From daad122236f7eca841e9a46fa19dd57f44bcb5ac Mon Sep 17 00:00:00 2001 From: lamkin <88649589+lamkin@users.noreply.github.com> Date: Mon, 16 Aug 2021 16:46:32 +0100 Subject: [PATCH 1/5] Ignore bad encoding in email addresses when parsing maillog files (#2017) local/domain parts of email address should be standard ASCII or UTF-8. Some email addresses contain extended ASCII, leading to decode failure by the UTF-8 codec (and thus failure of the Usage-Report script) This change allows maillog parsing to continue over lines containing such addresses --- management/mail_log.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/management/mail_log.py b/management/mail_log.py index 1626f820..59c32c6e 100755 --- a/management/mail_log.py +++ b/management/mail_log.py @@ -586,7 +586,7 @@ def scan_postfix_submission_line(date, log, collector): def readline(filename): """ A generator that returns the lines of a file """ - with open(filename) as file: + with open(filename, errors='replace') as file: while True: line = file.readline() if not line: From 0ba841c7b66979e00e0d790b53555f05f72e9063 Mon Sep 17 00:00:00 2001 From: NewbieOrange Date: Mon, 23 Aug 2021 02:13:58 +0800 Subject: [PATCH 2/5] fail2ban now supports ipv6 (#2015) Since fail2ban 0.10.0, ipv6 support has been added. The current Ubuntu 18.04 repository has fail2ban 0.10.2, which does have ipv6 protection. --- security.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/security.md b/security.md index 8c39437e..5de8c612 100644 --- a/security.md +++ b/security.md @@ -69,8 +69,6 @@ The following services are protected: SSH, IMAP (dovecot), SMTP submission (post Some other services running on the box may be missing fail2ban filters. -`fail2ban` only blocks IPv4 addresses, however. If the box has a public IPv6 address, it is not protected from these attacks. - Outbound Mail ------------- From 20ccda8710411552d69978aeff41a9281fbb2012 Mon Sep 17 00:00:00 2001 
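Review bot: In `readline` (management/mail_log.py), `open(filename, errors='replace')` passes no `encoding`, so decoding still depends on the locale the script runs under, and `replace` maps every undecodable byte to the same U+FFFD character. Address fields in the mail log come from remote senders, so two different malformed addresses can collapse into one string in the usage report and the original bytes are lost for later investigation. Assuming the logs are meant to be read as UTF-8, as the commit message implies, I would write `with open(filename, encoding='utf-8', errors='backslashreplace') as file:` and add a comment such as `# tolerate non-UTF-8 bytes in addresses; keep them visible as \xNN escapes`. The body of `readline` continues past the end of the hunk.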
From: myfirstnameispaul Date: Mon, 28 Jun 2021 05:51:05 -0700 Subject: [PATCH 3/5] Re-order DS record algorithms by digest type and revise warning message. Note that 7, 4 is printed last in the status checks page but does not appear in the file, and I couldn't figure out why. --- management/status_checks.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/management/status_checks.py b/management/status_checks.py index 7e766d0f..e509ff41 100755 --- a/management/status_checks.py +++ b/management/status_checks.py @@ -619,7 +619,9 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False): output.print_ok("DNSSEC 'DS' record is set correctly at registrar. (Records using algorithm other than ECDSAP256SHA256 should be removed.)") return else: # no record uses alg 13 - output.print_warning("DNSSEC 'DS' record set at registrar is valid but should be updated to ECDSAP256SHA256 (see below).") + output.print_warning("""DNSSEC 'DS' record set at registrar is valid but should be updated to ECDSAP256SHA256 (see below). + IMPORTANT: Do not delete existing DNSSEC 'DS' records for this domain until confirmation that the new DNSSEC 'DS' record + for this domain is valid.""") else: if is_checking_primary: output.print_error("""The DNSSEC 'DS' record for %s is incorrect. See further details below.""" % domain) @@ -630,7 +632,8 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False): output.print_line("""Follow the instructions provided by your domain name registrar to set a DS record. Registrars support different sorts of DS records. Use the first option that works:""") - preferred_ds_order = [(7, 1), (7, 2), (8, 4), (13, 4), (8, 1), (8, 2), (13, 1), (13, 2)] # low to high + preferred_ds_order = [(7, 1), (8, 1), (13, 1), (7, 2), (8, 4), (13, 4), (8, 2), (13, 2)] # low to high + def preferred_ds_order_func(ds_suggestion): k = (int(ds_suggestion['alg']), int(ds_suggestion['digalg'])) if k in preferred_ds_order: 
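Review bot: The reordered `preferred_ds_order` list in the second status_checks.py hunk is documented only as `# low to high`, which does not say what happens to an (algorithm, digest type) pair that is missing from the list. That is the behaviour the commit message asks about for 7, 4. Going by the `return -1  # index before first item` line shown as context in the next patch on this page, an unlisted pair gets the lowest rank and is therefore still offered, as the last option. I would say so next to the list, e.g. `# low to high; pairs not listed here rank below every listed pair and are printed last`. The rest of `preferred_ds_order_func` and the loop that sorts the suggestions lie outside this hunk.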
From 67b5711c683df8f05acd48ce13c4afcb2c5d3008 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sun, 22 Aug 2021 14:43:33 -0400 Subject: [PATCH 4/5] Recommend that DS records be updated to not use SHA1 and exclude MUST NOT methods (SHA1) and the unlikely option RSASHA1-NSEC3-SHA1 (7) + SHA-384 (4) from the DS record suggestions --- management/status_checks.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/management/status_checks.py b/management/status_checks.py index e509ff41..e2d4b1a7 100755 --- a/management/status_checks.py +++ b/management/status_checks.py 
@@ -612,14 +612,14 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
 #
 # But it may not be preferred. Only algorithm 13 is preferred. Warn if any of the
 # matched zones uses a different algorithm.
- if set(r[1] for r in matched_ds) == { '13' }: # all are alg 13
+ if set(r[1] for r in matched_ds) == { '13' } and set(r[2] for r in matched_ds) <= { '2', '4' }: # all are alg 13 and digest type 2 or 4
 output.print_ok("DNSSEC 'DS' record is set correctly at registrar.")
 return
- elif '13' in set(r[1] for r in matched_ds): # some but not all are alg 13
- output.print_ok("DNSSEC 'DS' record is set correctly at registrar. (Records using algorithm other than ECDSAP256SHA256 should be removed.)")
+ elif len([r for r in matched_ds if r[1] == '13' and r[2] in ( '2', '4' )]) > 0: # some but not all are alg 13
+ output.print_ok("DNSSEC 'DS' record is set correctly at registrar. (Records using algorithm other than ECDSAP256SHA256 and digest types other than SHA-256/384 should be removed.)")
 return
 else: # no record uses alg 13
- output.print_warning("""DNSSEC 'DS' record set at registrar is valid but should be updated to ECDSAP256SHA256 (see below).
+ output.print_warning("""DNSSEC 'DS' record set at registrar is valid but should be updated to ECDSAP256SHA256 and SHA-256 (see below).
 IMPORTANT: Do not delete existing DNSSEC 'DS' records for this domain until confirmation that the new DNSSEC 'DS' record
 for this domain is valid.""")
 else:
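Review bot: The trailing comments on the `elif` and `else` branches no longer match the conditions. The `elif` now requires an algorithm-13 record with digest type 2 or 4, so the `else` also catches an algorithm-13 record that only has a SHA-1 digest, yet it is still labelled `# no record uses alg 13`. I would change them to `# at least one record is alg 13 with a SHA-256/384 digest` and `# no record is alg 13 with a SHA-256/384 digest`, so the next reader does not take the SHA-1 case for an "ok" path. As a style point, `len([...]) > 0` reads more directly as `elif any(r[1] == '13' and r[2] in ('2', '4') for r in matched_ds):`. The surrounding `if`/`else` that selects these branches starts above the hunk.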
@@ -632,7 +632,7 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False): output.print_line("""Follow the instructions provided by your domain name registrar to set a DS record. Registrars support different sorts of DS records. Use the first option that works:""") - preferred_ds_order = [(7, 1), (8, 1), (13, 1), (7, 2), (8, 4), (13, 4), (8, 2), (13, 2)] # low to high + preferred_ds_order = [(7, 2), (8, 4), (13, 4), (8, 2), (13, 2)] # low to high, see https://github.com/mail-in-a-box/mailinabox/issues/1998 def preferred_ds_order_func(ds_suggestion): k = (int(ds_suggestion['alg']), int(ds_suggestion['digalg'])) @@ -641,6 +641,7 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False): return -1 # index before first item output.print_line("") for i, ds_suggestion in enumerate(sorted(expected_ds_records.values(), key=preferred_ds_order_func, reverse=True)): + if preferred_ds_order_func(ds_suggestion) == -1: continue # don't offer record types that the RFC says we must not offer output.print_line("") output.print_line("Option " + str(i+1) + ":") output.print_line("----------") From ba80d9e72dd984af0ee733d55291a00e7f8685e6 Mon Sep 17 00:00:00 2001 From: David Duque Date: Mon, 23 Aug 2021 11:25:41 +0100 Subject: [PATCH 5/5] Show backup retention period form when configuring B2 backups (#2024) --- management/templates/system-backup.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/management/templates/system-backup.html b/management/templates/system-backup.html index a63b38e6..6cbcc4fa 100644 --- a/management/templates/system-backup.html +++ b/management/templates/system-backup.html @@ -138,7 +138,7 @@ -
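Review bot: The added `if preferred_ds_order_func(ds_suggestion) == -1: continue` in the last status_checks.py hunk reuses the sort key's `-1` fallback as the "must not offer" signal. The filter therefore depends on that magic value, and the `Option i+1` numbering stays gap-free only because the reverse sort happens to put the skipped entries last. Filtering before sorting states the intent directly: `offered = [ds for ds in expected_ds_records.values() if (int(ds['alg']), int(ds['digalg'])) in preferred_ds_order]` followed by `for i, ds_suggestion in enumerate(sorted(offered, key=preferred_ds_order_func, reverse=True)):`. If every expected record is filtered out, the "Use the first option that works:" line is printed with nothing under it. Whether that can happen depends on how `expected_ds_records` is built, which is not visible in these hunks.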
+