mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-12-25 07:47:05 +00:00
Merge branch 'mergeupstream2204'
This commit is contained in:
commit
9a842cbc1d
24
CHANGELOG.md
24
CHANGELOG.md
@ -1,28 +1,34 @@
|
|||||||
CHANGELOG
|
CHANGELOG
|
||||||
=========
|
=========
|
||||||
|
|
||||||
Version 60 (date TBD)
|
Version 60 (October 11, 2022)
|
||||||
---------------------
|
-----------------------------
|
||||||
|
|
||||||
This is the first release for Ubuntu 22.04.
|
This is the first release for Ubuntu 22.04.
|
||||||
|
|
||||||
**Before upgrading**, you must **first upgrade your existing Ubuntu 18.04 box to Mail-in-a-Box v0.51** (or any later version of Mail-in-a-Box supporting Ubuntu 18.04), if you haven't already done so. That may not be possible after Ubuntu 18.04 reaches its end of life in April 2023, so please compete the upgrade well before then. (If you are not using Nextcloud's contacts or calendar, you can migrate to the latest version of Mail-in-a-Box from any previous version.)
|
**Before upgrading**, you must **first upgrade your existing Ubuntu 18.04 box to Mail-in-a-Box v0.51 or later**, if you haven't already done so. That may not be possible after Ubuntu 18.04 reaches its end of life in April 2023, so please complete the upgrade well before then. (If you are not using Nextcloud's contacts or calendar, you can migrate to the latest version of Mail-in-a-Box from any previous version.)
|
||||||
|
|
||||||
For complete upgrade instructions, see:
|
For complete upgrade instructions, see:
|
||||||
|
|
||||||
LINK TBD
|
https://discourse.mailinabox.email/t/version-60-for-ubuntu-22-04-is-about-to-be-released/9558
|
||||||
|
|
||||||
No features of Mail-in-a-Box have changed in this release, but with the newer version of Ubuntu the following software packages we use are updated:
|
No major features of Mail-in-a-Box have changed in this release, although some minor fixes were made.
|
||||||
|
|
||||||
* dovecot is upgraded to 2.3.16, postfix to 3.6.3, opendmark to 1.4 (which adds ARC-Authentication-Results headers), and spampd to 2.53 (alleviating a mail delivery rate limiting bug).
|
With the newer version of Ubuntu the following software packages we use are updated:
|
||||||
* Nextcloud is upgraded to 23.0.0 with PHP updated from 7.2 to 8.0.
|
|
||||||
|
* dovecot is upgraded to 2.3.16, postfix to 3.6.4, opendmark to 1.4 (which adds ARC-Authentication-Results headers), and spampd to 2.53 (alleviating a mail delivery rate limiting bug).
|
||||||
|
* Nextcloud is upgraded to 24.0.0
|
||||||
|
* Roundcube is upgraded to 1.6.0.
|
||||||
* certbot is upgraded to 1.21 (via the Ubuntu repository instead of a PPA).
|
* certbot is upgraded to 1.21 (via the Ubuntu repository instead of a PPA).
|
||||||
* fail2ban is upgraded to 0.11.2.
|
* fail2ban is upgraded to 0.11.2.
|
||||||
* nginx is upgraded to 1.18.
|
* nginx is upgraded to 1.18.
|
||||||
|
* PHP is upgraded from 7.2 to 8.1.
|
||||||
* bind9 is replaced with unbound
|
* bind9 is replaced with unbound
|
||||||
|
|
||||||
In Development
|
Also:
|
||||||
--------------
|
|
||||||
|
* Roundcube's login session cookie was tightened. Existing sessions may require a manual logout.
|
||||||
|
* Moved Postgrey's database under $STORAGE_ROOT.
|
||||||
|
|
||||||
Version 57a (June 19, 2022)
|
Version 57a (June 19, 2022)
|
||||||
---------------------------
|
---------------------------
|
||||||
|
@ -84,7 +84,7 @@ Additionally, this project has a [Code of Conduct](CODE_OF_CONDUCT.md), which su
|
|||||||
In The Box
|
In The Box
|
||||||
----------
|
----------
|
||||||
|
|
||||||
Mail-in-a-Box turns a fresh Ubuntu 22.04 or 20.04 LTS 64-bit machine into a working mail server by installing and configuring various components.
|
Mail-in-a-Box turns a fresh Ubuntu 22.04 LTS 64-bit machine into a working mail server by installing and configuring various components.
|
||||||
|
|
||||||
It is a one-click email appliance. There are no user-configurable setup options. It "just works."
|
It is a one-click email appliance. There are no user-configurable setup options. It "just works."
|
||||||
|
|
||||||
|
@ -4,6 +4,7 @@ After=multi-user.target
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=idle
|
Type=idle
|
||||||
|
IgnoreSIGPIPE=False
|
||||||
ExecStart=/usr/local/lib/mailinabox/start
|
ExecStart=/usr/local/lib/mailinabox/start
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
@ -1,15 +0,0 @@
|
|||||||
# Install required packages
|
|
||||||
apt-get build-dep dovecot-core
|
|
||||||
apt-get install dovecot-dev libxapian-dev git libxapian30 libicu-dev
|
|
||||||
|
|
||||||
# Clone the project
|
|
||||||
git clone https://github.com/grosjo/fts-xapian
|
|
||||||
cd fts-xapian
|
|
||||||
|
|
||||||
# Compile (don't install)
|
|
||||||
autoreconf -vi
|
|
||||||
./configure --with-dovecot=/usr/lib/dovecot
|
|
||||||
make
|
|
||||||
|
|
||||||
# install library found under src/.libs
|
|
||||||
cp src/.libs/lib21_fts_xapian_plugin.so /usr/lib/dovecot/modules
|
|
Binary file not shown.
@ -22,20 +22,8 @@ class AuthService:
|
|||||||
def init_system_api_key(self):
|
def init_system_api_key(self):
|
||||||
"""Write an API key to a local file so local processes can use the API"""
|
"""Write an API key to a local file so local processes can use the API"""
|
||||||
|
|
||||||
def create_file_with_mode(path, mode):
|
with open(self.key_path, 'r') as file:
|
||||||
# Based on answer by A-B-B: http://stackoverflow.com/a/15015748
|
self.key = file.read()
|
||||||
old_umask = os.umask(0)
|
|
||||||
try:
|
|
||||||
return os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, mode), 'w')
|
|
||||||
finally:
|
|
||||||
os.umask(old_umask)
|
|
||||||
|
|
||||||
self.key = secrets.token_hex(32)
|
|
||||||
|
|
||||||
os.makedirs(os.path.dirname(self.key_path), exist_ok=True)
|
|
||||||
|
|
||||||
with create_file_with_mode(self.key_path, 0o640) as key_file:
|
|
||||||
key_file.write(self.key + '\n')
|
|
||||||
|
|
||||||
def authenticate(self, request, env, login_only=False, logout=False):
|
def authenticate(self, request, env, login_only=False, logout=False):
|
||||||
"""Test if the HTTP Authorization header's username matches the system key, a session key,
|
"""Test if the HTTP Authorization header's username matches the system key, a session key,
|
||||||
|
@ -15,7 +15,7 @@ import dateutil.parser, dateutil.relativedelta, dateutil.tz
|
|||||||
import rtyaml
|
import rtyaml
|
||||||
from exclusiveprocess import Lock
|
from exclusiveprocess import Lock
|
||||||
|
|
||||||
from utils import load_environment, shell, wait_for_service, fix_boto, get_php_version
|
from utils import load_environment, shell, wait_for_service, get_php_version
|
||||||
|
|
||||||
def backup_status(env):
|
def backup_status(env):
|
||||||
# If backups are disabled, return no status.
|
# If backups are disabled, return no status.
|
||||||
@ -200,12 +200,7 @@ def get_duplicity_target_url(config):
|
|||||||
from urllib.parse import urlsplit, urlunsplit
|
from urllib.parse import urlsplit, urlunsplit
|
||||||
target = list(urlsplit(target))
|
target = list(urlsplit(target))
|
||||||
|
|
||||||
# Duplicity now defaults to boto3 as the backend for S3, but we have
|
# Although we store the S3 hostname in the target URL,
|
||||||
# legacy boto installed (boto3 doesn't support Ubuntu 18.04) so
|
|
||||||
# we retarget for classic boto.
|
|
||||||
target[0] = "boto+" + target[0]
|
|
||||||
|
|
||||||
# In addition, although we store the S3 hostname in the target URL,
|
|
||||||
# duplicity no longer accepts it in the target URL. The hostname in
|
# duplicity no longer accepts it in the target URL. The hostname in
|
||||||
# the target URL must be the bucket name. The hostname is passed
|
# the target URL must be the bucket name. The hostname is passed
|
||||||
# via get_duplicity_additional_args. Move the first part of the
|
# via get_duplicity_additional_args. Move the first part of the
|
||||||
@ -290,6 +285,7 @@ def perform_backup(full_backup):
|
|||||||
service_command(php_fpm, "stop", quit=True)
|
service_command(php_fpm, "stop", quit=True)
|
||||||
service_command("postfix", "stop", quit=True)
|
service_command("postfix", "stop", quit=True)
|
||||||
service_command("dovecot", "stop", quit=True)
|
service_command("dovecot", "stop", quit=True)
|
||||||
|
service_command("postgrey", "stop", quit=True)
|
||||||
|
|
||||||
# Execute a pre-backup script that copies files outside the homedir.
|
# Execute a pre-backup script that copies files outside the homedir.
|
||||||
# Run as the STORAGE_USER user, not as root. Pass our settings in
|
# Run as the STORAGE_USER user, not as root. Pass our settings in
|
||||||
@ -319,6 +315,7 @@ def perform_backup(full_backup):
|
|||||||
get_duplicity_env_vars(env))
|
get_duplicity_env_vars(env))
|
||||||
finally:
|
finally:
|
||||||
# Start services again.
|
# Start services again.
|
||||||
|
service_command("postgrey", "start", quit=False)
|
||||||
service_command("dovecot", "start", quit=False)
|
service_command("dovecot", "start", quit=False)
|
||||||
service_command("postfix", "start", quit=False)
|
service_command("postfix", "start", quit=False)
|
||||||
service_command(php_fpm, "start", quit=False)
|
service_command(php_fpm, "start", quit=False)
|
||||||
@ -456,26 +453,13 @@ def list_target_files(config):
|
|||||||
raise ValueError("Connection to rsync host failed: {}".format(reason))
|
raise ValueError("Connection to rsync host failed: {}".format(reason))
|
||||||
|
|
||||||
elif target.scheme == "s3":
|
elif target.scheme == "s3":
|
||||||
# match to a Region
|
import boto3.s3
|
||||||
fix_boto() # must call prior to importing boto
|
from botocore.exceptions import ClientError
|
||||||
import boto.s3
|
|
||||||
from boto.exception import BotoServerError
|
|
||||||
custom_region = False
|
|
||||||
for region in boto.s3.regions():
|
|
||||||
if region.endpoint == target.hostname:
|
|
||||||
break
|
|
||||||
else:
|
|
||||||
# If region is not found this is a custom region
|
|
||||||
custom_region = True
|
|
||||||
|
|
||||||
|
# separate bucket from path in target
|
||||||
bucket = target.path[1:].split('/')[0]
|
bucket = target.path[1:].split('/')[0]
|
||||||
path = '/'.join(target.path[1:].split('/')[1:]) + '/'
|
path = '/'.join(target.path[1:].split('/')[1:]) + '/'
|
||||||
|
|
||||||
# Create a custom region with custom endpoint
|
|
||||||
if custom_region:
|
|
||||||
from boto.s3.connection import S3Connection
|
|
||||||
region = boto.s3.S3RegionInfo(name=bucket, endpoint=target.hostname, connection_cls=S3Connection)
|
|
||||||
|
|
||||||
# If no prefix is specified, set the path to '', otherwise boto won't list the files
|
# If no prefix is specified, set the path to '', otherwise boto won't list the files
|
||||||
if path == '/':
|
if path == '/':
|
||||||
path = ''
|
path = ''
|
||||||
@ -485,18 +469,15 @@ def list_target_files(config):
|
|||||||
|
|
||||||
# connect to the region & bucket
|
# connect to the region & bucket
|
||||||
try:
|
try:
|
||||||
conn = region.connect(aws_access_key_id=config["target_user"], aws_secret_access_key=config["target_pass"])
|
s3 = boto3.client('s3', \
|
||||||
bucket = conn.get_bucket(bucket)
|
endpoint_url=f'https://{target.hostname}', \
|
||||||
except BotoServerError as e:
|
aws_access_key_id=config['target_user'], \
|
||||||
if e.status == 403:
|
aws_secret_access_key=config['target_pass'])
|
||||||
raise ValueError("Invalid S3 access key or secret access key.")
|
bucket_objects = s3.list_objects_v2(Bucket=bucket, Prefix=path)['Contents']
|
||||||
elif e.status == 404:
|
backup_list = [(key['Key'][len(path):], key['Size']) for key in bucket_objects]
|
||||||
raise ValueError("Invalid S3 bucket name.")
|
except ClientError as e:
|
||||||
elif e.status == 301:
|
raise ValueError(e)
|
||||||
raise ValueError("Incorrect region for this bucket.")
|
return backup_list
|
||||||
raise ValueError(e.reason)
|
|
||||||
|
|
||||||
return [(key.name[len(path):], key.size) for key in bucket.list(prefix=path)]
|
|
||||||
elif target.scheme == 'b2':
|
elif target.scheme == 'b2':
|
||||||
from b2sdk.v1 import InMemoryAccountInfo, B2Api
|
from b2sdk.v1 import InMemoryAccountInfo, B2Api
|
||||||
from b2sdk.v1.exception import NonExistentBucket
|
from b2sdk.v1.exception import NonExistentBucket
|
||||||
@ -634,4 +615,3 @@ if __name__ == "__main__":
|
|||||||
# possibly performing an incremental backup.
|
# possibly performing an incremental backup.
|
||||||
full_backup = "--full" in sys.argv
|
full_backup = "--full" in sys.argv
|
||||||
perform_backup(full_backup)
|
perform_backup(full_backup)
|
||||||
|
|
||||||
|
@ -122,9 +122,9 @@ def index():
|
|||||||
no_users_exist = (len(get_mail_users(env)) == 0)
|
no_users_exist = (len(get_mail_users(env)) == 0)
|
||||||
no_admins_exist = (len(get_admins(env)) == 0)
|
no_admins_exist = (len(get_admins(env)) == 0)
|
||||||
|
|
||||||
utils.fix_boto() # must call prior to importing boto
|
import boto3.s3
|
||||||
import boto.s3
|
backup_s3_hosts = [(r, f"s3.{r}.amazonaws.com") for r in boto3.session.Session().get_available_regions('s3')]
|
||||||
backup_s3_hosts = [(r.name, r.endpoint) for r in boto.s3.regions()]
|
|
||||||
|
|
||||||
return render_template('index.html',
|
return render_template('index.html',
|
||||||
hostname=env['PRIMARY_HOSTNAME'],
|
hostname=env['PRIMARY_HOSTNAME'],
|
||||||
@ -573,6 +573,8 @@ def system_status():
|
|||||||
# Create a temporary pool of processes for the status checks
|
# Create a temporary pool of processes for the status checks
|
||||||
with multiprocessing.pool.Pool(processes=5) as pool:
|
with multiprocessing.pool.Pool(processes=5) as pool:
|
||||||
run_checks(False, env, output, pool)
|
run_checks(False, env, output, pool)
|
||||||
|
pool.close()
|
||||||
|
pool.join()
|
||||||
return json_response(output.items)
|
return json_response(output.items)
|
||||||
|
|
||||||
@app.route('/system/updates')
|
@app.route('/system/updates')
|
||||||
|
@ -102,9 +102,9 @@ def do_dns_update(env, force=False):
|
|||||||
if len(updated_domains) == 0:
|
if len(updated_domains) == 0:
|
||||||
updated_domains.append("DNS configuration")
|
updated_domains.append("DNS configuration")
|
||||||
|
|
||||||
# Kick nsd if anything changed.
|
# Tell nsd to reload changed zone files.
|
||||||
if len(updated_domains) > 0:
|
if len(updated_domains) > 0:
|
||||||
shell('check_call', ["/usr/sbin/service", "nsd", "restart"])
|
shell('check_call', ["/usr/sbin/nsd-control", "reload"])
|
||||||
|
|
||||||
# Write the DKIM configuration tables for all of the mail domains.
|
# Write the DKIM configuration tables for all of the mail domains.
|
||||||
from mailconfig import get_mail_domains
|
from mailconfig import get_mail_domains
|
||||||
@ -325,7 +325,7 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
|
|||||||
# Append a DMARC record.
|
# Append a DMARC record.
|
||||||
# Skip if the user has set a DMARC record already.
|
# Skip if the user has set a DMARC record already.
|
||||||
if not has_rec("_dmarc", "TXT", prefix="v=DMARC1; "):
|
if not has_rec("_dmarc", "TXT", prefix="v=DMARC1; "):
|
||||||
records.append(("_dmarc", "TXT", 'v=DMARC1; p=quarantine', "Recommended. Specifies that mail that does not originate from the box but claims to be from @%s or which does not have a valid DKIM signature is suspect and should be quarantined by the recipient's mail system." % domain))
|
records.append(("_dmarc", "TXT", 'v=DMARC1; p=quarantine;', "Recommended. Specifies that mail that does not originate from the box but claims to be from @%s or which does not have a valid DKIM signature is suspect and should be quarantined by the recipient's mail system." % domain))
|
||||||
|
|
||||||
if domain_properties[domain]["user"]:
|
if domain_properties[domain]["user"]:
|
||||||
# Add CardDAV/CalDAV SRV records on the non-primary hostname that points to the primary hostname
|
# Add CardDAV/CalDAV SRV records on the non-primary hostname that points to the primary hostname
|
||||||
@ -390,7 +390,7 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
|
|||||||
if not has_rec(qname, "TXT", prefix="v=spf1 "):
|
if not has_rec(qname, "TXT", prefix="v=spf1 "):
|
||||||
records.append((qname, "TXT", 'v=spf1 -all', "Recommended. Prevents use of this domain name for outbound mail by specifying that no servers are valid sources for mail from @%s. If you do send email from this domain name you should either override this record such that the SPF rule does allow the originating server, or, take the recommended approach and have the box handle mail for this domain (simply add any receiving alias at this domain name to make this machine treat the domain name as one of its mail domains)." % d))
|
records.append((qname, "TXT", 'v=spf1 -all', "Recommended. Prevents use of this domain name for outbound mail by specifying that no servers are valid sources for mail from @%s. If you do send email from this domain name you should either override this record such that the SPF rule does allow the originating server, or, take the recommended approach and have the box handle mail for this domain (simply add any receiving alias at this domain name to make this machine treat the domain name as one of its mail domains)." % d))
|
||||||
if not has_rec("_dmarc" + ("."+qname if qname else ""), "TXT", prefix="v=DMARC1; "):
|
if not has_rec("_dmarc" + ("."+qname if qname else ""), "TXT", prefix="v=DMARC1; "):
|
||||||
records.append(("_dmarc" + ("."+qname if qname else ""), "TXT", 'v=DMARC1; p=reject', "Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @%s." % d))
|
records.append(("_dmarc" + ("."+qname if qname else ""), "TXT", 'v=DMARC1; p=reject;', "Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @%s." % d))
|
||||||
|
|
||||||
# And with a null MX record (https://explained-from-first-principles.com/email/#null-mx-record)
|
# And with a null MX record (https://explained-from-first-principles.com/email/#null-mx-record)
|
||||||
if not has_rec(qname, "MX"):
|
if not has_rec(qname, "MX"):
|
||||||
|
@ -58,36 +58,33 @@ def get_ssl_certificates(env):
|
|||||||
# Not a valid PEM format for a PEM type we care about.
|
# Not a valid PEM format for a PEM type we care about.
|
||||||
continue
|
continue
|
||||||
|
|
||||||
# Remember where we got this object.
|
|
||||||
pem._filename = fn
|
|
||||||
|
|
||||||
# Is it a private key?
|
# Is it a private key?
|
||||||
if isinstance(pem, RSAPrivateKey):
|
if isinstance(pem, RSAPrivateKey):
|
||||||
private_keys[pem.public_key().public_numbers()] = pem
|
private_keys[pem.public_key().public_numbers()] = { "filename": fn, "key": pem }
|
||||||
|
|
||||||
# Is it a certificate?
|
# Is it a certificate?
|
||||||
if isinstance(pem, Certificate):
|
if isinstance(pem, Certificate):
|
||||||
certificates.append(pem)
|
certificates.append({ "filename": fn, "cert": pem })
|
||||||
|
|
||||||
# Process the certificates.
|
# Process the certificates.
|
||||||
domains = { }
|
domains = { }
|
||||||
for cert in certificates:
|
for cert in certificates:
|
||||||
# What domains is this certificate good for?
|
# What domains is this certificate good for?
|
||||||
cert_domains, primary_domain = get_certificate_domains(cert)
|
cert_domains, primary_domain = get_certificate_domains(cert["cert"])
|
||||||
cert._primary_domain = primary_domain
|
cert["primary_domain"] = primary_domain
|
||||||
|
|
||||||
# Is there a private key file for this certificate?
|
# Is there a private key file for this certificate?
|
||||||
private_key = private_keys.get(cert.public_key().public_numbers())
|
private_key = private_keys.get(cert["cert"].public_key().public_numbers())
|
||||||
if not private_key:
|
if not private_key:
|
||||||
continue
|
continue
|
||||||
cert._private_key = private_key
|
cert["private_key"] = private_key
|
||||||
|
|
||||||
# Add this cert to the list of certs usable for the domains.
|
# Add this cert to the list of certs usable for the domains.
|
||||||
for domain in cert_domains:
|
for domain in cert_domains:
|
||||||
# The primary hostname can only use a certificate mapped
|
# The primary hostname can only use a certificate mapped
|
||||||
# to the system private key.
|
# to the system private key.
|
||||||
if domain == env['PRIMARY_HOSTNAME']:
|
if domain == env['PRIMARY_HOSTNAME']:
|
||||||
if cert._private_key._filename != os.path.join(env['STORAGE_ROOT'], 'ssl', 'ssl_private_key.pem'):
|
if cert["private_key"]["filename"] != os.path.join(env['STORAGE_ROOT'], 'ssl', 'ssl_private_key.pem'):
|
||||||
continue
|
continue
|
||||||
|
|
||||||
domains.setdefault(domain, []).append(cert)
|
domains.setdefault(domain, []).append(cert)
|
||||||
@ -100,10 +97,10 @@ def get_ssl_certificates(env):
|
|||||||
#for c in cert_list: print(domain, c.not_valid_before, c.not_valid_after, "("+str(now)+")", c.issuer, c.subject, c._filename)
|
#for c in cert_list: print(domain, c.not_valid_before, c.not_valid_after, "("+str(now)+")", c.issuer, c.subject, c._filename)
|
||||||
cert_list.sort(key = lambda cert : (
|
cert_list.sort(key = lambda cert : (
|
||||||
# must be valid NOW
|
# must be valid NOW
|
||||||
cert.not_valid_before <= now <= cert.not_valid_after,
|
cert["cert"].not_valid_before <= now <= cert["cert"].not_valid_after,
|
||||||
|
|
||||||
# prefer one that is not self-signed
|
# prefer one that is not self-signed
|
||||||
cert.issuer != cert.subject,
|
cert["cert"].issuer != cert["cert"].subject,
|
||||||
|
|
||||||
###########################################################
|
###########################################################
|
||||||
# The above lines ensure that valid certificates are chosen
|
# The above lines ensure that valid certificates are chosen
|
||||||
@ -113,7 +110,7 @@ def get_ssl_certificates(env):
|
|||||||
|
|
||||||
# prefer one with the expiration furthest into the future so
|
# prefer one with the expiration furthest into the future so
|
||||||
# that we can easily rotate to new certs as we get them
|
# that we can easily rotate to new certs as we get them
|
||||||
cert.not_valid_after,
|
cert["cert"].not_valid_after,
|
||||||
|
|
||||||
###########################################################
|
###########################################################
|
||||||
# We always choose the certificate that is good for the
|
# We always choose the certificate that is good for the
|
||||||
@ -128,15 +125,15 @@ def get_ssl_certificates(env):
|
|||||||
|
|
||||||
# in case a certificate is installed in multiple paths,
|
# in case a certificate is installed in multiple paths,
|
||||||
# prefer the... lexicographically last one?
|
# prefer the... lexicographically last one?
|
||||||
cert._filename,
|
cert["filename"],
|
||||||
|
|
||||||
), reverse=True)
|
), reverse=True)
|
||||||
cert = cert_list.pop(0)
|
cert = cert_list.pop(0)
|
||||||
ret[domain] = {
|
ret[domain] = {
|
||||||
"private-key": cert._private_key._filename,
|
"private-key": cert["private_key"]["filename"],
|
||||||
"certificate": cert._filename,
|
"certificate": cert["filename"],
|
||||||
"primary-domain": cert._primary_domain,
|
"primary-domain": cert["primary_domain"],
|
||||||
"certificate_object": cert,
|
"certificate_object": cert["cert"],
|
||||||
}
|
}
|
||||||
|
|
||||||
return ret
|
return ret
|
||||||
|
@ -338,9 +338,9 @@ def run_domain_checks(rounded_time, env, output, pool, domains_to_check=None):
|
|||||||
domains_to_check = [
|
domains_to_check = [
|
||||||
d for d in domains_to_check
|
d for d in domains_to_check
|
||||||
if not (
|
if not (
|
||||||
d.split(".", 1)[0] in ("www", "autoconfig", "autodiscover", "mta-sts")
|
d.split(".", 1)[0] in ("www", "autoconfig", "autodiscover", "mta-sts")
|
||||||
and len(d.split(".", 1)) == 2
|
and len(d.split(".", 1)) == 2
|
||||||
and d.split(".", 1)[1] in domains_to_check
|
and d.split(".", 1)[1] in domains_to_check
|
||||||
)
|
)
|
||||||
]
|
]
|
||||||
|
|
||||||
@ -810,8 +810,8 @@ def query_dns(qname, rtype, nxdomain='[Not Set]', at=None, as_list=False, retry=
|
|||||||
# Make sure at is not a string that cannot be used as a nameserver
|
# Make sure at is not a string that cannot be used as a nameserver
|
||||||
if at:
|
if at:
|
||||||
if at not in {'[Not set]', '[timeout]'}:
|
if at not in {'[Not set]', '[timeout]'}:
|
||||||
resolver = dns.resolver.Resolver()
|
resolver = dns.resolver.Resolver()
|
||||||
resolver.nameservers = [at]
|
resolver.nameservers = [at]
|
||||||
else:
|
else:
|
||||||
logging.error("at not set to a usable nameserver, %s", at)
|
logging.error("at not set to a usable nameserver, %s", at)
|
||||||
|
|
||||||
@ -941,13 +941,13 @@ def what_version_is_this(env):
|
|||||||
def get_latest_miab_version():
|
def get_latest_miab_version():
|
||||||
# This pings https://mailinabox.email/setup.sh and extracts the tag named in
|
# This pings https://mailinabox.email/setup.sh and extracts the tag named in
|
||||||
# the script to determine the current product version.
|
# the script to determine the current product version.
|
||||||
from urllib.request import urlopen, HTTPError, URLError
|
from urllib.request import urlopen, HTTPError, URLError
|
||||||
from socket import timeout
|
from socket import timeout
|
||||||
|
|
||||||
try:
|
try:
|
||||||
return re.search(b'TAG=(.*)', urlopen("https://mailinabox.email/setup.sh?ping=1", timeout=5).read()).group(1).decode("utf8")
|
return re.search(b'TAG=(.*)', urlopen("https://mailinabox.email/setup.sh?ping=1", timeout=5).read()).group(1).decode("utf8")
|
||||||
except (HTTPError, URLError, timeout):
|
except (HTTPError, URLError, timeout):
|
||||||
return None
|
return None
|
||||||
|
|
||||||
def check_miab_version(env, output):
|
def check_miab_version(env, output):
|
||||||
config = load_settings(env)
|
config = load_settings(env)
|
||||||
|
@ -269,6 +269,7 @@ function show_custom_backup() {
|
|||||||
$("#backup-target-type").val("s3");
|
$("#backup-target-type").val("s3");
|
||||||
var hostpath = r.target.substring(5).split('/');
|
var hostpath = r.target.substring(5).split('/');
|
||||||
var host = hostpath.shift();
|
var host = hostpath.shift();
|
||||||
|
$("#backup-target-s3-host-select").val(host);
|
||||||
$("#backup-target-s3-host").val(host);
|
$("#backup-target-s3-host").val(host);
|
||||||
$("#backup-target-s3-path").val(hostpath.join('/'));
|
$("#backup-target-s3-path").val(hostpath.join('/'));
|
||||||
} else if (r.target.substring(0, 5) == "b2://") {
|
} else if (r.target.substring(0, 5) == "b2://") {
|
||||||
|
@ -177,13 +177,6 @@ def wait_for_service(port, public, env, timeout):
|
|||||||
return False
|
return False
|
||||||
time.sleep(min(timeout/4, 1))
|
time.sleep(min(timeout/4, 1))
|
||||||
|
|
||||||
def fix_boto():
|
|
||||||
# Google Compute Engine instances install some Python-2-only boto plugins that
|
|
||||||
# conflict with boto running under Python 3. Disable boto's default configuration
|
|
||||||
# file prior to importing boto so that GCE's plugin is not loaded:
|
|
||||||
import os
|
|
||||||
os.environ["BOTO_CONFIG"] = "/etc/boto3.cfg"
|
|
||||||
|
|
||||||
def get_php_version():
|
def get_php_version():
|
||||||
# Gets the version of PHP installed in the system.
|
# Gets the version of PHP installed in the system.
|
||||||
return shell("check_output", ["/usr/bin/php", "-v"])[4:7]
|
return shell("check_output", ["/usr/bin/php", "-v"])[4:7]
|
||||||
|
11
management/wsgi.py
Normal file
11
management/wsgi.py
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
from daemon import app
|
||||||
|
import auth, utils, logging
|
||||||
|
|
||||||
|
app.logger.addHandler(utils.create_syslog_handler())
|
||||||
|
|
||||||
|
logging_level = logging.DEBUG
|
||||||
|
logging.basicConfig(level=logging_level, format='MiaB %(levelname)s:%(module)s.%(funcName)s %(message)s')
|
||||||
|
logging.info('Logging level set to %s', logging.getLevelName(logging_level))
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
app.run(port=10222)
|
@ -26,15 +26,11 @@ if [ -z "$TAG" ]; then
|
|||||||
# This machine is running Ubuntu 22.04, which is supported by
|
# This machine is running Ubuntu 22.04, which is supported by
|
||||||
# Mail-in-a-Box versions 60 and later.
|
# Mail-in-a-Box versions 60 and later.
|
||||||
TAG=v60
|
TAG=v60
|
||||||
elif [ "$UBUNTU_VERSION" == "Ubuntu 20.04 LTS" ]; then
|
|
||||||
# This machine is running Ubuntu 20.04, which is supported by
|
|
||||||
# Mail-in-a-Box versions 56 and later.
|
|
||||||
TAG=v57a
|
|
||||||
elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then
|
elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then
|
||||||
# This machine is running Ubuntu 18.04, which is supported by
|
# This machine is running Ubuntu 18.04, which is supported by
|
||||||
# Mail-in-a-Box versions 0.40 through 5x.
|
# Mail-in-a-Box versions 0.40 through 5x.
|
||||||
echo "Support is ending for Ubuntu 18.04."
|
echo "Support is ending for Ubuntu 18.04."
|
||||||
echo "Please immediately begin to migrate your information to"
|
echo "Please immediately begin to migrate your data to"
|
||||||
echo "a new machine running Ubuntu 22.04. See:"
|
echo "a new machine running Ubuntu 22.04. See:"
|
||||||
echo "https://mailinabox.email/maintenance.html#upgrade"
|
echo "https://mailinabox.email/maintenance.html#upgrade"
|
||||||
TAG=v57a
|
TAG=v57a
|
||||||
@ -46,7 +42,7 @@ if [ -z "$TAG" ]; then
|
|||||||
echo "The last version of Mail-in-a-Box supporting Ubuntu 14.04 will be installed."
|
echo "The last version of Mail-in-a-Box supporting Ubuntu 14.04 will be installed."
|
||||||
TAG=v0.30
|
TAG=v0.30
|
||||||
else
|
else
|
||||||
echo "This script may be used only on a machine running Ubuntu 14.04, 18.04, 20.04 or 22.04."
|
echo "This script may be used only on a machine running Ubuntu 14.04, 18.04, or 22.04."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
11
setup/dns.sh
11
setup/dns.sh
@ -10,8 +10,6 @@
|
|||||||
source setup/functions.sh # load our functions
|
source setup/functions.sh # load our functions
|
||||||
source /etc/mailinabox.conf # load global vars
|
source /etc/mailinabox.conf # load global vars
|
||||||
|
|
||||||
echo "Installing nsd (DNS server)..."
|
|
||||||
|
|
||||||
# Prepare nsd's configuration.
|
# Prepare nsd's configuration.
|
||||||
# We configure nsd before installation as we only want it to bind to some addresses
|
# We configure nsd before installation as we only want it to bind to some addresses
|
||||||
# and it otherwise will have port / bind conflicts with unbound used as the local resolver
|
# and it otherwise will have port / bind conflicts with unbound used as the local resolver
|
||||||
@ -68,19 +66,12 @@ cat > /etc/logrotate.d/nsd <<EOF;
|
|||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Add systemd override file to fix some permissions
|
|
||||||
mkdir -p /etc/systemd/system/nsd.service.d/
|
|
||||||
cat > /etc/systemd/system/nsd.service.d/nsd-permissions.conf << EOF
|
|
||||||
[Service]
|
|
||||||
ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
|
|
||||||
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_NET_ADMIN
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Install the packages.
|
# Install the packages.
|
||||||
#
|
#
|
||||||
# * nsd: The non-recursive nameserver that publishes our DNS records.
|
# * nsd: The non-recursive nameserver that publishes our DNS records.
|
||||||
# * ldnsutils: Helper utilities for signing DNSSEC zones.
|
# * ldnsutils: Helper utilities for signing DNSSEC zones.
|
||||||
# * openssh-client: Provides ssh-keyscan which we use to create SSHFP records.
|
# * openssh-client: Provides ssh-keyscan which we use to create SSHFP records.
|
||||||
|
echo "Installing nsd (DNS server)..."
|
||||||
apt_install nsd ldnsutils openssh-client
|
apt_install nsd ldnsutils openssh-client
|
||||||
|
|
||||||
# Create DNSSEC signing keys.
|
# Create DNSSEC signing keys.
|
||||||
|
@ -35,8 +35,6 @@ if [ ! -f /usr/lib/dovecot/decode2text.sh ]; then
|
|||||||
cp -f /usr/share/doc/dovecot-core/examples/decode2text.sh /usr/lib/dovecot
|
cp -f /usr/share/doc/dovecot-core/examples/decode2text.sh /usr/lib/dovecot
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#cp -f lib/lib21_fts_xapian_plugin.so /usr/lib/dovecot/modules/
|
|
||||||
|
|
||||||
# Create configuration file
|
# Create configuration file
|
||||||
cat > /etc/dovecot/conf.d/90-plugin-fts.conf << EOF;
|
cat > /etc/dovecot/conf.d/90-plugin-fts.conf << EOF;
|
||||||
plugin {
|
plugin {
|
||||||
|
@ -4,6 +4,8 @@
|
|||||||
# -o pipefail: don't ignore errors in the non-last command in a pipeline
|
# -o pipefail: don't ignore errors in the non-last command in a pipeline
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
|
PHP_VER=php_version
|
||||||
|
|
||||||
function hide_output {
|
function hide_output {
|
||||||
# This function hides the output of a command unless the command fails
|
# This function hides the output of a command unless the command fails
|
||||||
# and returns a non-zero exit code.
|
# and returns a non-zero exit code.
|
||||||
|
@ -245,12 +245,33 @@ tools/editconf.py /etc/postfix/main.cf \
|
|||||||
# As a matter of fact RFC is not strict about retry timer so postfix and
|
# As a matter of fact RFC is not strict about retry timer so postfix and
|
||||||
# other MTA have their own intervals. To fix the problem of receiving
|
# other MTA have their own intervals. To fix the problem of receiving
|
||||||
# e-mails really later, delay of greylisting has been set to
|
# e-mails really later, delay of greylisting has been set to
|
||||||
# 180 seconds (default is 300 seconds).
|
# 180 seconds (default is 300 seconds). We will move the postgrey database
|
||||||
|
# under $STORAGE_ROOT. This prevents a "warming up" that would have occured
|
||||||
|
# previously with a migrated or reinstalled OS. We will specify this new path
|
||||||
|
# with the --dbdir=... option. Arguments within POSTGREY_OPTS can not have spaces,
|
||||||
|
# including dbdir. This is due to the way the init script sources the
|
||||||
|
# /etc/default/postgrey file. --dbdir=... either needs to be a path without spaces
|
||||||
|
# (luckily $STORAGE_ROOT does not currently work with spaces), or it needs to be a
|
||||||
|
# symlink without spaces that can point to a folder with spaces). We'll just assume
|
||||||
|
# $STORAGE_ROOT won't have spaces to simplify things.
|
||||||
# Postgrey removes entries after 185 days of not being used.
|
# Postgrey removes entries after 185 days of not being used.
|
||||||
tools/editconf.py /etc/default/postgrey \
|
tools/editconf.py /etc/default/postgrey \
|
||||||
POSTGREY_OPTS=\"'--inet=127.0.0.1:10023 --delay=180 --max-age=185'\"
|
POSTGREY_OPTS=\""--inet=127.0.0.1:10023 --delay=180 --max-age=185 --dbdir=$STORAGE_ROOT/mail/postgrey/db"\"
|
||||||
|
|
||||||
|
|
||||||
|
# If the $STORAGE_ROOT/mail/postgrey is empty, copy the postgrey database over from the old location
|
||||||
|
if [ ! -d $STORAGE_ROOT/mail/postgrey/db ]; then
|
||||||
|
# Stop the service
|
||||||
|
service postgrey stop
|
||||||
|
# Ensure the new paths for postgrey db exists
|
||||||
|
mkdir -p $STORAGE_ROOT/mail/postgrey/db
|
||||||
|
# Move over database files
|
||||||
|
mv /var/lib/postgrey/* $STORAGE_ROOT/mail/postgrey/db/ || true
|
||||||
|
fi
|
||||||
|
# Ensure permissions are set
|
||||||
|
chown -R postgrey:postgrey $STORAGE_ROOT/mail/postgrey/
|
||||||
|
chmod 700 $STORAGE_ROOT/mail/postgrey/{,db}
|
||||||
|
|
||||||
# We are going to setup a newer whitelist for postgrey, the version included in the distribution is old
|
# We are going to setup a newer whitelist for postgrey, the version included in the distribution is old
|
||||||
cat > /etc/cron.daily/mailinabox-postgrey-whitelist << EOF;
|
cat > /etc/cron.daily/mailinabox-postgrey-whitelist << EOF;
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
@ -1,23 +1,12 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
source setup/functions.sh
|
source setup/functions.sh
|
||||||
|
source /etc/mailinabox.conf # load global vars
|
||||||
|
|
||||||
echo "Installing Mail-in-a-Box system management daemon..."
|
echo "Installing Mail-in-a-Box system management daemon..."
|
||||||
|
|
||||||
# DEPENDENCIES
|
# DEPENDENCIES
|
||||||
|
|
||||||
# We used to install management daemon-related Python packages
|
|
||||||
# directly to /usr/local/lib. We moved to a virtualenv because
|
|
||||||
# these packages might conflict with apt-installed packages.
|
|
||||||
# We may have a lingering version of acme that conflcits with
|
|
||||||
# certbot, which we're about to install below, so remove it
|
|
||||||
# first. Once acme is installed by an apt package, this might
|
|
||||||
# break the package version and `apt-get install --reinstall python3-acme`
|
|
||||||
# might be needed in that case.
|
|
||||||
while [ -d /usr/local/lib/python3.4/dist-packages/acme ]; do
|
|
||||||
pip3 uninstall -y acme;
|
|
||||||
done
|
|
||||||
|
|
||||||
# duplicity is used to make backups of user data.
|
# duplicity is used to make backups of user data.
|
||||||
#
|
#
|
||||||
# virtualenv is used to isolate the Python 3 packages we
|
# virtualenv is used to isolate the Python 3 packages we
|
||||||
@ -28,9 +17,9 @@ done
|
|||||||
apt_install duplicity python3-pip virtualenv certbot rsync
|
apt_install duplicity python3-pip virtualenv certbot rsync
|
||||||
|
|
||||||
# b2sdk is used for backblaze backups.
|
# b2sdk is used for backblaze backups.
|
||||||
# boto is used for amazon aws backups.
|
# boto3 is used for amazon aws backups.
|
||||||
# Both are installed outside the pipenv, so they can be used by duplicity
|
# Both are installed outside the pipenv, so they can be used by duplicity
|
||||||
hide_output pip3 install --upgrade b2sdk==1.14.1 boto
|
hide_output pip3 install --upgrade b2sdk boto3
|
||||||
|
|
||||||
# Create a virtualenv for the installation of Python 3 packages
|
# Create a virtualenv for the installation of Python 3 packages
|
||||||
# used by the management daemon.
|
# used by the management daemon.
|
||||||
@ -49,10 +38,10 @@ hide_output $venv/bin/pip install --upgrade pip
|
|||||||
# NOTE: email_validator is repeated in setup/questions.sh, so please keep the versions synced.
|
# NOTE: email_validator is repeated in setup/questions.sh, so please keep the versions synced.
|
||||||
hide_output $venv/bin/pip install --upgrade \
|
hide_output $venv/bin/pip install --upgrade \
|
||||||
rtyaml "email_validator>=1.0.0" "exclusiveprocess" \
|
rtyaml "email_validator>=1.0.0" "exclusiveprocess" \
|
||||||
flask dnspython python-dateutil expiringdict \
|
flask dnspython python-dateutil expiringdict gunicorn \
|
||||||
qrcode[pil] pyotp \
|
qrcode[pil] pyotp \
|
||||||
"idna>=2.0.0" "cryptography==2.2.2" psutil postfix-mta-sts-resolver \
|
"idna>=2.0.0" "cryptography==37.0.2" psutil postfix-mta-sts-resolver \
|
||||||
b2sdk==1.14.1 boto
|
b2sdk boto3
|
||||||
|
|
||||||
# CONFIGURATION
|
# CONFIGURATION
|
||||||
|
|
||||||
@ -89,6 +78,9 @@ rm -f /tmp/bootstrap.zip
|
|||||||
|
|
||||||
# Create an init script to start the management daemon and keep it
|
# Create an init script to start the management daemon and keep it
|
||||||
# running after a reboot.
|
# running after a reboot.
|
||||||
|
# Set a long timeout since some commands take a while to run, matching
|
||||||
|
# the timeout we set for PHP (fastcgi_read_timeout in the nginx confs).
|
||||||
|
# Note: Authentication currently breaks with more than 1 gunicorn worker.
|
||||||
cat > $inst_dir/start <<EOF;
|
cat > $inst_dir/start <<EOF;
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# Set character encoding flags to ensure that any non-ASCII don't cause problems.
|
# Set character encoding flags to ensure that any non-ASCII don't cause problems.
|
||||||
@ -97,8 +89,13 @@ export LC_ALL=en_US.UTF-8
|
|||||||
export LANG=en_US.UTF-8
|
export LANG=en_US.UTF-8
|
||||||
export LC_TYPE=en_US.UTF-8
|
export LC_TYPE=en_US.UTF-8
|
||||||
|
|
||||||
|
mkdir -p /var/lib/mailinabox
|
||||||
|
tr -cd '[:xdigit:]' < /dev/urandom | head -c 32 > /var/lib/mailinabox/api.key
|
||||||
|
chmod 640 /var/lib/mailinabox/api.key
|
||||||
|
|
||||||
source $venv/bin/activate
|
source $venv/bin/activate
|
||||||
exec python $(pwd)/management/daemon.py
|
export PYTHONPATH=$(pwd)/management
|
||||||
|
exec gunicorn -b localhost:10222 -w 1 --timeout 630 wsgi:app
|
||||||
EOF
|
EOF
|
||||||
chmod +x $inst_dir/start
|
chmod +x $inst_dir/start
|
||||||
cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
|
cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
|
||||||
|
@ -49,8 +49,8 @@ apt_install php php-fpm \
|
|||||||
php-dev php-xml php-mbstring php-zip php-apcu php-json \
|
php-dev php-xml php-mbstring php-zip php-apcu php-json \
|
||||||
php-intl php-imagick php-gmp php-bcmath
|
php-intl php-imagick php-gmp php-bcmath
|
||||||
|
|
||||||
# Enable apc is required before installing nextcloud
|
# Enable APC before Nextcloud tools are run.
|
||||||
tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \
|
tools/editconf.py /etc/php/$PHP_VER/mods-available/apcu.ini -c ';' \
|
||||||
apc.enabled=1 \
|
apc.enabled=1 \
|
||||||
apc.enable_cli=1
|
apc.enable_cli=1
|
||||||
|
|
||||||
@ -155,7 +155,7 @@ fi
|
|||||||
if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextcloud_ver ]]; then
|
if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextcloud_ver ]]; then
|
||||||
|
|
||||||
# Stop php-fpm if running. If they are not running (which happens on a previously failed install), dont bail.
|
# Stop php-fpm if running. If they are not running (which happens on a previously failed install), dont bail.
|
||||||
service php$(php_version)-fpm stop &> /dev/null || /bin/true
|
service php$PHP_VER-fpm stop &> /dev/null || /bin/true
|
||||||
|
|
||||||
# Backup the existing ownCloud/Nextcloud.
|
# Backup the existing ownCloud/Nextcloud.
|
||||||
# Create a backup directory to store the current installation and database to
|
# Create a backup directory to store the current installation and database to
|
||||||
@ -280,7 +280,7 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
|
|||||||
array(
|
array(
|
||||||
'class' => '\OCA\UserExternal\IMAP',
|
'class' => '\OCA\UserExternal\IMAP',
|
||||||
'arguments' => array(
|
'arguments' => array(
|
||||||
'127.0.0.1', 143, null
|
'127.0.0.1', 143, null, null, false, false
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
@ -343,7 +343,7 @@ php <<EOF > $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php;
|
|||||||
<?php
|
<?php
|
||||||
include("$STORAGE_ROOT/owncloud/config.php");
|
include("$STORAGE_ROOT/owncloud/config.php");
|
||||||
|
|
||||||
\$CONFIG['config_is_read_only'] = false; # should prevent warnings from occ tool but doesn't
|
\$CONFIG['config_is_read_only'] = true;
|
||||||
|
|
||||||
\$CONFIG['trusted_domains'] = array('$PRIMARY_HOSTNAME');
|
\$CONFIG['trusted_domains'] = array('$PRIMARY_HOSTNAME');
|
||||||
|
|
||||||
@ -358,7 +358,14 @@ include("$STORAGE_ROOT/owncloud/config.php");
|
|||||||
|
|
||||||
\$CONFIG['mail_domain'] = '$PRIMARY_HOSTNAME';
|
\$CONFIG['mail_domain'] = '$PRIMARY_HOSTNAME';
|
||||||
|
|
||||||
\$CONFIG['user_backends'] = array(array('class' => '\OCA\UserExternal\IMAP','arguments' => array('127.0.0.1', 143, null),),);
|
\$CONFIG['user_backends'] = array(
|
||||||
|
array(
|
||||||
|
'class' => '\OCA\UserExternal\IMAP',
|
||||||
|
'arguments' => array(
|
||||||
|
'127.0.0.1', 143, null, null, false, false
|
||||||
|
),
|
||||||
|
),
|
||||||
|
);
|
||||||
|
|
||||||
echo "<?php\n\\\$CONFIG = ";
|
echo "<?php\n\\\$CONFIG = ";
|
||||||
var_export(\$CONFIG);
|
var_export(\$CONFIG);
|
||||||
@ -366,7 +373,7 @@ echo ";";
|
|||||||
?>
|
?>
|
||||||
EOF
|
EOF
|
||||||
chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
|
chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
|
||||||
chmod 640 $STORAGE_ROOT/owncloud/config.php
|
#chmod 640 $STORAGE_ROOT/owncloud/config.php
|
||||||
|
|
||||||
# Enable/disable apps. Note that this must be done after the Nextcloud setup.
|
# Enable/disable apps. Note that this must be done after the Nextcloud setup.
|
||||||
# The firstrunwizard gave Josh all sorts of problems, so disabling that.
|
# The firstrunwizard gave Josh all sorts of problems, so disabling that.
|
||||||
@ -402,7 +409,7 @@ sudo -u www-data php /usr/local/lib/owncloud/occ app:update --all
|
|||||||
|
|
||||||
# Set PHP FPM values to support large file uploads
|
# Set PHP FPM values to support large file uploads
|
||||||
# (semicolon is the comment character in this file, hashes produce deprecation warnings)
|
# (semicolon is the comment character in this file, hashes produce deprecation warnings)
|
||||||
tools/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \
|
tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \
|
||||||
upload_max_filesize=16G \
|
upload_max_filesize=16G \
|
||||||
post_max_size=16G \
|
post_max_size=16G \
|
||||||
output_buffering=16384 \
|
output_buffering=16384 \
|
||||||
@ -411,7 +418,7 @@ tools/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \
|
|||||||
short_open_tag=On
|
short_open_tag=On
|
||||||
|
|
||||||
# Set Nextcloud recommended opcache settings
|
# Set Nextcloud recommended opcache settings
|
||||||
tools/editconf.py /etc/php/$(php_version)/cli/conf.d/10-opcache.ini -c ';' \
|
tools/editconf.py /etc/php/$PHP_VER/cli/conf.d/10-opcache.ini -c ';' \
|
||||||
opcache.enable=1 \
|
opcache.enable=1 \
|
||||||
opcache.enable_cli=1 \
|
opcache.enable_cli=1 \
|
||||||
opcache.interned_strings_buffer=8 \
|
opcache.interned_strings_buffer=8 \
|
||||||
@ -420,6 +427,12 @@ tools/editconf.py /etc/php/$(php_version)/cli/conf.d/10-opcache.ini -c ';' \
|
|||||||
opcache.save_comments=1 \
|
opcache.save_comments=1 \
|
||||||
opcache.revalidate_freq=1
|
opcache.revalidate_freq=1
|
||||||
|
|
||||||
|
# Migrate users_external data from <0.6.0 to version 3.0.0 (see https://github.com/nextcloud/user_external).
|
||||||
|
# This version was probably in use in Mail-in-a-Box v0.41 (February 26, 2019) and earlier.
|
||||||
|
# We moved to v0.6.3 in 193763f8. Ignore errors - maybe there are duplicated users with the
|
||||||
|
# correct backend already.
|
||||||
|
sqlite3 $STORAGE_ROOT/owncloud/owncloud.db "UPDATE oc_users_external SET backend='127.0.0.1';" || /bin/true
|
||||||
|
|
||||||
# Set up a cron job for Nextcloud.
|
# Set up a cron job for Nextcloud.
|
||||||
cat > /etc/cron.d/mailinabox-nextcloud << EOF;
|
cat > /etc/cron.d/mailinabox-nextcloud << EOF;
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
@ -428,9 +441,6 @@ cat > /etc/cron.d/mailinabox-nextcloud << EOF;
|
|||||||
EOF
|
EOF
|
||||||
chmod +x /etc/cron.d/mailinabox-nextcloud
|
chmod +x /etc/cron.d/mailinabox-nextcloud
|
||||||
|
|
||||||
# Remove previous hourly cronjob
|
|
||||||
rm -f /etc/cron.hourly/mailinabox-owncloud
|
|
||||||
|
|
||||||
# There's nothing much of interest that a user could do as an admin for Nextcloud,
|
# There's nothing much of interest that a user could do as an admin for Nextcloud,
|
||||||
# and there's a lot they could mess up, so we don't make any users admins of Nextcloud.
|
# and there's a lot they could mess up, so we don't make any users admins of Nextcloud.
|
||||||
# But if we wanted to, we would do this:
|
# But if we wanted to, we would do this:
|
||||||
@ -441,4 +451,4 @@ rm -f /etc/cron.hourly/mailinabox-owncloud
|
|||||||
# ```
|
# ```
|
||||||
|
|
||||||
# Enable PHP modules and restart PHP.
|
# Enable PHP modules and restart PHP.
|
||||||
restart_service php$(php_version)-fpm
|
restart_service php$PHP_VER-fpm
|
||||||
|
@ -7,9 +7,9 @@ if [[ $EUID -ne 0 ]]; then
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Check that we are running on Ubuntu 20.04 LTS or Ubuntu 22.04 LTS
|
# Check that we are running on Ubuntu 22.04 LTS (or 22.04.xx).
|
||||||
if [ "$( lsb_release --id --short )" != "Ubuntu" ] || [ "$( lsb_release --release --short )" != "22.04" -a "$( lsb_release --release --short )" != "20.04" ]; then
|
if [ "$( lsb_release --id --short )" != "Ubuntu" ] || [ "$( lsb_release --release --short )" != "22.04" ]; then
|
||||||
echo "Mail-in-a-Box only supports being installed on Ubuntu 20.04 or 22.04, sorry. You are running:"
|
echo "Mail-in-a-Box only supports being installed on Ubuntu 22.04, sorry. You are running:"
|
||||||
echo
|
echo
|
||||||
lsb_release --description --short
|
lsb_release --description --short
|
||||||
echo
|
echo
|
||||||
|
@ -72,6 +72,10 @@ fi
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Create the STORAGE_USER and STORAGE_ROOT directory if they don't already exist.
|
# Create the STORAGE_USER and STORAGE_ROOT directory if they don't already exist.
|
||||||
|
#
|
||||||
|
# Set the directory and all of its parent directories' permissions to world
|
||||||
|
# readable since it holds files owned by different processes.
|
||||||
|
#
|
||||||
# If the STORAGE_ROOT is missing the mailinabox.version file that lists a
|
# If the STORAGE_ROOT is missing the mailinabox.version file that lists a
|
||||||
# migration (schema) number for the files stored there, assume this is a fresh
|
# migration (schema) number for the files stored there, assume this is a fresh
|
||||||
# installation to that directory and write the file to contain the current
|
# installation to that directory and write the file to contain the current
|
||||||
@ -82,6 +86,8 @@ fi
|
|||||||
if [ ! -d $STORAGE_ROOT ]; then
|
if [ ! -d $STORAGE_ROOT ]; then
|
||||||
mkdir -p $STORAGE_ROOT
|
mkdir -p $STORAGE_ROOT
|
||||||
fi
|
fi
|
||||||
|
f=$STORAGE_ROOT
|
||||||
|
while [[ $f != / ]]; do chmod a+rx "$f"; f=$(dirname "$f"); done;
|
||||||
if [ ! -f $STORAGE_ROOT/mailinabox.version ]; then
|
if [ ! -f $STORAGE_ROOT/mailinabox.version ]; then
|
||||||
setup/migrate.py --current > $STORAGE_ROOT/mailinabox.version
|
setup/migrate.py --current > $STORAGE_ROOT/mailinabox.version
|
||||||
chown $STORAGE_USER.$STORAGE_USER $STORAGE_ROOT/mailinabox.version
|
chown $STORAGE_USER.$STORAGE_USER $STORAGE_ROOT/mailinabox.version
|
||||||
|
@ -83,6 +83,9 @@ fi
|
|||||||
tools/editconf.py /etc/systemd/journald.conf MaxRetentionSec=10day
|
tools/editconf.py /etc/systemd/journald.conf MaxRetentionSec=10day
|
||||||
|
|
||||||
hide_output systemctl restart systemd-journald.service
|
hide_output systemctl restart systemd-journald.service
|
||||||
|
|
||||||
|
# ### Add PPAs.
|
||||||
|
|
||||||
# We install some non-standard Ubuntu packages maintained by other
|
# We install some non-standard Ubuntu packages maintained by other
|
||||||
# third-party providers. First ensure add-apt-repository is installed.
|
# third-party providers. First ensure add-apt-repository is installed.
|
||||||
|
|
||||||
@ -96,6 +99,8 @@ fi
|
|||||||
# come from there and minimal Ubuntu installs may have it turned off.
|
# come from there and minimal Ubuntu installs may have it turned off.
|
||||||
hide_output add-apt-repository -y universe
|
hide_output add-apt-repository -y universe
|
||||||
|
|
||||||
|
# Install the duplicity PPA.
|
||||||
|
hide_output add-apt-repository -y ppa:duplicity-team/duplicity-release-git
|
||||||
# ### Update Packages
|
# ### Update Packages
|
||||||
|
|
||||||
# Update system packages to make sure we have the latest upstream versions
|
# Update system packages to make sure we have the latest upstream versions
|
||||||
|
16
setup/web.sh
16
setup/web.sh
@ -46,11 +46,11 @@ tools/editconf.py /etc/nginx/nginx.conf -s \
|
|||||||
ssl_protocols="TLSv1.2 TLSv1.3;"
|
ssl_protocols="TLSv1.2 TLSv1.3;"
|
||||||
|
|
||||||
# Tell PHP not to expose its version number in the X-Powered-By header.
|
# Tell PHP not to expose its version number in the X-Powered-By header.
|
||||||
tools/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \
|
tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \
|
||||||
expose_php=Off
|
expose_php=Off
|
||||||
|
|
||||||
# Set PHPs default charset to UTF-8, since we use it. See #367.
|
# Set PHPs default charset to UTF-8, since we use it. See #367.
|
||||||
tools/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \
|
tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \
|
||||||
default_charset="UTF-8"
|
default_charset="UTF-8"
|
||||||
|
|
||||||
# Set higher timeout since fts searches with Roundcube may take longer
|
# Set higher timeout since fts searches with Roundcube may take longer
|
||||||
@ -60,7 +60,7 @@ tools/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \
|
|||||||
default_socket_timeout=180
|
default_socket_timeout=180
|
||||||
|
|
||||||
# Configure the path environment for php-fpm
|
# Configure the path environment for php-fpm
|
||||||
tools/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \
|
tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
|
||||||
env[PATH]=/usr/local/bin:/usr/bin:/bin \
|
env[PATH]=/usr/local/bin:/usr/bin:/bin \
|
||||||
|
|
||||||
# Configure php-fpm based on the amount of memory the machine has
|
# Configure php-fpm based on the amount of memory the machine has
|
||||||
@ -70,7 +70,7 @@ tools/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \
|
|||||||
TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)
|
TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)
|
||||||
if [ $TOTAL_PHYSICAL_MEM -lt 1000000 ]
|
if [ $TOTAL_PHYSICAL_MEM -lt 1000000 ]
|
||||||
then
|
then
|
||||||
tools/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \
|
tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
|
||||||
pm=ondemand \
|
pm=ondemand \
|
||||||
pm.max_children=8 \
|
pm.max_children=8 \
|
||||||
pm.start_servers=2 \
|
pm.start_servers=2 \
|
||||||
@ -78,7 +78,7 @@ then
|
|||||||
pm.max_spare_servers=3
|
pm.max_spare_servers=3
|
||||||
elif [ $TOTAL_PHYSICAL_MEM -lt 2000000 ]
|
elif [ $TOTAL_PHYSICAL_MEM -lt 2000000 ]
|
||||||
then
|
then
|
||||||
tools/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \
|
tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
|
||||||
pm=ondemand \
|
pm=ondemand \
|
||||||
pm.max_children=16 \
|
pm.max_children=16 \
|
||||||
pm.start_servers=4 \
|
pm.start_servers=4 \
|
||||||
@ -86,14 +86,14 @@ then
|
|||||||
pm.max_spare_servers=6
|
pm.max_spare_servers=6
|
||||||
elif [ $TOTAL_PHYSICAL_MEM -lt 3000000 ]
|
elif [ $TOTAL_PHYSICAL_MEM -lt 3000000 ]
|
||||||
then
|
then
|
||||||
tools/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \
|
tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
|
||||||
pm=dynamic \
|
pm=dynamic \
|
||||||
pm.max_children=60 \
|
pm.max_children=60 \
|
||||||
pm.start_servers=6 \
|
pm.start_servers=6 \
|
||||||
pm.min_spare_servers=3 \
|
pm.min_spare_servers=3 \
|
||||||
pm.max_spare_servers=9
|
pm.max_spare_servers=9
|
||||||
else
|
else
|
||||||
tools/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \
|
tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
|
||||||
pm=dynamic \
|
pm=dynamic \
|
||||||
pm.max_children=120 \
|
pm.max_children=120 \
|
||||||
pm.start_servers=12 \
|
pm.start_servers=12 \
|
||||||
@ -162,7 +162,7 @@ chown www-data /var/log/nginx/geoipblock.log
|
|||||||
|
|
||||||
# Start services.
|
# Start services.
|
||||||
restart_service nginx
|
restart_service nginx
|
||||||
restart_service php$(php_version)-fpm
|
restart_service php$PHP_VER-fpm
|
||||||
|
|
||||||
# Open ports.
|
# Open ports.
|
||||||
ufw_allow http
|
ufw_allow http
|
||||||
|
@ -22,7 +22,7 @@ source /etc/mailinabox.conf # load global vars
|
|||||||
echo "Installing Roundcube (webmail)..."
|
echo "Installing Roundcube (webmail)..."
|
||||||
apt_install \
|
apt_install \
|
||||||
dbconfig-common \
|
dbconfig-common \
|
||||||
php-cli php-sqlite3 php-intl php-json php-common php-curl php-ldap \
|
php-cli php-sqlite3 php-intl php-json php-common php-curl php-imap \
|
||||||
php-gd php-pspell libjs-jquery libjs-jquery-mousewheel libmagic1 php-mbstring
|
php-gd php-pspell libjs-jquery libjs-jquery-mousewheel libmagic1 php-mbstring
|
||||||
|
|
||||||
# Install Roundcube from source if it is not already present or if it is out of date.
|
# Install Roundcube from source if it is not already present or if it is out of date.
|
||||||
@ -124,8 +124,7 @@ cat > $RCM_CONFIG <<EOF;
|
|||||||
\$config['log_dir'] = '/var/log/roundcubemail/';
|
\$config['log_dir'] = '/var/log/roundcubemail/';
|
||||||
\$config['temp_dir'] = '/var/tmp/roundcubemail/';
|
\$config['temp_dir'] = '/var/tmp/roundcubemail/';
|
||||||
\$config['db_dsnw'] = 'sqlite:///$STORAGE_ROOT/mail/roundcube/roundcube.sqlite?mode=0640';
|
\$config['db_dsnw'] = 'sqlite:///$STORAGE_ROOT/mail/roundcube/roundcube.sqlite?mode=0640';
|
||||||
\$config['default_host'] = 'ssl://localhost';
|
\$config['imap_host'] = 'ssl://localhost:993';
|
||||||
\$config['default_port'] = 993;
|
|
||||||
\$config['imap_conn_options'] = array(
|
\$config['imap_conn_options'] = array(
|
||||||
'ssl' => array(
|
'ssl' => array(
|
||||||
'verify_peer' => false,
|
'verify_peer' => false,
|
||||||
@ -133,7 +132,7 @@ cat > $RCM_CONFIG <<EOF;
|
|||||||
),
|
),
|
||||||
);
|
);
|
||||||
\$config['imap_timeout'] = 180;
|
\$config['imap_timeout'] = 180;
|
||||||
\$config['smtp_server'] = 'tls://127.0.0.1';
|
\$config['smtp_host'] = 'tls://127.0.0.1';
|
||||||
\$config['smtp_conn_options'] = array(
|
\$config['smtp_conn_options'] = array(
|
||||||
'ssl' => array(
|
'ssl' => array(
|
||||||
'verify_peer' => false,
|
'verify_peer' => false,
|
||||||
@ -150,6 +149,10 @@ cat > $RCM_CONFIG <<EOF;
|
|||||||
\$config['login_username_filter'] = 'email';
|
\$config['login_username_filter'] = 'email';
|
||||||
\$config['password_charset'] = 'UTF-8';
|
\$config['password_charset'] = 'UTF-8';
|
||||||
\$config['junk_mbox'] = 'Spam';
|
\$config['junk_mbox'] = 'Spam';
|
||||||
|
/* ensure roudcube session id's aren't leaked to other parts of the server */
|
||||||
|
\$config['session_path'] = '/mail/';
|
||||||
|
/* prevent CSRF, requires php 7.3+ */
|
||||||
|
\$config['session_samesite'] = 'Strict';
|
||||||
?>
|
?>
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
@ -216,5 +219,5 @@ chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
|
|||||||
chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
|
chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
|
||||||
|
|
||||||
# Enable PHP modules.
|
# Enable PHP modules.
|
||||||
phpenmod -v php mcrypt imap
|
phpenmod -v php imap
|
||||||
restart_service php$(php_version)-fpm
|
restart_service php$PHP_VER-fpm
|
||||||
|
@ -30,7 +30,7 @@ def test(server, description):
|
|||||||
(hostname, "TXT", "\"v=spf1 mx -all\""),
|
(hostname, "TXT", "\"v=spf1 mx -all\""),
|
||||||
("mail._domainkey." + hostname, "TXT", "\"v=DKIM1; k=rsa; s=email; \" \"p=__KEY__\""),
|
("mail._domainkey." + hostname, "TXT", "\"v=DKIM1; k=rsa; s=email; \" \"p=__KEY__\""),
|
||||||
#("_adsp._domainkey." + hostname, "TXT", "\"dkim=all\""),
|
#("_adsp._domainkey." + hostname, "TXT", "\"dkim=all\""),
|
||||||
("_dmarc." + hostname, "TXT", "\"v=DMARC1; p=quarantine\""),
|
("_dmarc." + hostname, "TXT", "\"v=DMARC1; p=quarantine;\""),
|
||||||
]
|
]
|
||||||
return test2(tests, server, description)
|
return test2(tests, server, description)
|
||||||
|
|
||||||
|
@ -136,9 +136,10 @@ while len(input_lines) > 0:
|
|||||||
# Put any settings we didn't see at the end of the file,
|
# Put any settings we didn't see at the end of the file,
|
||||||
# except settings being cleared.
|
# except settings being cleared.
|
||||||
for i in range(len(settings)):
|
for i in range(len(settings)):
|
||||||
if (i not in found) and not (not val and erase_setting):
|
if i not in found:
|
||||||
name, val = settings[i].split("=", 1)
|
name, val = settings[i].split("=", 1)
|
||||||
buf += name + delimiter + val + "\n"
|
if not (not val and erase_setting):
|
||||||
|
buf += name + delimiter + val + "\n"
|
||||||
|
|
||||||
if not testing:
|
if not testing:
|
||||||
# Write out the new file.
|
# Write out the new file.
|
||||||
|
Loading…
Reference in New Issue
Block a user