Merge branch 'master' into management-memory-usage

setup/mail-dovecot.sh

@@ -88,18 +88,19 @@ sed -i "s/#port = 110/port = 0/" /etc/dovecot/conf.d/10-master.conf
 # this are minimal. But for good measure, let's go to 4 minutes to halve the
 # bandwidth and number of times the device's networking might be woken up.
 # The risk is that if the connection is silent for too long it might be reset
-# by a peer. See #129 and http://razor.occams.info/blog/2014/08/09/how-bad-is-imap-idle/.
+# by a peer. See [#129](https://github.com/mail-in-a-box/mailinabox/issues/129)
+# and [How bad is IMAP IDLE](http://razor.occams.info/blog/2014/08/09/how-bad-is-imap-idle/).
 tools/editconf.py /etc/dovecot/conf.d/20-imap.conf \
 	imap_idle_notify_interval="4 mins"
 
-# Set POP3 UIDL
-# UIDLs are used by POP3 clients to keep track of what messages they've downloaded. 
+# Set POP3 UIDL.
+# UIDLs are used by POP3 clients to keep track of what messages they've downloaded.
 # For new POP3 servers, the easiest way to set up UIDLs is to use IMAP's UIDVALIDITY
 # and UID values, the default in Dovecot.
 tools/editconf.py /etc/dovecot/conf.d/20-pop3.conf \
 	pop3_uidl_format="%08Xu%08Xv"
 
-# Full Text Search - Enable full text search of mail using dovecot's lucene plugin, 
+# Full Text Search - Enable full text search of mail using dovecot's lucene plugin,
 # which *we* package and distribute (dovecot-lucene package).
 tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
 	mail_plugins="\$mail_plugins fts fts_lucene"

setup/management.sh

@@ -4,13 +4,14 @@ source setup/functions.sh
 
 echo "Installing Mail-in-a-Box system management daemon..."
 
-# build-essential libssl-dev libffi-dev python3-dev: Required to pip install cryptography.
-apt_install python3-flask links duplicity libyaml-dev python3-dnspython python3-dateutil \
-	build-essential libssl-dev libffi-dev python3-dev python-pip
-hide_output pip3 install --upgrade rtyaml "email_validator>=1.0.0" "idna>=2.0.0" "cryptography>=1.0.2" boto psutil
+# Switching python 2 boto to package manager's, not pypi's.
+if [ -f /usr/local/lib/python2.7/dist-packages/boto/__init__.py ]; then hide_output pip uninstall -y boto; fi
 
 # duplicity uses python 2 so we need to use the python 2 package of boto
-hide_output pip install --upgrade boto
+# build-essential libssl-dev libffi-dev python3-dev: Required to pip install cryptography.
+apt_install python3-flask links duplicity python-boto libyaml-dev python3-dnspython python3-dateutil \
+	build-essential libssl-dev libffi-dev python3-dev python-pip
+hide_output pip3 install --upgrade rtyaml "email_validator>=1.0.0" "idna>=2.0.0" "cryptography>=1.0.2" boto psutil
 
 # email_validator is repeated in setup/questions.sh
 

setup/migrate.py

@@ -111,6 +111,32 @@ def migration_9(env):
 	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
 	shell("check_call", ["sqlite3", db, "ALTER TABLE aliases ADD permitted_senders TEXT"])
 
+def migration_10(env):
+	# Clean up the SSL certificates directory.
+
+	# Move the primary certificate to a new name and then
+	# symlink it to the system certificate path.
+	import datetime
+	system_certificate = os.path.join(env["STORAGE_ROOT"], 'ssl/ssl_certificate.pem')
+	if not os.path.islink(system_certificate): # not already a symlink
+		new_path = os.path.join(env["STORAGE_ROOT"], 'ssl', env['PRIMARY_HOSTNAME'] + "-" + datetime.datetime.now().date().isoformat().replace("-", "") + ".pem")
+		print("Renamed", system_certificate, "to", new_path, "and created a symlink for the original location.")
+		shutil.move(system_certificate, new_path)
+		os.symlink(new_path, system_certificate)
+
+	# Flatten the directory structure. For any directory
+	# that contains a single file named ssl_certificate.pem,
+	# move the file out and name it the same as the directory,
+	# and remove the directory.
+	for sslcert in glob.glob(os.path.join( env["STORAGE_ROOT"], 'ssl/*/ssl_certificate.pem' )):
+		d = os.path.dirname(sslcert)
+		if len(os.listdir(d)) == 1:
+			# This certificate is the only file in that directory.
+			newname = os.path.join(env["STORAGE_ROOT"], 'ssl', os.path.basename(d) + '.pem')
+			if not os.path.exists(newname):
+				shutil.move(sslcert, newname)
+				os.rmdir(d)
+
 def get_current_migration():
 	ver = 0
 	while True:

setup/questions.sh

@@ -207,8 +207,6 @@ if [ "$PUBLIC_IPV6" = "auto" ]; then
 	PUBLIC_IPV6=$(get_publicip_from_web_service 6 || get_default_privateip 6)
 fi
 if [ "$PRIMARY_HOSTNAME" = "auto" ]; then
-	# Use reverse DNS to get this machine's hostname. Install bind9-host early.
-	hide_output apt-get -y install bind9-host
 	PRIMARY_HOSTNAME=$(get_default_hostname)
 elif [ "$PRIMARY_HOSTNAME" = "auto-easy" ]; then
 	# Generate a probably-unique subdomain under our justtesting.email domain.

setup/ssl.sh

@@ -77,12 +77,17 @@ if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
 	  -sha256 -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PRIMARY_HOSTNAME"
 
 	# Generate the self-signed certificate.
+	CERT=$STORAGE_ROOT/ssl/$PRIMARY_HOSTNAME-selfsigned-$(date --rfc-3339=date | sed s/-//g).pem
 	hide_output \
 	openssl x509 -req -days 365 \
-	  -in $CSR -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
+	  -in $CSR -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $CERT
 
-	 # Delete the certificate signing request because it has no other purpose.
-	 rm -f $CSR
+	# Delete the certificate signing request because it has no other purpose.
+	rm -f $CSR
+
+	# Symlink the certificate into the system certificate path, so system services
+	# can find it.
+	ln -s $CERT $STORAGE_ROOT/ssl/ssl_certificate.pem
 fi
 
 # Generate some Diffie-Hellman cipher bits.

setup/system.sh

@@ -1,3 +1,4 @@
+source /etc/mailinabox.conf
 source setup/functions.sh # load our functions
 
 # Basic System Configuration
@@ -11,12 +12,9 @@ source setup/functions.sh # load our functions
 # text search plugin for (and by) dovecot, which is not available in
 # Ubuntu currently.
 #
-# Add that to the system's list of repositories using add-apt-repository.
-# But add-apt-repository may not be installed. If it's not available,
-# then install it. But we have to run apt-get update before we try to
-# install anything so the package index is up to date. After adding the
-# PPA, we have to run apt-get update *again* to load the PPA's index,
-# so this must precede the apt-get update line below.
+# So, first ensure add-apt-repository is installed, then use it to install
+# the [mail-in-a-box ppa](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa).
+
 
 if [ ! -f /usr/bin/add-apt-repository ]; then
 	echo "Installing add-apt-repository..."
@@ -198,7 +196,9 @@ restart_service resolvconf
 # ### Fail2Ban Service
 
 # Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix and ssh
-cp conf/fail2ban/jail.local /etc/fail2ban/jail.local
+cat conf/fail2ban/jail.local \
+	| sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
+	> /etc/fail2ban/jail.local
 cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf
 
 restart_service fail2ban