
 # * `permit_mynetworks`: Mail that originates locally.
 # * `reject_unauth_destination`: No one else. (Permits mail whose destination is local and rejects other mail.)
-tools/editconf.py /etc/postfix/main.cf \
+management/editconf.py /etc/postfix/main.cf \
 	smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
 
 
@@ -172,7 +172,7 @@ tools/editconf.py /etc/postfix/main.cf \
 # which we don't care about seeing because Postfix is doing opportunistic TLS anyway. Better to encrypt,
 # even if we don't know if it's to the right party, than to not encrypt at all. Instead we'll
 # now see notices about trusted certs. The CA file is provided by the package `ca-certificates`.
-tools/editconf.py /etc/postfix/main.cf \
+management/editconf.py /etc/postfix/main.cf \
 	smtp_tls_protocols=\!SSLv2,\!SSLv3 \
 	smtp_tls_ciphers=medium \
 	smtp_tls_exclude_ciphers=aNULL,RC4 \
@@ -191,10 +191,10 @@ tools/editconf.py /etc/postfix/main.cf \
 #
 # In a basic setup we would pass mail directly to Dovecot by setting
 # virtual_transport to `lmtp:unix:private/dovecot-lmtp`.
-tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025
+management/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025
 # Because of a spampd bug, limit the number of recipients in each connection.
 # See https://github.com/mail-in-a-box/mailinabox/issues/1523.
-tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
+management/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
 
 
 # Who can send mail to us? Some basic filters.
@@ -214,7 +214,7 @@ tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
 # so these IPs get mail delivered quickly. But when an IP is not listed in the permit_dnswl_client list (i.e. it is not #NODOC
 # whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC
 # "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
-tools/editconf.py /etc/postfix/main.cf \
+management/editconf.py /etc/postfix/main.cf \
 	smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
 	smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org",reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
 
@@ -225,7 +225,7 @@ tools/editconf.py /etc/postfix/main.cf \
 # other MTA have their own intervals. To fix the problem of receiving
 # e-mails really latter, delay of greylisting has been set to
 # 180 seconds (default is 300 seconds).
-tools/editconf.py /etc/default/postgrey \
+management/editconf.py /etc/default/postgrey \
 	POSTGREY_OPTS=\"'--inet=127.0.0.1:10023 --delay=180'\"
 
 
@@ -257,9 +257,22 @@ chmod +x /etc/cron.daily/mailinabox-postgrey-whitelist
 
 # Increase the message size limit from 10MB to 128MB.
 # The same limit is specified in nginx.conf for mail submitted via webmail and Z-Push.
-tools/editconf.py /etc/postfix/main.cf \
+management/editconf.py /etc/postfix/main.cf \
 	message_size_limit=134217728
 
+# Store default configurations for SMTP relays:
+management/editconf.py /etc/postfix/main.cf \
+	smtp_sasl_auth_enable=no \
+	smtp_sasl_password_maps="hash:/etc/postfix/sasl_passwd" \
+	smtp_sasl_security_options=anonymous \
+	smtp_sasl_tls_security_options=anonymous \
+	smtp_tls_security_level=encrypt \
+	header_size_limit=4096000
+
+touch /etc/postfix/sasl_passwd
+chmod 600 /etc/postfix/sasl_passwd
+postmap /etc/postfix/sasl_passwd
+
 # Allow the two SMTP ports in the firewall.
 
 ufw_allow smtp

setup/mail-users.sh

@@ -71,7 +71,7 @@ EOF
 # does not run DKIM on relayed mail, so outbound mail isn't
 # correct, see #830), but we enable it specifically for the
 # submission port.
-tools/editconf.py /etc/postfix/main.cf \
+management/editconf.py /etc/postfix/main.cf \
 	smtpd_sasl_type=dovecot \
 	smtpd_sasl_path=private/auth \
 	smtpd_sasl_auth_enable=no
@@ -84,7 +84,7 @@ tools/editconf.py /etc/postfix/main.cf \
 # address (aka envelope or return path address) must be "owned" by the user
 # who authenticated. An SQL query will find who are the owners of any given
 # address.
-tools/editconf.py /etc/postfix/main.cf \
+management/editconf.py /etc/postfix/main.cf \
 	smtpd_sender_login_maps=sqlite:/etc/postfix/sender-login-maps.cf
 
 # Postfix will query the exact address first, where the priority will be alias
@@ -101,7 +101,7 @@ EOF
 
 # Use a Sqlite3 database to check whether a destination email address exists,
 # and to perform any email alias rewrites in Postfix.
-tools/editconf.py /etc/postfix/main.cf \
+management/editconf.py /etc/postfix/main.cf \
 	virtual_mailbox_domains=sqlite:/etc/postfix/virtual-mailbox-domains.cf \
 	virtual_mailbox_maps=sqlite:/etc/postfix/virtual-mailbox-maps.cf \
 	virtual_alias_maps=sqlite:/etc/postfix/virtual-alias-maps.cf \

setup/management.sh

@@ -25,7 +25,7 @@ done
 #
 # certbot installs EFF's certbot which we use to
 # provision free TLS certificates.
-apt_install duplicity python-pip virtualenv certbot
+apt_install duplicity python3-pip virtualenv certbot
 
 # boto is used for amazon aws backups.
 # Both are installed outside the pipenv, so they can be used by duplicity
@@ -69,22 +69,32 @@ rm -rf $assets_dir
 mkdir -p $assets_dir
 
 # jQuery CDN URL
-jquery_version=2.1.4
+jquery_version=3.5.1
 jquery_url=https://code.jquery.com
 
 # Get jQuery
-wget_verify $jquery_url/jquery-$jquery_version.min.js 43dc554608df885a59ddeece1598c6ace434d747 $assets_dir/jquery.min.js
+wget_verify $jquery_url/jquery-$jquery_version.min.js c8e1c8b386dc5b7a9184c763c88d19a346eb3342 $assets_dir/jquery.min.js
 
 # Bootstrap CDN URL
-bootstrap_version=3.3.7
+bootstrap_version=4.6.0
 bootstrap_url=https://github.com/twbs/bootstrap/releases/download/v$bootstrap_version/bootstrap-$bootstrap_version-dist.zip
 
 # Get Bootstrap
-wget_verify $bootstrap_url e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a /tmp/bootstrap.zip
+wget_verify $bootstrap_url a1d385dc33cb415512d2f38215a554c4380dac2d /tmp/bootstrap.zip
 unzip -q /tmp/bootstrap.zip -d $assets_dir
 mv $assets_dir/bootstrap-$bootstrap_version-dist $assets_dir/bootstrap
 rm -f /tmp/bootstrap.zip
 
+# FontAwesome CDN URL
+fontawesome_version=5.15.2
+fontawesome_url=https://github.com/FortAwesome/Font-Awesome/releases/download/$fontawesome_version/fontawesome-free-$fontawesome_version-web.zip
+
+# Get FontAwesome
+wget_verify $fontawesome_url 2f0b3f88500238fa0be798d628a3e68c5784f165 /tmp/fontawesome.zip
+unzip -q /tmp/fontawesome.zip -d $assets_dir
+mv $assets_dir/fontawesome-free-$fontawesome_version-web $assets_dir/fontawesome
+rm -f /tmp/fontawesome.zip
+
 # Create an init script to start the management daemon and keep it
 # running after a reboot.
 cat > $inst_dir/start <<EOF;
@@ -116,3 +126,14 @@ EOF
 
 # Start the management server.
 restart_service mailinabox
+
+# FOR DEVELOPMENT PURPOSES ONLY:
+# If there is a CA certificate in the folder, install it.
+# MIAB will only accept a manual certificate installation
+# if it is signed by a CA trusted by it.
+if [[ -f mailinabox-ca.crt ]]; then
+    echo "Custom CA certificate detected. Installing..."
+    rm -f /usr/local/share/ca-certificates/mailinabox-ca.crt
+    cp mailinabox-ca.crt /usr/local/share/ca-certificates/
+    update-ca-certificates --fresh
+fi

setup/munin.sh

@@ -39,7 +39,7 @@ chown munin. /var/log/munin/munin-cgi-graph.log
 
 # ensure munin-node knows the name of this machine
 # and reduce logging level to warning
-tools/editconf.py /etc/munin/munin-node.conf -s \
+management/editconf.py /etc/munin/munin-node.conf -s \
 	host_name=$PRIMARY_HOSTNAME \
 	log_level=1
 

setup/nextcloud.sh

@@ -31,8 +31,8 @@ InstallNextcloud() {
 	echo "Upgrading to Nextcloud version $version"
 	echo
 
-        # Download and verify
-        wget_verify https://download.nextcloud.com/server/releases/nextcloud-$version.zip $hash /tmp/nextcloud.zip
+	# Download and verify
+	wget_verify https://download.nextcloud.com/server/releases/nextcloud-$version.zip $hash /tmp/nextcloud.zip
 
 	# Remove the current owncloud/Nextcloud
 	rm -rf /usr/local/lib/owncloud
@@ -97,12 +97,12 @@ InstallNextcloud() {
 }
 
 # Nextcloud Version to install. Checks are done down below to step through intermediate versions.
-nextcloud_ver=20.0.1
-nextcloud_hash=f2b3faa570c541df73f209e873a1c2852e79eab8
-contacts_ver=3.4.1
-contacts_hash=aee680a75e95f26d9285efd3c1e25cf7f3bfd27e
-calendar_ver=2.1.2
-calendar_hash=930c07863bb7a65652dec34793802c8d80502336
+nextcloud_ver=20.0.6
+nextcloud_hash=3c0e6ffbbcb125be282098253793ee6cf07658ba
+contacts_ver=3.4.3
+contacts_hash=e21488cd8608f876517e00d0b36b21c0f2dbaf50
+calendar_ver=2.1.3
+calendar_hash=d7d9db0e55ff1c9c2a2356e8980a8d9fce3fc4a0
 user_external_ver=1.0.0
 user_external_hash=3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
 
@@ -124,7 +124,7 @@ fi
 if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextcloud_ver ]]; then
 
 	# Stop php-fpm if running. If theyre not running (which happens on a previously failed install), dont bail.
-	service php7.2-fpm stop &> /dev/null || /bin/true
+	service php$(php_version)-fpm stop &> /dev/null || /bin/true
 
 	# Backup the existing ownCloud/Nextcloud.
 	# Create a backup directory to store the current installation and database to
@@ -316,7 +316,7 @@ sudo -u www-data php /usr/local/lib/owncloud/occ app:disable photos dashboard ac
 
 # Set PHP FPM values to support large file uploads
 # (semicolon is the comment character in this file, hashes produce deprecation warnings)
-tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
+management/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \
 	upload_max_filesize=16G \
 	post_max_size=16G \
 	output_buffering=16384 \
@@ -325,7 +325,7 @@ tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
 	short_open_tag=On
 
 # Set Nextcloud recommended opcache settings
-tools/editconf.py /etc/php/7.2/cli/conf.d/10-opcache.ini -c ';' \
+management/editconf.py /etc/php/$(php_version)/cli/conf.d/10-opcache.ini -c ';' \
 	opcache.enable=1 \
 	opcache.enable_cli=1 \
 	opcache.interned_strings_buffer=8 \
@@ -335,8 +335,8 @@ tools/editconf.py /etc/php/7.2/cli/conf.d/10-opcache.ini -c ';' \
 	opcache.revalidate_freq=1
 
 # If apc is explicitly disabled we need to enable it
-if grep -q apc.enabled=0 /etc/php/7.2/mods-available/apcu.ini; then
-	tools/editconf.py /etc/php/7.2/mods-available/apcu.ini -c ';' \
+if grep -q apc.enabled=0 /etc/php/$(php_version)/mods-available/apcu.ini; then
+	management/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \
 		apc.enabled=1
 fi
 
@@ -361,4 +361,4 @@ rm -f /etc/cron.hourly/mailinabox-owncloud
 # ```
 
 # Enable PHP modules and restart PHP.
-restart_service php7.2-fpm
+restart_service php$(php_version)-fpm

setup/preflight.sh

@@ -7,9 +7,10 @@ if [[ $EUID -ne 0 ]]; then
 	exit 1
 fi
 
-# Check that we are running on Ubuntu 18.04 LTS (or 18.04.xx).
-if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" != "Ubuntu 18.04 LTS" ]; then
-	echo "Mail-in-a-Box only supports being installed on Ubuntu 18.04, sorry. You are running:"
+# Check that we are running on Debian GNU/Linux, or Ubuntu 20.04
+OS=`lsb_release -d | sed 's/.*:\s*//'`
+if [ "$OS" != "Debian GNU/Linux 10 (buster)" -a "$(echo $OS | grep -o 'Ubuntu 20.04')" != "Ubuntu 20.04" ]; then
+	echo "Mail-in-a-Box only supports being installed on Debian 10 or Ubuntu 20.04 LTS, sorry. You are running:"
 	echo
 	lsb_release -d | sed 's/.*:\s*//'
 	echo

setup/questions.sh

@@ -9,7 +9,7 @@ if [ -z "${NONINTERACTIVE:-}" ]; then
 	if [ ! -f /usr/bin/dialog ] || [ ! -f /usr/bin/python3 ] || [ ! -f /usr/bin/pip3 ]; then
 		echo Installing packages needed for setup...
 		apt-get -q -q update
-		apt_get_quiet install dialog python3 python3-pip  || exit 1
+		apt_get_quiet install dialog file python3 python3-pip  || exit 1
 	fi
 
 	# Installing email_validator is repeated in setup/management.sh, but in setup/management.sh
@@ -18,10 +18,10 @@ if [ -z "${NONINTERACTIVE:-}" ]; then
 	hide_output pip3 install "email_validator>=1.0.0" || exit 1
 
 	message_box "Mail-in-a-Box Installation" \
-		"Hello and thanks for deploying a Mail-in-a-Box!
+		"Hello and thanks for deploying a (Power) Mail-in-a-Box!
 		\n\nI'm going to ask you a few questions.
 		\n\nTo change your answers later, just run 'sudo mailinabox' from the command line.
-		\n\nNOTE: You should only install this on a brand new Ubuntu installation 100% dedicated to Mail-in-a-Box. Mail-in-a-Box will, for example, remove apache2."
+		\n\nNOTE: You should only install this on a brand new Debian/Ubuntu installation 100% dedicated to Mail-in-a-Box. Mail-in-a-Box will, for example, remove apache2."
 fi
 
 # The box needs a name.
@@ -207,6 +207,6 @@ if [ "$PRIVATE_IPV6" != "$PUBLIC_IPV6" ]; then
 	echo "Private IPv6 Address: $PRIVATE_IPV6"
 fi
 if [ -f /usr/bin/git ] && [ -d .git ]; then
-	echo "Mail-in-a-Box Version: " $(git describe)
+	echo "Mail-in-a-Box Version: " $(git describe --tags)
 fi
 echo

setup/spamassassin.sh

@@ -23,7 +23,7 @@ echo "Installing SpamAssassin..."
 apt_install spampd razor pyzor dovecot-antispam libmail-dkim-perl
 
 # Allow spamassassin to download new rules.
-tools/editconf.py /etc/default/spamassassin \
+management/editconf.py /etc/default/spamassassin \
 	CRON=1
 
 # Configure pyzor, which is a client to a live database of hashes of
@@ -34,7 +34,7 @@ tools/editconf.py /etc/default/spamassassin \
 # we can skip 'pyzor discover', both of which are currently broken by
 # something happening on Sourceforge (#496).
 rm -rf ~/.pyzor
-tools/editconf.py /etc/spamassassin/local.cf -s \
+management/editconf.py /etc/spamassassin/local.cf -s \
 	pyzor_options="--homedir /etc/spamassassin/pyzor"
 mkdir -p /etc/spamassassin/pyzor
 echo "public.pyzor.org:24441" > /etc/spamassassin/pyzor/servers
@@ -46,7 +46,7 @@ echo "public.pyzor.org:24441" > /etc/spamassassin/pyzor/servers
 # * Increase the maximum message size of scanned messages from the default of 64KB to 500KB, which
 #   is Spamassassin (spamc)'s own default. Specified in KBytes.
 # * Disable localmode so Pyzor, DKIM and DNS checks can be used.
-tools/editconf.py /etc/default/spampd \
+management/editconf.py /etc/default/spampd \
 	DESTPORT=10026 \
 	ADDOPTS="\"--maxsize=2000\"" \
 	LOCALONLY=0
@@ -62,7 +62,7 @@ tools/editconf.py /etc/default/spampd \
 #
 # Tell Spamassassin not to modify the original message except for adding
 # the X-Spam-Status & X-Spam-Score mail headers and related headers.
-tools/editconf.py /etc/spamassassin/local.cf -s \
+management/editconf.py /etc/spamassassin/local.cf -s \
 	report_safe=0 \
 	"add_header all Report"=_REPORT_ \
 	"add_header all Score"=_SCORE_
@@ -134,7 +134,7 @@ EOF
 # Spamassassin will change the access rights back to the defaults, so we must also configure
 # the filemode in the config file.
 
-tools/editconf.py /etc/spamassassin/local.cf -s \
+management/editconf.py /etc/spamassassin/local.cf -s \
 	bayes_path=$STORAGE_ROOT/mail/spamassassin/bayes \
 	bayes_file_mode=0666
 
@@ -166,7 +166,7 @@ EOF
 # Have Dovecot run its mail process with a supplementary group (the spampd group)
 # so that it can access the learning files.
 
-tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
+management/editconf.py /etc/dovecot/conf.d/10-mail.conf \
 	mail_access_groups=spampd
 
 # Here's the script that the antispam plugin executes. It spools the message into

setup/start.sh

@@ -14,9 +14,14 @@ source setup/preflight.sh
 # Python may not be able to read/write files. This is also
 # in the management daemon startup script and the cron script.
 
+# Make sure we have locales at all (some images are THAT minimal)
+apt_get_quiet install locales
+
 if ! locale -a | grep en_US.utf8 > /dev/null; then
+	echo "Generating locales..."
     # Generate locale if not exists
-    hide_output locale-gen en_US.UTF-8
+	echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
+    hide_output locale-gen
 fi
 
 export LANGUAGE=en_US.UTF-8

setup/system.sh

@@ -75,26 +75,7 @@ then
 	fi
 fi
 
-# ### Add PPAs.
-
-# We install some non-standard Ubuntu packages maintained by other
-# third-party providers. First ensure add-apt-repository is installed.
-
-if [ ! -f /usr/bin/add-apt-repository ]; then
-	echo "Installing add-apt-repository..."
-	hide_output apt-get update
-	apt_install software-properties-common
-fi
-
-# Ensure the universe repository is enabled since some of our packages
-# come from there and minimal Ubuntu installs may have it turned off.
-hide_output add-apt-repository -y universe
-
-# Install the certbot PPA.
-hide_output add-apt-repository -y ppa:certbot/certbot
-
-# Install the duplicity PPA.
-hide_output add-apt-repository -y ppa:duplicity-team/duplicity-release-git
+# Certbot doesn't require a PPA in Debian
 
 # ### Update Packages
 
@@ -140,7 +121,7 @@ apt_install python3 python3-dev python3-pip \
 # When Ubuntu 20 comes out, we don't want users to be prompted to upgrade,
 # because we don't yet support it.
 if [ -f /etc/update-manager/release-upgrades ]; then
-	tools/editconf.py /etc/update-manager/release-upgrades Prompt=never
+	management/editconf.py /etc/update-manager/release-upgrades Prompt=never
 	rm -f /var/lib/ubuntu-release-upgrader/release-upgrade-available
 fi
 
@@ -324,7 +305,8 @@ fi #NODOC
 #  	If more queries than specified are sent, bind9 returns SERVFAIL. After flushing the cache during system checks,
 #	we ran into the limit thus we are increasing it from 75 (default value) to 100.
 apt_install bind9
-tools/editconf.py /etc/default/bind9 \
+touch /etc/default/bind9
+management/editconf.py /etc/default/bind9 \
 	"OPTIONS=\"-u bind -4\""
 if ! grep -q "listen-on " /etc/bind/named.conf.options; then
 	# Add a listen-on directive if it doesn't exist inside the options block.
@@ -342,7 +324,7 @@ fi
 # installing bind9 or else apt won't be able to resolve a server to
 # download bind9 from.
 rm -f /etc/resolv.conf
-tools/editconf.py /etc/systemd/resolved.conf DNSStubListener=no
+management/editconf.py /etc/systemd/resolved.conf DNSStubListener=no
 echo "nameserver 127.0.0.1" > /etc/resolv.conf
 
 # Restart the DNS services.

setup/web.sh

@@ -41,20 +41,20 @@ sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
 #
 # Drop TLSv1.0, TLSv1.1, following the Mozilla "Intermediate" recommendations
 # at https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate&openssl-version=1.1.1.
-tools/editconf.py /etc/nginx/nginx.conf -s \
+management/editconf.py /etc/nginx/nginx.conf -s \
 	server_names_hash_bucket_size="128;" \
 	ssl_protocols="TLSv1.2 TLSv1.3;"
 
 # Tell PHP not to expose its version number in the X-Powered-By header.
-tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
+management/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \
 	expose_php=Off
 
 # Set PHPs default charset to UTF-8, since we use it. See #367.
-tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
+management/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \
         default_charset="UTF-8"
 
 # Configure the path environment for php-fpm
-tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+management/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \
 	env[PATH]=/usr/local/bin:/usr/bin:/bin \
 
 # Configure php-fpm based on the amount of memory the machine has
@@ -64,7 +64,7 @@ tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)
 if [ $TOTAL_PHYSICAL_MEM -lt 1000000 ]
 then
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        management/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \
                 pm=ondemand \
                 pm.max_children=8 \
                 pm.start_servers=2 \
@@ -72,7 +72,7 @@ then
                 pm.max_spare_servers=3
 elif [ $TOTAL_PHYSICAL_MEM -lt 2000000 ]
 then
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        management/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \
                 pm=ondemand \
                 pm.max_children=16 \
                 pm.start_servers=4 \
@@ -80,14 +80,14 @@ then
                 pm.max_spare_servers=6
 elif [ $TOTAL_PHYSICAL_MEM -lt 3000000 ]
 then
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        management/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \
                 pm=dynamic \
                 pm.max_children=60 \
                 pm.start_servers=6 \
                 pm.min_spare_servers=3 \
                 pm.max_spare_servers=9
 else
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        management/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \
                 pm=dynamic \
                 pm.max_children=120 \
                 pm.start_servers=12 \
@@ -147,7 +147,7 @@ chown -R $STORAGE_USER $STORAGE_ROOT/www
 
 # Start services.
 restart_service nginx
-restart_service php7.2-fpm
+restart_service php$(php_version)-fpm
 
 # Open ports.
 ufw_allow http

setup/webmail.sh

@@ -168,7 +168,7 @@ sudo -u www-data touch /var/log/roundcubemail/errors.log
 cp ${RCM_PLUGIN_DIR}/password/config.inc.php.dist \
 	${RCM_PLUGIN_DIR}/password/config.inc.php
 
-tools/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php \
+management/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php \
 	"\$config['password_minimum_length']=8;" \
 	"\$config['password_db_dsn']='sqlite:///$STORAGE_ROOT/mail/users.sqlite';" \
 	"\$config['password_query']='UPDATE users SET password=%D WHERE email=%u';" \
@@ -198,4 +198,4 @@ chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 
 # Enable PHP modules.
 phpenmod -v php mcrypt imap
-restart_service php7.2-fpm
+restart_service php$(php_version)-fpm

setup/zpush.sh

@@ -102,7 +102,7 @@ EOF
 
 # Restart service.
 
-restart_service php7.2-fpm
+restart_service php$(php_version)-fpm
 
 # Fix states after upgrade