feat: renamed PRIMARY_HOSTNAME to BOX_HOSTNAME

using "primary" to describe the domain of the box / mail server is confusing when working with multiple domains.
Usually the box domain is different from the domain you want to host your mail for.

management/daemon.py

@@ -125,7 +125,7 @@ def index():
 
 
 	return render_template('index.html',
-		hostname=env['PRIMARY_HOSTNAME'],
+		hostname=env['BOX_HOSTNAME'],
 		storage_root=env['STORAGE_ROOT'],
 
 		no_users_exist=no_users_exist,

management/dns_update.py

@@ -22,13 +22,13 @@ DOMAIN_RE = r"^(?!\-)(?:[*][.])?(?:[a-zA-Z\d\-_]{0,62}[a-zA-Z\d_]\.){1,126}(?!\d
 def get_dns_domains(env):
 	# Add all domain names in use by email users and mail aliases, any
 	# domains we serve web for (except www redirects because that would
-	# lead to infinite recursion here) and ensure PRIMARY_HOSTNAME is in the list.
+	# lead to infinite recursion here) and ensure BOX_HOSTNAME is in the list.
 	from mailconfig import get_mail_domains
 	from web_update import get_web_domains
 	domains = set()
 	domains |= set(get_mail_domains(env))
 	domains |= set(get_web_domains(env, include_www_redirects=False))
-	domains.add(env['PRIMARY_HOSTNAME'])
+	domains.add(env['BOX_HOSTNAME'])
 	return domains
 
 def get_dns_zones(env):
@@ -144,10 +144,10 @@ def build_zones(env):
 	auto_domains = web_domains - set(get_web_domains(env, include_auto=False))
 	domains |= auto_domains # www redirects not included in the initial list, see above
 
-	# Add ns1/ns2+PRIMARY_HOSTNAME which must also have A/AAAA records
+	# Add ns1/ns2+BOX_HOSTNAME which must also have A/AAAA records
 	# when the box is acting as authoritative DNS server for its domains.
 	for ns in ("ns1", "ns2"):
-		d = ns + "." + env["PRIMARY_HOSTNAME"]
+		d = ns + "." + env["BOX_HOSTNAME"]
 		domains.add(d)
 		auto_domains.add(d)
 
@@ -161,9 +161,9 @@ def build_zones(env):
 		for domain in domains
 	}
 
-	# For MTA-STS, we'll need to check if the PRIMARY_HOSTNAME certificate is
+	# For MTA-STS, we'll need to check if the BOX_HOSTNAME certificate is
 	# singned and valid. Check that now rather than repeatedly for each domain.
-	domains[env["PRIMARY_HOSTNAME"]]["certificate-is-valid"] = is_domain_cert_signed_and_valid(env["PRIMARY_HOSTNAME"], env)
+	domains[env["BOX_HOSTNAME"]]["certificate-is-valid"] = is_domain_cert_signed_and_valid(env["BOX_HOSTNAME"], env)
 
 	# Load custom records to add to zones.
 	additional_records = list(get_custom_dns_config(env))
@@ -186,19 +186,19 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
 	# 'False' in the tuple indicates these records would not be used if the zone
 	# is managed outside of the box.
 	if is_zone:
-		# Obligatory NS record to ns1.PRIMARY_HOSTNAME.
-		records.append((None,  "NS",  "ns1.%s." % env["PRIMARY_HOSTNAME"], False))
+		# Obligatory NS record to ns1.BOX_HOSTNAME.
+		records.append((None,  "NS",  "ns1.%s." % env["BOX_HOSTNAME"], False))
 
-		# NS record to ns2.PRIMARY_HOSTNAME or whatever the user overrides.
+		# NS record to ns2.BOX_HOSTNAME or whatever the user overrides.
 		# User may provide one or more additional nameservers
 		secondary_ns_list = get_secondary_dns(additional_records, mode="NS") \
-			or ["ns2." + env["PRIMARY_HOSTNAME"]]
+			or ["ns2." + env["BOX_HOSTNAME"]]
 		records.extend((None,  "NS", secondary_ns+'.', False) for secondary_ns in secondary_ns_list)
 
 
-	# In PRIMARY_HOSTNAME...
-	if domain == env["PRIMARY_HOSTNAME"]:
-		# Set the A/AAAA records. Do this early for the PRIMARY_HOSTNAME so that the user cannot override them
+	# In BOX_HOSTNAME...
+	if domain == env["BOX_HOSTNAME"]:
+		# Set the A/AAAA records. Do this early for the BOX_HOSTNAME so that the user cannot override them
 		# and we can provide different explanatory text.
 		records.append((None, "A", env["PUBLIC_IP"], "Required. Sets the IP address of the box."))
 		if env.get("PUBLIC_IPV6"): records.append((None, "AAAA", env["PUBLIC_IPV6"], "Required. Sets the IPv6 address of the box."))
@@ -281,7 +281,7 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
 	if domain_properties[domain]["mail"]:
 		# The MX record says where email for the domain should be delivered: Here!
 		if not has_rec(None, "MX", prefix="10 "):
-			records.append((None,  "MX",  "10 %s." % env["PRIMARY_HOSTNAME"], "Required. Specifies the hostname (and priority) of the machine that handles @%s mail." % domain))
+			records.append((None,  "MX",  "10 %s." % env["BOX_HOSTNAME"], "Required. Specifies the hostname (and priority) of the machine that handles @%s mail." % domain))
 
 		# SPF record: Permit the box ('mx', see above) to send mail on behalf of
 		# the domain, and no one else.
@@ -304,14 +304,14 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
 			records.append(("_dmarc", "TXT", 'v=DMARC1; p=quarantine;', "Recommended. Specifies that mail that does not originate from the box but claims to be from @%s or which does not have a valid DKIM signature is suspect and should be quarantined by the recipient's mail system." % domain))
 
 	if domain_properties[domain]["user"]:
-		# Add CardDAV/CalDAV SRV records on the non-primary hostname that points to the primary hostname
+		# Add CardDAV/CalDAV SRV records on the non-box hostname that points to the box hostname
 		# for autoconfiguration of mail clients (so only domains hosting user accounts need it).
 		# The SRV record format is priority (0, whatever), weight (0, whatever), port, service provider hostname (w/ trailing dot).
-		if domain != env["PRIMARY_HOSTNAME"]:
+		if domain != env["BOX_HOSTNAME"]:
 			for dav in ("card", "cal"):
 				qname = "_" + dav + "davs._tcp"
 				if not has_rec(qname, "SRV"):
-					records.append((qname, "SRV", "0 0 443 " + env["PRIMARY_HOSTNAME"] + ".", "Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain."))
+					records.append((qname, "SRV", "0 0 443 " + env["BOX_HOSTNAME"] + ".", "Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain."))
 
 	# If this is a domain name that there are email addresses configured for, i.e. "something@"
 	# this domain name, then the domain name is a MTA-STS (https://tools.ietf.org/html/rfc8461)
@@ -324,7 +324,7 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
 	#
 	# The policy itself is served at the "mta-sts" (no underscore) subdomain over HTTPS. Therefore
 	# the TLS certificate used by Postfix for STARTTLS must be a valid certificate for the MX
-	# domain name (PRIMARY_HOSTNAME) *and* the TLS certificate used by nginx for HTTPS on the mta-sts
+	# domain name (BOX_HOSTNAME) *and* the TLS certificate used by nginx for HTTPS on the mta-sts
 	# subdomain must be valid certificate for that domain. Do not set an MTA-STS policy if either
 	# certificate in use is not valid (e.g. because it is self-signed and a valid certificate has not
 	# yet been provisioned). Since we cannot provision a certificate without A/AAAA records, we
@@ -332,7 +332,7 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
 	# being valid certificates.
 	mta_sts_records = [ ]
 	if domain_properties[domain]["mail"] \
-	  and domain_properties[env["PRIMARY_HOSTNAME"]]["certificate-is-valid"] \
+	  and domain_properties[env["BOX_HOSTNAME"]]["certificate-is-valid"] \
 	  and is_domain_cert_signed_and_valid("mta-sts." + domain, env):
 		# Compute an up-to-32-character hash of the policy file. We'll take a SHA-1 hash of the policy
 		# file (20 bytes) and encode it as base-64 (28 bytes, using alphanumeric alternate characters
@@ -479,7 +479,7 @@ def write_nsd_zone(domain, zonefile, records, env, force):
 	# ldns-signzone, however. It used to say '; default zone domain'.
 	#
 	# The SOA contact address for all of the domains on this system is hostmaster
-	# @ the PRIMARY_HOSTNAME. Hopefully that's legit.
+	# @ the BOX_HOSTNAME. Hopefully that's legit.
 	#
 	# For the refresh through TTL fields, a good reference is:
 	# https://www.ripe.net/publications/docs/ripe-203
@@ -492,7 +492,7 @@ def write_nsd_zone(domain, zonefile, records, env, force):
 $ORIGIN {domain}.
 $TTL 86400          ; default time to live
 
-@ IN SOA ns1.{primary_domain}. hostmaster.{primary_domain}. (
+@ IN SOA ns1.{box_domain}. hostmaster.{box_domain}. (
            __SERIAL__     ; serial number
            7200     ; Refresh (secondary nameserver update interval)
            3600     ; Retry (when refresh fails, how often to try again, should be lower than the refresh)
@@ -502,7 +502,7 @@ $TTL 86400          ; default time to live
 """
 
 	# Replace replacement strings.
-	zone = zone.format(domain=domain, primary_domain=env["PRIMARY_HOSTNAME"])
+	zone = zone.format(domain=domain, box_domain=env["BOX_HOSTNAME"])
 
 	# Add records.
 	for subdomain, querytype, value, _explanation in records:

management/email_administrator.py

@@ -22,7 +22,7 @@ env = load_environment()
 subject = sys.argv[1]
 
 # Administrator's email address.
-admin_addr = "administrator@" + env['PRIMARY_HOSTNAME']
+admin_addr = "administrator@" + env['BOX_HOSTNAME']
 
 # Read in STDIN.
 content = sys.stdin.read().strip()
@@ -37,9 +37,9 @@ msg = MIMEMultipart('alternative')
 # In Python 3.6:
 #msg = Message()
 
-msg['From'] = '"{}" <{}>'.format(env['PRIMARY_HOSTNAME'], admin_addr)
+msg['From'] = '"{}" <{}>'.format(env['BOX_HOSTNAME'], admin_addr)
 msg['To'] = admin_addr
-msg['Subject'] = "[{}] {}".format(env['PRIMARY_HOSTNAME'], subject)
+msg['Subject'] = "[{}] {}".format(env['BOX_HOSTNAME'], subject)
 
 content_html = f'<html><body><pre style="overflow-x: scroll; white-space: pre;">{html.escape(content)}</pre></body></html>'
 

management/mailconfig.py

@@ -517,7 +517,7 @@ def add_auto_aliases(aliases, env):
 	conn.commit()
 
 def get_system_administrator(env):
-	return "administrator@" + env['PRIMARY_HOSTNAME']
+	return "administrator@" + env['BOX_HOSTNAME']
 
 def get_required_aliases(env):
 	# These are the aliases that must exist.
@@ -527,7 +527,7 @@ def get_required_aliases(env):
 	aliases.add(get_system_administrator(env))
 
 	# The hostmaster alias is exposed in the DNS SOA for each zone.
-	aliases.add("hostmaster@" + env['PRIMARY_HOSTNAME'])
+	aliases.add("hostmaster@" + env['BOX_HOSTNAME'])
 
 	# Get a list of domains we serve mail for, except ones for which the only
 	# email on that domain are the required aliases or a catch-all/domain-forwarder.

management/mfa.py

@@ -83,7 +83,7 @@ def provision_totp(email, env):
 	# Make a URI that we encode within a QR code.
 	uri = pyotp.TOTP(secret).provisioning_uri(
 		name=email,
-		issuer_name=env["PRIMARY_HOSTNAME"] + " Mail-in-a-Box Control Panel"
+		issuer_name=env["BOX_HOSTNAME"] + " Mail-in-a-Box Control Panel"
 	)
 
 	# Generate a QR code as a base64-encode PNG image.

management/ssl_certificates.py

@@ -28,7 +28,7 @@ def get_ssl_certificates(env):
 			if fn == 'ssl_certificate.pem':
 				# This is always a symbolic link
 				# to the certificate to use for
-				# PRIMARY_HOSTNAME. Don't let it
+				# BOX_HOSTNAME. Don't let it
 				# be eligible for use because we
 				# could end up creating a symlink
 				# to itself --- we want to find
@@ -73,8 +73,8 @@ def get_ssl_certificates(env):
 	domains = { }
 	for cert in certificates:
 		# What domains is this certificate good for?
-		cert_domains, primary_domain = get_certificate_domains(cert["cert"])
-		cert["primary_domain"] = primary_domain
+		cert_domains, common_name = get_certificate_domains(cert["cert"])
+		cert["common_name"] = common_name
 
 		# Is there a private key file for this certificate?
 		private_key = private_keys.get(cert["cert"].public_key().public_numbers())
@@ -84,9 +84,9 @@ def get_ssl_certificates(env):
 
 		# Add this cert to the list of certs usable for the domains.
 		for domain in cert_domains:
-			# The primary hostname can only use a certificate mapped
+			# The box hostname can only use a certificate mapped
 			# to the system private key.
-			if domain == env['PRIMARY_HOSTNAME'] and cert["private_key"]["filename"] != os.path.join(env['STORAGE_ROOT'], 'ssl', 'ssl_private_key.pem'):
+			if domain == env['BOX_HOSTNAME'] and cert["private_key"]["filename"] != os.path.join(env['STORAGE_ROOT'], 'ssl', 'ssl_private_key.pem'):
 				continue
 
 			domains.setdefault(domain, []).append(cert)
@@ -134,7 +134,7 @@ def get_ssl_certificates(env):
 		ret[domain] = {
 			"private-key": cert["private_key"]["filename"],
 			"certificate": cert["filename"],
-			"primary-domain": cert["primary_domain"],
+			"common-name": cert["common_name"],
 			"certificate_object": cert["cert"],
 			}
 
@@ -148,12 +148,12 @@ def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False
 		system_certificate = {
 			"private-key": ssl_private_key,
 			"certificate": ssl_certificate,
-			"primary-domain": env['PRIMARY_HOSTNAME'],
+			"common-name": env['BOX_HOSTNAME'],
 			"certificate_object": load_pem(load_cert_chain(ssl_certificate)[0]),
 		}
 
-	if use_main_cert and domain == env['PRIMARY_HOSTNAME']:
-		# The primary domain must use the server certificate because
+	if use_main_cert and domain == env['BOX_HOSTNAME']:
+		# The box domain must use the server certificate because
 		# it is hard-coded in some service configuration files.
 		return system_certificate
 
@@ -263,7 +263,7 @@ def provision_certificates(env, limit_domains):
 	# we'll create a list of lists of domains where the inner lists have
 	# at most 100 items. By sorting we also get the DNS zone domain as the first
 	# entry in each list (unless we overflow beyond 100) which ends up as the
-	# primary domain listed in each certificate.
+	# first domain listed in each certificate.
 	from dns_update import get_dns_zones
 	certs = { }
 	for zone, _zonefile in get_dns_zones(env):
@@ -467,21 +467,21 @@ def install_cert_copy_file(fn, env):
 def post_install_func(env):
 	ret = []
 
-	# Get the certificate to use for PRIMARY_HOSTNAME.
+	# Get the certificate to use for BOX_HOSTNAME.
 	ssl_certificates = get_ssl_certificates(env)
-	cert = get_domain_ssl_files(env['PRIMARY_HOSTNAME'], ssl_certificates, env, use_main_cert=False)
+	cert = get_domain_ssl_files(env['BOX_HOSTNAME'], ssl_certificates, env, use_main_cert=False)
 	if not cert:
 		# Ruh-row, we don't have any certificate usable
-		# for the primary hostname.
-		ret.append("there is no valid certificate for " + env['PRIMARY_HOSTNAME'])
+		# for the box hostname.
+		ret.append("there is no valid certificate for " + env['BOX_HOSTNAME'])
 
-	# Symlink the best cert for PRIMARY_HOSTNAME to the system
+	# Symlink the best cert for BOX_HOSTNAME to the system
 	# certificate path, which is hard-coded for various purposes, and then
 	# restart postfix and dovecot.
 	system_ssl_certificate = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_certificate.pem'))
 	if cert and os.readlink(system_ssl_certificate) != cert['certificate']:
 		# Update symlink.
-		ret.append("updating primary certificate")
+		ret.append("updating box certificate")
 		ssl_certificate = cert['certificate']
 		os.unlink(system_ssl_certificate)
 		os.symlink(ssl_certificate, system_ssl_certificate)
@@ -523,7 +523,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring
 	# First check that the domain name is one of the names allowed by
 	# the certificate.
 	if domain is not None:
-		certificate_names, _cert_primary_name = get_certificate_domains(cert)
+		certificate_names, _cn = get_certificate_domains(cert)
 
 		# Check that the domain appears among the acceptable names, or a wildcard
 		# form of the domain name (which is a stricter check than the specs but
@@ -558,9 +558,9 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring
 	if cert.issuer == cert.subject:
 		return ("SELF-SIGNED", None)
 
-	# When selecting which certificate to use for non-primary domains, we check if the primary
-	# certificate or a www-parent-domain certificate is good for the domain. There's no need
-	# to run extra checks beyond this point.
+	# When selecting which certificate to use for non-registrable domains, we check if the
+	# registrable domain certificate or a www-parent-domain certificate is good for the domain.
+	# There's no need to run extra checks beyond this point.
 	if just_check_domain:
 		return ("OK", None)
 

management/status_checks.py

@@ -216,7 +216,7 @@ def check_software_updates(env, output):
 def check_system_aliases(env, output):
 	# Check that the administrator alias exists since that's where all
 	# admin email is automatically directed.
-	check_alias_exists("System administrator address", "administrator@" + env['PRIMARY_HOSTNAME'], env, output)
+	check_alias_exists("System administrator address", "administrator@" + env['BOX_HOSTNAME'], env, output)
 
 def check_free_disk_space(rounded_values, env, output):
 	# Check free disk space.
@@ -382,8 +382,8 @@ def run_domain_checks_on_domain(domain, rounded_time, env, dns_domains, dns_zone
 		output.add_heading(domain)
 		output.print_error("Domain name is invalid: " + str(e))
 
-	if domain == env["PRIMARY_HOSTNAME"]:
-		check_primary_hostname_dns(domain, env, output, dns_domains, dns_zonefiles)
+	if domain == env["BOX_HOSTNAME"]:
+		check_box_hostname_dns(domain, env, output, dns_domains, dns_zonefiles)
 
 	if domain in dns_domains:
 		check_dns_zone(domain, env, output, dns_zonefiles)
@@ -419,13 +419,13 @@ def run_domain_checks_on_domain(domain, rounded_time, env, dns_domains, dns_zone
 
 	return (domain, output)
 
-def check_primary_hostname_dns(domain, env, output, dns_domains, dns_zonefiles):
+def check_box_hostname_dns(domain, env, output, dns_domains, dns_zonefiles):
 	# If a DS record is set on the zone containing this domain, check DNSSEC now.
 	has_dnssec = False
 	for zone in dns_domains:
 		if (zone == domain or domain.endswith("." + zone)) and query_dns(zone, "DS", nxdomain=None) is not None:
 			has_dnssec = True
-			check_dnssec(zone, env, output, dns_zonefiles, is_checking_primary=True)
+			check_dnssec(zone, env, output, dns_zonefiles, is_checking_box_domain=True)
 
 	ip = query_dns(domain, "A")
 	ns_ips = query_dns("ns1." + domain, "A") + '/' + query_dns("ns2." + domain, "A")
@@ -437,35 +437,35 @@ def check_primary_hostname_dns(domain, env, output, dns_domains, dns_zonefiles):
 	# the nameserver, are reporting the right info --- but if the glue is incorrect this
 	# will probably fail.
 	if ns_ips == env['PUBLIC_IP'] + '/' + env['PUBLIC_IP']:
-		output.print_ok("Nameserver glue records are correct at registrar. [ns1/ns2.{} ↦ {}]".format(env['PRIMARY_HOSTNAME'], env['PUBLIC_IP']))
+		output.print_ok("Nameserver glue records are correct at registrar. [ns1/ns2.{} ↦ {}]".format(env['BOX_HOSTNAME'], env['PUBLIC_IP']))
 
 	elif ip == env['PUBLIC_IP']:
 		# The NS records are not what we expect, but the domain resolves correctly, so
 		# the user may have set up external DNS. List this discrepancy as a warning.
 		output.print_warning("""Nameserver glue records (ns1.{} and ns2.{}) should be configured at your domain name
-			registrar as having the IP address of this box ({}). They currently report addresses of {}. If you have set up External DNS, this may be OK.""".format(env['PRIMARY_HOSTNAME'], env['PRIMARY_HOSTNAME'], env['PUBLIC_IP'], ns_ips))
+			registrar as having the IP address of this box ({}). They currently report addresses of {}. If you have set up External DNS, this may be OK.""".format(env['BOX_HOSTNAME'], env['BOX_HOSTNAME'], env['PUBLIC_IP'], ns_ips))
 
 	else:
 		output.print_error("""Nameserver glue records are incorrect. The ns1.{} and ns2.{} nameservers must be configured at your domain name
 			registrar as having the IP address {}. They currently report addresses of {}. It may take several hours for
-			public DNS to update after a change.""".format(env['PRIMARY_HOSTNAME'], env['PRIMARY_HOSTNAME'], env['PUBLIC_IP'], ns_ips))
+			public DNS to update after a change.""".format(env['BOX_HOSTNAME'], env['BOX_HOSTNAME'], env['PUBLIC_IP'], ns_ips))
 
-	# Check that PRIMARY_HOSTNAME resolves to PUBLIC_IP[V6] in public DNS.
+	# Check that BOX_HOSTNAME resolves to PUBLIC_IP[V6] in public DNS.
 	ipv6 = query_dns(domain, "AAAA") if env.get("PUBLIC_IPV6") else None
 	if ip == env['PUBLIC_IP'] and not (ipv6 and env['PUBLIC_IPV6'] and ipv6 != normalize_ip(env['PUBLIC_IPV6'])):
-		output.print_ok("Domain resolves to box's IP address. [{} ↦ {}]".format(env['PRIMARY_HOSTNAME'], my_ips))
+		output.print_ok("Domain resolves to box's IP address. [{} ↦ {}]".format(env['BOX_HOSTNAME'], my_ips))
 	else:
 		output.print_error("""This domain must resolve to this box's IP address ({}) in public DNS but it currently resolves
 			to {}. It may take several hours for public DNS to update after a change. This problem may result from other
 			issues listed above.""".format(my_ips, ip + ((" / " + ipv6) if ipv6 is not None else "")))
 
 
-	# Check reverse DNS matches the PRIMARY_HOSTNAME. Note that it might not be
+	# Check reverse DNS matches the BOX_HOSTNAME. Note that it might not be
 	# a DNS zone if it is a subdomain of another domain we have a zone for.
 	existing_rdns_v4 = query_dns(dns.reversename.from_address(env['PUBLIC_IP']), "PTR")
 	existing_rdns_v6 = query_dns(dns.reversename.from_address(env['PUBLIC_IPV6']), "PTR") if env.get("PUBLIC_IPV6") else None
 	if existing_rdns_v4 == domain and existing_rdns_v6 in {None, domain}:
-		output.print_ok("Reverse DNS is set correctly at ISP. [{} ↦ {}]".format(my_ips, env['PRIMARY_HOSTNAME']))
+		output.print_ok("Reverse DNS is set correctly at ISP. [{} ↦ {}]".format(my_ips, env['BOX_HOSTNAME']))
 	elif existing_rdns_v4 == existing_rdns_v6 or existing_rdns_v6 is None:
 		output.print_error(f"""This box's reverse DNS is currently {existing_rdns_v4}, but it should be {domain}. Your ISP or cloud provider will have instructions
 			on setting up reverse DNS for this box.""" )
@@ -518,10 +518,10 @@ def check_dns_zone(domain, env, output, dns_zonefiles):
 	custom_dns_records = list(get_custom_dns_config(env)) # generator => list so we can reuse it
 	correct_ip = "; ".join(sorted(get_custom_dns_records(custom_dns_records, domain, "A"))) or env['PUBLIC_IP']
 	custom_secondary_ns = get_secondary_dns(custom_dns_records, mode="NS")
-	secondary_ns = custom_secondary_ns or ["ns2." + env['PRIMARY_HOSTNAME']]
+	secondary_ns = custom_secondary_ns or ["ns2." + env['BOX_HOSTNAME']]
 
 	existing_ns = query_dns(domain, "NS")
-	correct_ns = "; ".join(sorted(["ns1." + env["PRIMARY_HOSTNAME"], *secondary_ns]))
+	correct_ns = "; ".join(sorted(["ns1." + env["BOX_HOSTNAME"], *secondary_ns]))
 	ip = query_dns(domain, "A")
 
 	probably_external_dns = False
@@ -595,7 +595,7 @@ def check_dns_zone_suggestions(domain, env, output, dns_zonefiles, domains_with_
 		check_dnssec(domain, env, output, dns_zonefiles)
 
 
-def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
+def check_dnssec(domain, env, output, dns_zonefiles, is_checking_box_domain=False):
 	# See if the domain has a DS record set at the registrar. The DS record must
 	# match one of the keys that we've used to sign the zone. It may use one of
 	# several hashing algorithms. We've pre-generated all possible valid DS
@@ -661,7 +661,7 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
 				IMPORTANT: Do not delete existing DNSSEC 'DS' records for this domain until confirmation that the new DNSSEC 'DS' record
 				for this domain is valid.""")
 		else:
-			if is_checking_primary:
+			if is_checking_box_domain:
 				output.print_error("""The DNSSEC 'DS' record for %s is incorrect. See further details below.""" % domain)
 				return
 			output.print_error("""This domain's DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system
@@ -702,7 +702,7 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
 def check_mail_domain(domain, env, output):
 	# Check the MX record.
 
-	recommended_mx = "10 " + env['PRIMARY_HOSTNAME']
+	recommended_mx = "10 " + env['BOX_HOSTNAME']
 	mx = query_dns(domain, "MX", nxdomain=None)
 
 	if mx is None or mx == "[timeout]":
@@ -713,26 +713,26 @@ def check_mail_domain(domain, env, output):
 		mxhost = mx.split('; ')[0].split(' ')[1]
 
 	if mxhost is None:
-		# A missing MX record is okay on the primary hostname because
-		# the primary hostname's A record (the MX fallback) is... itself,
+		# A missing MX record is okay on the box hostname because
+		# the box hostname's A record (the MX fallback) is... itself,
 		# which is what we want the MX to be.
-		if domain == env['PRIMARY_HOSTNAME']:
+		if domain == env['BOX_HOSTNAME']:
 			output.print_ok(f"Domain's email is directed to this domain. [{domain} has no MX record, which is ok]")
 
 		# And a missing MX record is okay on other domains if the A record
-		# matches the A record of the PRIMARY_HOSTNAME. Actually this will
+		# matches the A record of the BOX_HOSTNAME. Actually this will
 		# probably confuse DANE TLSA, but we'll let that slide for now.
 		else:
 			domain_a = query_dns(domain, "A", nxdomain=None)
-			primary_a = query_dns(env['PRIMARY_HOSTNAME'], "A", nxdomain=None)
-			if domain_a is not None and domain_a == primary_a:
+			box_a = query_dns(env['BOX_HOSTNAME'], "A", nxdomain=None)
+			if domain_a is not None and domain_a == box_a:
 				output.print_ok(f"Domain's email is directed to this domain. [{domain} has no MX record but its A record is OK]")
 			else:
 				output.print_error(f"""This domain's DNS MX record is not set. It should be '{recommended_mx}'. Mail will not
 					be delivered to this box. It may take several hours for public DNS to update after a
 					change. This problem may result from other issues listed here.""")
 
-	elif mxhost == env['PRIMARY_HOSTNAME']:
+	elif mxhost == env['BOX_HOSTNAME']:
 		good_news = f"Domain's email is directed to this domain. [{domain} ↦ {mx}]"
 		if mx != recommended_mx:
 			good_news += f"  This configuration is non-standard.  The recommended configuration is '{recommended_mx}'."
@@ -743,7 +743,7 @@ def check_mail_domain(domain, env, output):
 		sts_resolver = postfix_mta_sts_resolver.resolver.STSResolver(loop=loop)
 		valid, policy = loop.run_until_complete(sts_resolver.resolve(domain))
 		if valid == postfix_mta_sts_resolver.resolver.STSFetchResult.VALID:
-			if policy[1].get("mx") == [env['PRIMARY_HOSTNAME']] and policy[1].get("mode") == "enforce": # policy[0] is the policyid
+			if policy[1].get("mx") == [env['BOX_HOSTNAME']] and policy[1].get("mode") == "enforce": # policy[0] is the policyid
 				output.print_ok("MTA-STS policy is present.")
 			else:
 				output.print_error(f"MTA-STS policy is present but has unexpected settings. [{policy[1]}]")
@@ -763,7 +763,7 @@ def check_mail_domain(domain, env, output):
 	# Stop if the domain is listed in the Spamhaus Domain Block List.
 	# The user might have chosen a domain that was previously in use by a spammer
 	# and will not be able to reliably send mail.
-	
+
 	# See https://www.spamhaus.org/news/article/807/using-our-public-mirrors-check-your-return-codes-now. for
 	# information on spamhaus return codes
 	dbl = query_dns(domain+'.dbl.spamhaus.org', "A", nxdomain=None)
@@ -786,9 +786,9 @@ def check_mail_domain(domain, env, output):
 
 def check_web_domain(domain, rounded_time, ssl_certificates, env, output):
 	# See if the domain's A record resolves to our PUBLIC_IP. This is already checked
-	# for PRIMARY_HOSTNAME, for which it is required for mail specifically. For it and
+	# for BOX_HOSTNAME, for which it is required for mail specifically. For it and
 	# other domains, it is required to access its website.
-	if domain != env['PRIMARY_HOSTNAME']:
+	if domain != env['BOX_HOSTNAME']:
 		ok_values = []
 		for (rtype, expected) in (("A", env['PUBLIC_IP']), ("AAAA", env.get('PUBLIC_IPV6'))):
 			if not expected: continue # IPv6 is not configured
@@ -805,7 +805,7 @@ def check_web_domain(domain, rounded_time, ssl_certificates, env, output):
 		output.print_ok("Domain resolves to this box's IP address. [{} ↦ {}]".format(domain, '; '.join(ok_values)))
 
 
-	# We need a TLS certificate for PRIMARY_HOSTNAME because that's where the
+	# We need a TLS certificate for BOX_HOSTNAME because that's where the
 	# user will log in with IMAP or webmail. Any other domain we serve a
 	# website for also needs a signed certificate.
 	check_ssl_cert(domain, rounded_time, ssl_certificates, env, output)
@@ -886,7 +886,7 @@ def check_ssl_cert(domain, rounded_time, ssl_certificates, env, output):
 
 	elif cert_status == "SELF-SIGNED":
 		# Offer instructions for purchasing a signed certificate.
-		if domain == env['PRIMARY_HOSTNAME']:
+		if domain == env['BOX_HOSTNAME']:
 			output.print_error("""The TLS (SSL) certificate for this domain is currently self-signed. You will get a security
 			warning when you check or send email and when visiting this domain in a web browser (for webmail or
 			static site hosting).""")
@@ -1140,9 +1140,9 @@ if __name__ == "__main__":
 		with multiprocessing.pool.Pool(processes=10) as pool:
 			run_and_output_changes(env, pool)
 
-	elif sys.argv[1] == "--check-primary-hostname":
-		# See if the primary hostname appears resolvable and has a signed certificate.
-		domain = env['PRIMARY_HOSTNAME']
+	elif sys.argv[1] == "--check-box-hostname":
+		# See if the box hostname appears resolvable and has a signed certificate.
+		domain = env['BOX_HOSTNAME']
 		if query_dns(domain, "A") != env['PUBLIC_IP']:
 			sys.exit(1)
 		ssl_certificates = get_ssl_certificates(env)

management/utils.py

@@ -73,8 +73,8 @@ def sort_domains(domain_names, env):
     # Sort the zones.
     zone_domains = sorted(zones.values(),
       key = lambda d : (
-        # PRIMARY_HOSTNAME or the zone that contains it is always first.
-        not (d == env['PRIMARY_HOSTNAME'] or env['PRIMARY_HOSTNAME'].endswith("." + d)),
+        # BOX_HOSTNAME or the zone that contains it is always first.
+        not (d == env['BOX_HOSTNAME'] or env['BOX_HOSTNAME'].endswith("." + d)),
 
         # Then just dumb lexicographically.
         d,
@@ -86,11 +86,11 @@ def sort_domains(domain_names, env):
         # First by zone.
         zone_domains.index(zones[d]),
 
-        # PRIMARY_HOSTNAME is always first within the zone that contains it.
-        d != env['PRIMARY_HOSTNAME'],
+        # BOX_HOSTNAME is always first within the zone that contains it.
+        d != env['BOX_HOSTNAME'],
 
         # Followed by any of its subdomains.
-        not d.endswith("." + env['PRIMARY_HOSTNAME']),
+        not d.endswith("." + env['BOX_HOSTNAME']),
 
         # Then in right-to-left lexicographic order of the .-separated parts of the name.
         list(reversed(d.split("."))),

management/web_update.py

@@ -39,10 +39,10 @@ def get_web_domains(env, include_www_redirects=True, include_auto=True, exclude_
 		# IP address than this box. Remove those domains from our list.
 		domains -= get_domains_with_a_records(env)
 
-	# Ensure the PRIMARY_HOSTNAME is in the list so we can serve webmail
+	# Ensure the BOX_HOSTNAME is in the list so we can serve webmail
 	# as well as Z-Push for Exchange ActiveSync. This can't be removed
 	# by a custom A/AAAA record and is never a 'www.' redirect.
-	domains.add(env['PRIMARY_HOSTNAME'])
+	domains.add(env['BOX_HOSTNAME'])
 
 	# Sort the list so the nginx conf gets written in a stable order.
 	return sort_domains(domains, env)
@@ -86,18 +86,18 @@ def do_web_update(env):
 	# Load the templates.
 	template0 = read_conf("nginx.conf")
 	template1 = read_conf("nginx-alldomains.conf")
-	template2 = read_conf("nginx-primaryonly.conf")
+	template2 = read_conf("nginx-boxonly.conf")
 	template3 = "\trewrite ^(.*) https://$REDIRECT_DOMAIN$1 permanent;\n"
 
-	# Add the PRIMARY_HOST configuration first so it becomes nginx's default server.
-	nginx_conf += make_domain_config(env['PRIMARY_HOSTNAME'], [template0, template1, template2], ssl_certificates, env)
+	# Add the BOX_HOSTNAME configuration first so it becomes nginx's default server.
+	nginx_conf += make_domain_config(env['BOX_HOSTNAME'], [template0, template1, template2], ssl_certificates, env)
 
 	# Add configuration all other web domains.
 	has_root_proxy_or_redirect = get_web_domains_with_root_overrides(env)
 	web_domains_not_redirect = get_web_domains(env, include_www_redirects=False)
 	for domain in get_web_domains(env):
-		if domain == env['PRIMARY_HOSTNAME']:
-			# PRIMARY_HOSTNAME is handled above.
+		if domain == env['BOX_HOSTNAME']:
+			# BOX_HOSTNAME is handled above.
 			continue
 		if domain in web_domains_not_redirect:
 			# This is a regular domain.
@@ -250,7 +250,7 @@ def get_web_domains_info(env):
 	def check_cert(domain):
 		try:
 			tls_cert = get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=True)
-		except OSError: # PRIMARY_HOSTNAME cert is missing
+		except OSError: # BOX_HOSTNAME cert is missing
 			tls_cert = None
 		if tls_cert is None: return ("danger", "No certificate installed.")
 		cert_status, cert_status_details = check_certificate(domain, tls_cert["certificate"], tls_cert["private-key"])