mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-12-24 07:37:04 +00:00
Merge branch 'mail-in-a-box:main' into master
This commit is contained in:
commit
98c00d1c6a
@ -586,7 +586,7 @@ def scan_postfix_submission_line(date, log, collector):
|
||||
def readline(filename):
|
||||
""" A generator that returns the lines of a file
|
||||
"""
|
||||
with open(filename) as file:
|
||||
with open(filename, errors='replace') as file:
|
||||
while True:
|
||||
line = file.readline()
|
||||
if not line:
|
||||
|
@ -626,14 +626,16 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
|
||||
#
|
||||
# But it may not be preferred. Only algorithm 13 is preferred. Warn if any of the
|
||||
# matched zones uses a different algorithm.
|
||||
if set(r[1] for r in matched_ds) == { '13' }: # all are alg 13
|
||||
if set(r[1] for r in matched_ds) == { '13' } and set(r[2] for r in matched_ds) <= { '2', '4' }: # all are alg 13 and digest type 2 or 4
|
||||
output.print_ok("DNSSEC 'DS' record is set correctly at registrar.")
|
||||
return
|
||||
elif '13' in set(r[1] for r in matched_ds): # some but not all are alg 13
|
||||
output.print_ok("DNSSEC 'DS' record is set correctly at registrar. (Records using algorithm other than ECDSAP256SHA256 should be removed.)")
|
||||
elif len([r for r in matched_ds if r[1] == '13' and r[2] in ( '2', '4' )]) > 0: # some but not all are alg 13
|
||||
output.print_ok("DNSSEC 'DS' record is set correctly at registrar. (Records using algorithm other than ECDSAP256SHA256 and digest types other than SHA-256/384 should be removed.)")
|
||||
return
|
||||
else: # no record uses alg 13
|
||||
output.print_warning("DNSSEC 'DS' record set at registrar is valid but should be updated to ECDSAP256SHA256 (see below).")
|
||||
output.print_warning("""DNSSEC 'DS' record set at registrar is valid but should be updated to ECDSAP256SHA256 and SHA-256 (see below).
|
||||
IMPORTANT: Do not delete existing DNSSEC 'DS' records for this domain until confirmation that the new DNSSEC 'DS' record
|
||||
for this domain is valid.""")
|
||||
else:
|
||||
if is_checking_primary:
|
||||
output.print_error("""The DNSSEC 'DS' record for %s is incorrect. See further details below.""" % domain)
|
||||
@ -644,7 +646,8 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
|
||||
|
||||
output.print_line("""Follow the instructions provided by your domain name registrar to set a DS record.
|
||||
Registrars support different sorts of DS records. Use the first option that works:""")
|
||||
preferred_ds_order = [(7, 1), (7, 2), (8, 4), (13, 4), (8, 1), (8, 2), (13, 1), (13, 2)] # low to high
|
||||
preferred_ds_order = [(7, 2), (8, 4), (13, 4), (8, 2), (13, 2)] # low to high, see https://github.com/mail-in-a-box/mailinabox/issues/1998
|
||||
|
||||
def preferred_ds_order_func(ds_suggestion):
|
||||
k = (int(ds_suggestion['alg']), int(ds_suggestion['digalg']))
|
||||
if k in preferred_ds_order:
|
||||
@ -652,6 +655,7 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
|
||||
return -1 # index before first item
|
||||
output.print_line("")
|
||||
for i, ds_suggestion in enumerate(sorted(expected_ds_records.values(), key=preferred_ds_order_func, reverse=True)):
|
||||
if preferred_ds_order_func(ds_suggestion) == -1: continue # don't offer record types that the RFC says we must not offer
|
||||
output.print_line("")
|
||||
output.print_line("Option " + str(i+1) + ":")
|
||||
output.print_line("----------")
|
||||
|
@ -138,7 +138,7 @@
|
||||
</div>
|
||||
</div>
|
||||
<!-- Common -->
|
||||
<div class="form-group backup-target-local backup-target-rsync backup-target-s3">
|
||||
<div class="form-group backup-target-local backup-target-rsync backup-target-s3 backup-target-b2">
|
||||
<label for="min-age" class="col-sm-2 control-label">Retention Days:</label>
|
||||
<div class="col-sm-8">
|
||||
<input type="number" class="form-control" rows="1" id="min-age">
|
||||
|
@ -69,8 +69,6 @@ The following services are protected: SSH, IMAP (dovecot), SMTP submission (post
|
||||
|
||||
Some other services running on the box may be missing fail2ban filters.
|
||||
|
||||
`fail2ban` only blocks IPv4 addresses, however. If the box has a public IPv6 address, it is not protected from these attacks.
|
||||
|
||||
Outbound Mail
|
||||
-------------
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user