Merge with master, test owncloud upgrade from 8.2.7

CHANGELOG.md

@@ -4,9 +4,16 @@ CHANGELOG
 In Development
 --------------
 
+ownCloud:
+
+* Updated to ownCloud to 8.2.7.
+
+v0.19 (August 13, 2016)
+-----------------------
+
 Mail:
 
-* Roundcube is updated to version 1.2.0.
+* Roundcube is updated to version 1.2.1.
 * SSLv3 and RC4 are now no longer supported in incoming and outgoing mail (SMTP port 25).
 
 Control panel:
@@ -15,6 +22,10 @@ Control panel:
 * The HSTS header was missing.
 * New status checks were added for the ufw firewall.
 
+DNS:
+
+* Add SRV records for CardDAV/CalDAV to facilitate autoconfiguration (e.g. in DavDroid, whose latest version didn't seem to work to configure with entering just a hostname).
+
 System:
 
 * fail2ban jails added for SMTP submission, Roundcube, ownCloud, the control panel, and munin.

README.md

@@ -59,7 +59,7 @@ by me:
 	$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 	gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
 
-	$ git verify-tag v0.18c
+	$ git verify-tag v0.19
 	gpg: Signature made ..... using RSA key ID C10BDD81
 	gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
 	gpg: WARNING: This key is not certified with a trusted signature!
@@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r
 
 Checkout the tag corresponding to the most recent release:
 
-	$ git checkout v0.18c
+	$ git checkout v0.19
 
 Begin the installation.
 

management/dns_update.py

@@ -274,6 +274,13 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 		if not has_rec(dmarc_qname, "TXT", prefix="v=DMARC1; "):
 			records.append((dmarc_qname, "TXT", 'v=DMARC1; p=reject', "Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @%s." % (qname + "." + domain)))
 
+	# Add CardDAV/CalDAV SRV records on the non-primary hostname that points to the primary hostname.
+	# The SRV record format is priority (0, whatever), weight (0, whatever), port, service provider hostname (w/ trailing dot).
+	if domain != env["PRIMARY_HOSTNAME"]:
+		for dav in ("card", "cal"):
+			qname = "_" + dav + "davs._tcp"
+			if not has_rec(qname, "SRV"):
+				records.append((qname, "SRV", "0 0 443 " + env["PRIMARY_HOSTNAME"] + ".", "Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain."))
 
 	# Sort the records. The None records *must* go first in the nsd zone file. Otherwise it doesn't matter.
 	records.sort(key = lambda rec : list(reversed(rec[0].split(".")) if rec[0] is not None else ""))

management/templates/aliases.html

@@ -106,37 +106,38 @@
   </table>
 </div>
 
-<h3>Mail alias API</h3>
+<h3>Mail aliases API (advanced)</h3>
 
-<p>Use your box&rsquo;s Mail alias API to add/remove aliases.</p>
+<p>Use your box&rsquo;s mail aliases API to add and remove mail aliases from the command-line or custom services you build.</p>
 
 <p>Usage:</p>
 
-<pre>curl -X <b>VERB</b> [-d "<b>value</b>"] --user {email}:{password} https://{{hostname}}/admin/mail/aliases[<b>action</b>]</pre>
+<pre>curl -X <b>VERB</b> [-d "<b>parameters</b>"] --user {email}:{password} https://{{hostname}}/admin/mail/aliases[<b>action</b>]</pre>
 
-<p>(Brackets denote an optional argument.)</p>
+<p>Brackets denote an optional argument. Please note that the POST body <code>parameters</code> must be URL-encoded.</p>
-<p>(Adding <code>?format=json</code> will give json encoded results)</p>
 
-<h4>Verbs</h4>
+<p>The email and password given to the <code>--user</code> option must be an administrative user on this system.</p>
 
-<table class="table">
+<h4 style="margin-bottom: 0">Verbs</h4>
+
+<table class="table" style="margin-top: .5em">
 <thead><th>Verb</th> <th>Action</th><th></th></thead>
-<tr><td>GET</td><td></td> <td>Returns a list of existing mail aliases.</td></tr>
+<tr><td>GET</td><td><i>(none)</i></td> <td>Returns a list of existing mail aliases. Adding <code>?format=json</code> to the URL will give JSON-encoded results.</td></tr>
-<tr><td>POST</td><td>/add</td> <td>Adds a new mail alias. Required parameters are <code>address</code> and <code>forward_to</code>.</td></tr>
+<tr><td>POST</td><td>/add</td> <td>Adds a new mail alias. Required POST-body parameters are <code>address</code> and <code>forward_to</code>.</td></tr>
-<tr><td>POST</td><td>/remove</td> <td>Removes a mail alias. Required parameter is <code>address</code>.</td></tr>
+<tr><td>POST</td><td>/remove</td> <td>Removes a mail alias. Required POST-body parameter is <code>address</code>.</td></tr>
 </table>
 
 <h4>Examples:</h4>
 
 <p>Try these examples. For simplicity the examples omit the <code>--user me@mydomain.com:yourpassword</code> command line argument which you must fill in with your email address and password.</p>
 
-<pre># Gives a json encoded list of all mail users
+<pre># Gives a JSON-encoded list of all mail aliases
-curl -X GET https://{{hostname}}/admin/mail/users?format=json
+curl -X GET https://{{hostname}}/admin/mail/aliases?format=json
 
-# adds a new email alias
+# Adds a new alias
 curl -X POST -d "address=new_alias@mydomail.com" -d "forward_to=my_email@mydomain.com" https://{{hostname}}/admin/mail/aliases/add
 
-# removes a email alias
+# Removes an alias
 curl -X POST -d "address=new_alias@mydomail.com" https://{{hostname}}/admin/mail/aliases/remove
 </pre>
 

management/templates/custom-dns.html

@@ -10,7 +10,7 @@
 
 <p>It is possible to set custom DNS records on domains hosted here.</p>
 
-<h3>Set Custom DNS Records</h3>
+<h3>Set custom DNS records</h3>
 
 <p>You can set additional DNS records, such as if you have a website running on another server, to add DKIM records for external mail providers, or for various confirmation-of-ownership tests.</p>
 
@@ -66,7 +66,7 @@
   </tbody>
 </table>
 
-<h3>Using a Secondary Nameserver</h3>
+<h3>Using a secondary nameserver</h3>
 
 <p>If your TLD requires you to have two separate nameservers, you can either set up <a href="#" onclick="return show_panel('external_dns')">external DNS</a> and ignore the DNS server on this box entirely, or use the DNS server on this box but add a secondary (aka &ldquo;slave&rdquo;) nameserver.</p>
 <p>If you choose to use a seconday nameserver, you must find a seconday nameserver service provider. Your domain name registrar or virtual cloud provider may provide this service for you. Once you set up the seconday nameserver service, enter the hostname (not the IP address) of <em>their</em> secondary nameserver in the box below.</p>

management/templates/ssl.html

@@ -8,7 +8,7 @@
 <p>You need a TLS certificate for this box&rsquo;s hostname ({{hostname}}) and every other domain name and subdomain that this box is hosting a website for (see the list below).</p>
 
 <div id="ssl_provision">
-<h3>Provision a Certificate</h3>
+<h3>Provision a certificate</h3>
 
 <div id="ssl_provision_p" style="display: none; margin-top: 1.5em">
   <button onclick='return provision_tls_cert();' class='btn btn-primary' style="float: left; margin: 0 1.5em 1em 0;">Provision</button>
@@ -36,7 +36,7 @@
 </div>
 </div>
 
-<h3>Certificate Status</h3>
+<h3>Certificate status</h3>
 
 <p style="margin-top: 1.5em">Certificates expire after a period of time. All certificates will be automatically renewed through <a href="https://letsencrypt.org/" target="_blank">Let&rsquo;s Encrypt</a> 14 days prior to expiration.</p>
 
@@ -53,7 +53,7 @@
 </table>
 
 
-<h3 id="ssl_install_header">Install Certificate</h3>
+<h3 id="ssl_install_header">Install certificate</h3>
 
 <p>There are many other places where you can get a free or cheap certificate. If you don't want to use our automatic Let's Encrypt integration, you can give <a href="https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx">Namecheap&rsquo;s $9 certificate</a>, <a href="https://www.startssl.com/">StartSSL&rsquo;s free express lane</a>, <a href="https://buy.wosign.com/free/">WoSign&rsquo;s free TLS</a></a> or any other certificate provider a try.</p>
 

management/templates/system-backup.html

@@ -74,7 +74,7 @@
   </div>
 </form>
 
-<h3>Available Backups</h3>
+<h3>Available backups</h3>
 
 <p>The backup location currently contains the backups listed below. The total size of the backups is currently <span id="backup-total-size"></span>.</p>
 

management/templates/users.html

@@ -84,45 +84,46 @@
   </table>
 </div>
 
-<h3>Mail user API</h3>
+<h3>Mail user API (advanced)</h3>
 
-<p>Use your box&rsquo;s Mail user API to add/change/remove users.</p>
+<p>Use your box&rsquo;s mail user API to add/change/remove users from the command-line or custom services you build.</p>
 
 <p>Usage:</p>
 
-<pre>curl -X <b>VERB</b> [-d "<b>value</b>"] --user {email}:{password} https://{{hostname}}/admin/mail/users[<b>action</b>]</pre>
+<pre>curl -X <b>VERB</b> [-d "<b>parameters</b>"] --user {email}:{password} https://{{hostname}}/admin/mail/users[<b>action</b>]</pre>
 
-<p>(Brackets denote an optional argument.)</p>
+<p>Brackets denote an optional argument. Please note that the POST body <code>parameters</code> must be URL-encoded.</p>
-<p>(Adding <code>?format=json</code> will give json encoded results)</p>
 
-<h4>Verbs</h4>
+<p>The email and password given to the <code>--user</code> option must be an administrative user on this system.</p>
 
-<table class="table">
+<h4 style="margin-bottom: 0">Verbs</h4>
+
+<table class="table" style="margin-top: .5em">
 <thead><th>Verb</th> <th>Action</th><th></th></thead>
-<tr><td>GET</td><td></td> <td>Returns a list of existing mail users.</td></tr>
+<tr><td>GET</td><td><i>(none)</i></td> <td>Returns a list of existing mail users. Adding <code>?format=json</code> to the URL will give JSON-encoded results.</td></tr>
-<tr><td>POST</td><td>/add</td> <td>Adds a new mail user. Required parameters are <code>email</code> and <code>password</code>.</td></tr>
+<tr><td>POST</td><td>/add</td> <td>Adds a new mail user. Required POST-body parameters are <code>email</code> and <code>password</code>.</td></tr>
-<tr><td>POST</td><td>/remove</td> <td>Removes a mail user. Required parameter is <code>email</code>.</td></tr>
+<tr><td>POST</td><td>/remove</td> <td>Removes a mail user. Required POST-by parameter is <code>email</code>.</td></tr>
-<tr><td>POST</td><td>/privileges/add</td> <td>Used to make a mail user an admin. Required parameters are <code>email</code> and <code>privilege=admin</code>.</td></tr>
+<tr><td>POST</td><td>/privileges/add</td> <td>Used to make a mail user an admin. Required POST-body parameters are <code>email</code> and <code>privilege=admin</code>.</td></tr>
-<tr><td>POST</td><td>/privileges/remove</td> <td>Used to remove the admin privilege from a mail user. Required parameter is <code>email</code>.</td></tr>
+<tr><td>POST</td><td>/privileges/remove</td> <td>Used to remove the admin privilege from a mail user. Required POST-body parameter is <code>email</code>.</td></tr>
 </table>
 
 <h4>Examples:</h4>
 
-<p>Try these examples. For simplicity the examples omit the <code>--user me@mydomain.com:yourpassword</code> command line argument which you must fill in with your email address and password.</p>
+<p>Try these examples. For simplicity the examples omit the <code>--user me@mydomain.com:yourpassword</code> command line argument which you must fill in with your administrative email address and password.</p>
 
-<pre># Gives a json encoded list of all mail users
+<pre># Gives a JSON-encoded list of all mail users
 curl -X GET https://{{hostname}}/admin/mail/users?format=json
 
-# adds a new email user
+# Adds a new email user
 curl -X POST -d "email=new_user@mydomail.com" -d "password=s3curE_pa5Sw0rD" https://{{hostname}}/admin/mail/users/add
 
-# removes a email user
+# Removes a email user
 curl -X POST -d "email=new_user@mydomail.com" https://{{hostname}}/admin/mail/users/remove
 
-# adds admin privilege to an email user
+# Adds admin privilege to an email user
 curl -X POST -d "email=new_user@mydomail.com" -d "privilege=admin" https://{{hostname}}/admin/mail/users/privileges/add
 
-# removes admin privilege from an email user
+# Removes admin privilege from an email user
 curl -X POST -d "email=new_user@mydomail.com" https://{{hostname}}/admin/mail/users/privileges/remove
 </pre>
 

security.md

@@ -69,6 +69,16 @@ The [setup guide video](https://mailinabox.email/) explains how to verify the ho
 
 If DNSSEC is enabled at the box's domain name's registrar, the SSHFP record that the box automatically puts into DNS can also be used to verify the host key fingerprint by setting `VerifyHostKeyDNS yes` in your `ssh/.config` file or by logging in with `ssh -o VerifyHostKeyDNS=yes`. ([source](management/dns_update.py))
 
+### Brute-force attack mitigation
+
+`fail2ban` provides some protection from brute-force login attacks (repeated logins that guess account passwords) by blocking offending IP addresses at the network level.
+
+The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), ownCloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel & munin (over HTTP).
+
+Some other services running on the box may be missing fail2ban filters.
+
+`fail2ban` only blocks IPv4 addresses, however. If the box has a public IPv6 address, it is not protected from these attacks.
+
 Outbound Mail
 -------------
 

setup/bootstrap.sh

@@ -7,7 +7,7 @@
 #########################################################
 
 if [ -z "$TAG" ]; then
-	TAG=v0.18c
+	TAG=v0.19
 fi
 
 # Are we running as root?

setup/webmail.sh

@@ -34,8 +34,8 @@ apt-get purge -qq -y roundcube* #NODOC
 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of vacation_sieve to track
 # whether we have the latest version.
-VERSION=1.2.0
+VERSION=1.2.1
-HASH=2088985fb613b4e4e3373933ca44b26fce0489fb
+HASH=81fbfba4683522f6e54006d0300a48e6da3f3bbd
 VACATION_SIEVE_VERSION=91ea6f52216390073d1f5b70b5f6bea0bfaee7e5
 PERSISTENT_LOGIN_VERSION=1e9d724476a370ce917a2fcd5b3217b0c306c24e
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5