From a70ba94b0c2fb77f3f7c23f91eee5d4f3c1620f7 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Tue, 10 Sep 2019 07:10:58 -0400 Subject: [PATCH 01/37] add autoconfig domains before subtracting domains with overridden A records so that a custom DNS record can be used to suppress TLS certificate generation for those domains if needed --- management/web_update.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/management/web_update.py b/management/web_update.py index 12959632..72295c21 100644 --- a/management/web_update.py +++ b/management/web_update.py @@ -23,11 +23,6 @@ def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True) # to the main domain for. We'll add 'www.' to any DNS zones, i.e. # the topmost of each domain we serve. domains |= set('www.' + zone for zone, zonefile in get_dns_zones(env)) - - if exclude_dns_elsewhere: - # ...Unless the domain has an A/AAAA record that maps it to a different - # IP address than this box. Remove those domains from our list. - domains -= get_domains_with_a_records(env) # Add Autoconfiguration domains, allowing us to serve correct SSL certs. # 'autoconfig.' for Mozilla Thunderbird auto setup. @@ -35,6 +30,11 @@ def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True) domains |= set('autoconfig.' + maildomain for maildomain in get_mail_domains(env)) domains |= set('autodiscover.' + maildomain for maildomain in get_mail_domains(env)) + if exclude_dns_elsewhere: + # ...Unless the domain has an A/AAAA record that maps it to a different + # IP address than this box. Remove those domains from our list. + domains -= get_domains_with_a_records(env) + # Ensure the PRIMARY_HOSTNAME is in the list so we can serve webmail # as well as Z-Push for Exchange ActiveSync. This can't be removed # by a custom A/AAAA record and is never a 'www.' redirect. From 889118aeb65ded96df76d43e67a7bae8a81ac387 Mon Sep 17 00:00:00 2001 
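Review bot: The comment carried along with the moved `if exclude_dns_elsewhere:` block, `# ...Unless the domain has an A/AAAA record that maps it to a different IP address than this box.`, was written as a continuation of the 'www.' paragraph and no longer reads as one now that the autoconfig./autodiscover. additions sit between them. I'd reword it to stand alone: `# Drop any domain collected above (zones, www., autoconfig., autodiscover.) whose custom A/AAAA record points away from this box; no certificate is provisioned for those here.` The `exclude_dns_elsewhere` parameter of get_web_domains deserves the same sentence in the function's docstring; the function starts outside the hunk.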
From: Michael Kroes Date: Sat, 5 Oct 2019 22:12:00 +0200 Subject: [PATCH 02/37] Upgraded Nextcloud to 16.0.5 (#1648) * Upgraded Nextcloud to 16.0.5 * Improved Nextcloud upgrade detection --- CHANGELOG.md | 7 +++++++ setup/nextcloud.sh | 16 ++++++++++------ 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6688e676..a1bdab03 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,13 @@ CHANGELOG ========= +Under Development +----------------- + +Software updates: + +* Upgraded Nextcloud from 15.0.8 to 16.0.5 (with Contacts from 3.1.1 to 3.1.4 and Calendar from 1.6.5 to 1.7.1) + v0.43 (September 1, 2019) ------------------------- diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index d5a8e7c5..99efebf8 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh 
@@ -40,18 +40,18 @@ InstallNextcloud() { # their github repositories. mkdir -p /usr/local/lib/owncloud/apps - wget_verify https://github.com/nextcloud/contacts/releases/download/v3.1.1/contacts.tar.gz a06bd967197dcb03c94ec1dbd698c037018669e5 /tmp/contacts.tgz + wget_verify https://github.com/nextcloud/contacts/releases/download/v3.1.4/contacts.tar.gz 297cb38c0ba9ba7ad7b8b61108033af8d7eccd96 /tmp/contacts.tgz tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/contacts.tgz - wget_verify https://github.com/nextcloud/calendar/releases/download/v1.6.5/calendar.tar.gz 79941255521a5172f7e4ce42dc7773838b5ede2f /tmp/calendar.tgz + wget_verify https://github.com/nextcloud/calendar/releases/download/v1.7.1/calendar.tar.gz bd7c846bad06da6d6ba04280f6fbf37ef846c2ad /tmp/calendar.tgz tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/calendar.tgz # Starting with Nextcloud 15, the app user_external is no longer included in Nextcloud core, # we will install from their github repository. if [[ $version =~ ^15 ]]; then - wget_verify https://github.com/nextcloud/user_external/releases/download/v0.6.3/user_external-0.6.3.tar.gz 0f756d35fef6b64a177d6a16020486b76ea5799c /tmp/user_external.tgz + wget_verify https://github.com/nextcloud/user_external/releases/download/v0.7.0/user_external-0.7.0.tar.gz 555a94811daaf5bdd336c5e48a78aa8567b86437 /tmp/user_external.tgz tar -xf /tmp/user_external.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/user_external.tgz fi @@ -91,8 +91,8 @@ InstallNextcloud() { } # Nextcloud Version to install. Checks are done down below to step through intermediate versions. -nextcloud_ver=15.0.8 -nextcloud_hash=4129d8d4021c435f2e86876225fb7f15adf764a3 +nextcloud_ver=16.0.5 +nextcloud_hash=46e8ec989de9aad9967a5a54ddb84ce8b8e2c54c # Current Nextcloud Version, #1623 # Checking /usr/local/lib/owncloud/version.php shows version of the Nextcloud application, not the DB 
@@ -142,10 +142,14 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc elif [[ ${CURRENT_NEXTCLOUD_VER} =~ ^13 ]]; then # If we are running Nextcloud 13, upgrade to Nextcloud 14 InstallNextcloud 14.0.6 4e43a57340f04c2da306c8eea98e30040399ae5a - elif [[ ${CURRENT_NEXTCLOUD_VER} =~ ^14 ]]; then + CURRENT_NEXTCLOUD_VER="14.0.6" + fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^14 ]]; then # During the upgrade from Nextcloud 14 to 15, user_external may cause the upgrade to fail. # We will disable it here before the upgrade and install it again after the upgrade. hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:disable user_external + InstallNextCloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3 + CURRENT_NEXTCLOUD_VER="15.0.8" fi fi From 70f05e9d5283a3ef0f99ddb92005c36ba64acf49 Mon Sep 17 00:00:00 2001 From: Brendan Hide Date: Thu, 3 Oct 2019 20:10:14 +0200 Subject: [PATCH 03/37] Ensure the universe repository is enabled A minimal Ubuntu server installation might not have universe enabled by default. By adding it, we ensure we can install packages only available in universe, such as python3-pip Merges #1650. --- setup/system.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/setup/system.sh b/setup/system.sh index ccc60231..df5f2856 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -86,6 +86,10 @@ if [ ! -f /usr/bin/add-apt-repository ]; then apt_install software-properties-common fi +# Ensure the universe repository is enabled since some of our packages +# come from there and minimal Ubuntu installs may have it turned off. +hide_output add-apt-repository -y universe + # Install the certbot PPA. hide_output add-apt-repository -y ppa:certbot/certbot From 24a567c3bed4123cd7baf46e0e17e3dfd8e52139 Mon Sep 17 00:00:00 2001 
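Review bot: `InstallNextCloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3` calls a function that does not exist: the function defined in this file is `InstallNextcloud` (lowercase c, as the hunk headers show), and bash function names are case-sensitive, so the 14-to-15 step fails with "command not found" while `CURRENT_NEXTCLOUD_VER="15.0.8"` is still set afterwards (or, if the script runs under `set -e`, which this hunk does not show, setup aborts at that point). The same misspelling is repeated by the `InstallNextCloud 16.0.6 ...` line added in the later nextcloud.sh hunk at @@ -151 (patch 18/37). The fix is the spelling only: `InstallNextcloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3`.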
From: Jeff Volkenant Date: Fri, 6 Sep 2019 12:59:30 -0700 Subject: [PATCH 04/37] Fix mailinabox-postgrey-whitelist cron job return code for file over 28 days Merges #1639 --- CHANGELOG.md | 4 ++++ setup/mail-postfix.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1bdab03..1ee9280f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,10 @@ Software updates: * Upgraded Nextcloud from 15.0.8 to 16.0.5 (with Contacts from 3.1.1 to 3.1.4 and Calendar from 1.6.5 to 1.7.1) +Mail: + +* Fetching of updated whitelist for greylisting was fetching each day instead of every month. + v0.43 (September 1, 2019) ------------------------- diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index 283d08af..e39f8aff 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -218,7 +218,7 @@ cat > /etc/cron.daily/mailinabox-postgrey-whitelist << EOF; # Mail-in-a-Box # check we have a postgrey_whitelist_clients file and that it is not older than 28 days -if [ ! -f /etc/postgrey/whitelist_clients ] || find /etc/postgrey/whitelist_clients -mtime +28 > /dev/null ; then +if [ ! -f /etc/postgrey/whitelist_clients ] || find /etc/postgrey/whitelist_clients -mtime +28 | grep -q '.' ; then # ok we need to update the file, so lets try to fetch it if curl https://postgrey.schweikert.ch/pub/postgrey_whitelist_clients --output /tmp/postgrey_whitelist_clients -sS --fail > /dev/null 2>&1 ; then # if fetching hasn't failed yet then check it is a plain text file From ed02e2106b274268f8210984e7d0f760dcbeb32c Mon Sep 17 00:00:00 2001 From: jvolkenant Date: Mon, 28 Oct 2019 03:27:54 -0700 Subject: [PATCH 05/37] Update zpush to 2.5.1 (#1654) --- setup/zpush.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/zpush.sh b/setup/zpush.sh index 0cbd30ad..a1253d2d 100755 --- a/setup/zpush.sh +++ b/setup/zpush.sh 
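Review bot: The new test `find /etc/postgrey/whitelist_clients -mtime +28 | grep -q '.'` is correct, but the reason for the pipe is not visible and a later "simplification" to `[ -n "$(find ...)" ]` would silently break it: this line is written through the unquoted `<< EOF;` heredoc that generates the cron script, so a `$(...)` would be expanded once at setup time rather than each time cron runs. I'd add a comment above the `if`: `# This script is emitted via an unquoted heredoc: use a pipe, not $(...), or the check is evaluated at setup time instead of by cron.` The heredoc's closing `EOF` lies outside the hunk.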
@@ -22,8 +22,8 @@ apt_install \ phpenmod -v php imap # Copy Z-Push into place. -VERSION=2.5.0 -TARGETHASH=30ce5c1af3f10939036361b6032d1187651b621e +VERSION=2.5.1 +TARGETHASH=4fa55863a429b0033497ae477aca4c8699b8f332 needs_update=0 #NODOC if [ ! -f /usr/local/lib/z-push/version ]; then needs_update=1 #NODOC From 50e9e8af30ee8392d4afd1a8b6564d149fde803d Mon Sep 17 00:00:00 2001 From: Victor Date: Mon, 28 Oct 2019 11:29:40 +0100 Subject: [PATCH 06/37] Sort custom dns table based on fqdn, rtype, and value (#1651) --- management/templates/custom-dns.html | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/management/templates/custom-dns.html b/management/templates/custom-dns.html index 56facdc9..a2d5042d 100644 --- a/management/templates/custom-dns.html +++ b/management/templates/custom-dns.html @@ -192,6 +192,22 @@ function show_current_custom_dns() { $('#custom-dns-current').fadeIn(); else $('#custom-dns-current').fadeOut(); + + var reverse_fqdn = function(el) { + el.qname = el.qname.split('.').reverse().join('.'); + return el; + } + var sort = function(a, b) { + if(a.qname === b.qname) { + if(a.rtype === b.rtype) { + return a.value > b.value ? 1 : -1; + } + return a.rtype > b.rtype ? 1 : -1; + } + return a.qname > b.qname ? 1 : -1; + } + + data = data.map(reverse_fqdn).sort(sort).map(reverse_fqdn); $('#custom-dns-current').find("tbody").text(''); for (var i = 0; i < data.length; i++) { From 7558ffd4f35a2cdfbfcd5ee9b917431550a8344b Mon Sep 17 00:00:00 2001 From: notEvil Date: Mon, 28 Oct 2019 11:31:50 +0100 Subject: [PATCH 07/37] Allow dns zone transfer from IPv6 (#1643) --- management/dns_update.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/management/dns_update.py b/management/dns_update.py index dba6dbc1..762c4719 100755 --- a/management/dns_update.py +++ b/management/dns_update.py 
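Review bot: The comparator `sort` returns `-1` for two records whose qname, rtype and value are all equal, whichever order they are compared in, so it is not a consistent comparator and the relative order of duplicate rows becomes engine-dependent. The final branch should return 0 on a tie: `return a.value > b.value ? 1 : a.value < b.value ? -1 : 0;` (the rtype and qname branches are fine because the `===` checks above them already exclude equality). `reverse_fqdn` also rewrites `el.qname` in place and depends on the second `.map(reverse_fqdn)` to undo it, so an exception from `.sort` would leave the caller's records with reversed names; returning a shallow copy, `return Object.assign({}, el, {qname: el.qname.split('.').reverse().join('.')});`, avoids that. show_current_custom_dns continues past the hunk.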
@@ -876,7 +876,10 @@ def get_secondary_dns(custom_dns, mode=None): if not hostname.startswith("xfr:"): if mode == "xfr": response = dns.resolver.query(hostname+'.', "A") - hostname = str(response[0]) + values.extend(map(str, response)) + response = dns.resolver.query(hostname+'.', "AAAA") + values.extend(map(str, response)) + continue values.append(hostname) # This is a zone-xfer-only IP address. Do not return if From df80b9fc714cfc8f0237dbd328ea8e09c5347261 Mon Sep 17 00:00:00 2001 From: jvolkenant Date: Sat, 2 Nov 2019 12:28:37 -0700 Subject: [PATCH 08/37] Allow user_external for Nextcloud 16 (and eventually 17) (#1655) --- setup/nextcloud.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 99efebf8..b38e1f65 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -50,7 +50,7 @@ InstallNextcloud() { # Starting with Nextcloud 15, the app user_external is no longer included in Nextcloud core, # we will install from their github repository. - if [[ $version =~ ^15 ]]; then + if [[ $version =~ ^1[567] ]]; then wget_verify https://github.com/nextcloud/user_external/releases/download/v0.7.0/user_external-0.7.0.tar.gz 555a94811daaf5bdd336c5e48a78aa8567b86437 /tmp/user_external.tgz tar -xf /tmp/user_external.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/user_external.tgz From cde4e0caca75164f883f72ababc06dec5a5d051d Mon Sep 17 00:00:00 2001 From: Dan Jensen Date: Sat, 2 Nov 2019 14:29:05 -0500 Subject: [PATCH 09/37] Change SSL notification email subject (#1653) Previously the notification email sent when a box's SSL certificate is automatically updated said, "Error Provisioning TLS Certificate" even when there was no error. This changes the subject line to "TLS Certificate Provisioning Results", which is more accurate. --- management/daily_tasks.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/management/daily_tasks.sh b/management/daily_tasks.sh index 3054dd33..2f723352 100755 
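Review bot: The A and AAAA lookups added to the `mode == "xfr"` branch are the same two statements repeated; a loop keeps both record types handled identically and leaves one place to touch when the call changes: `for rtype in ("A", "AAAA"):` / `    values.extend(map(str, dns.resolver.query(hostname+'.', rtype)))`. The later hunk on this file at @@ -875 (patch 13/37) edits both calls in the same way and would collapse into the same loop. get_secondary_dns starts and ends outside the hunk.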
--- a/management/daily_tasks.sh +++ b/management/daily_tasks.sh @@ -19,7 +19,7 @@ fi management/backup.py | management/email_administrator.py "Backup Status" # Provision any new certificates for new domains or domains with expiring certificates. -management/ssl_certificates.py -q | management/email_administrator.py "Error Provisioning TLS Certificate" +management/ssl_certificates.py -q | management/email_administrator.py "TLS Certificate Provisioning Result" # Run status checks and email the administrator if anything changed. management/status_checks.py --show-changes | management/email_administrator.py "Status Checks Change Notice" From b50dfb7f9370a1bebd4c66576ecbd4c10cece8cd Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 2 Nov 2019 15:57:14 -0400 Subject: [PATCH 10/37] changelog entries --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ee9280f..3e59bda9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,11 +7,26 @@ Under Development Software updates: * Upgraded Nextcloud from 15.0.8 to 16.0.5 (with Contacts from 3.1.1 to 3.1.4 and Calendar from 1.6.5 to 1.7.1) +* Upgraded Z-Push to 2.5.1. + +Control panel: + +* The Custom DNS list of records is now sorted. +* The emails that report TLS provisioning results now has a less scary subject line. Mail: * Fetching of updated whitelist for greylisting was fetching each day instead of every month. +DNS: + +* Automatic autoconfig.* subdomains can now be suppressed with custom DNS records. +* DNS zone transfer now works with IPv6 addresses. + +Setup: + +* An Ubuntu package source was missing on systems where it defaults off. + v0.43 (September 1, 2019) ------------------------- From fa792f664ec8da60539862c846c12bbe9fead7a7 Mon Sep 17 00:00:00 2001 
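Review bot: The new subject is `"TLS Certificate Provisioning Result"` while the commit message describes it as "TLS Certificate Provisioning Results"; the two should agree, and since one run of ssl_certificates.py can report on several domains the plural from the message reads better. That is the only line of the hunk that changes.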
From: Victor Date: Sun, 3 Nov 2019 19:31:29 +0100 Subject: [PATCH 11/37] Use correct setting for .editorconfig indent_style (#1670) --- .editorconfig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.editorconfig b/.editorconfig index 593ae64e..fbe828c3 100644 --- a/.editorconfig +++ b/.editorconfig @@ -13,7 +13,7 @@ trim_trailing_whitespace = true insert_final_newline = true [Makefile] -indent_style = tabs +indent_style = tab indent_size = 4 [Vagrantfile] @@ -23,7 +23,7 @@ indent_size = 2 indent_size = 2 [*.py] -indent_style = tabs +indent_style = tab [*.js] indent_size = 2 From 2f54f39f318eb2dfe17b1edbd6b2eb20395db3de Mon Sep 17 00:00:00 2001 From: Edwin Schaap Date: Sun, 10 Nov 2019 17:58:22 +0100 Subject: [PATCH 12/37] If xfr is subnet, do not create "notify" entry (#1672) --- management/dns_update.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/management/dns_update.py b/management/dns_update.py index 762c4719..257deffa 100755 --- a/management/dns_update.py +++ b/management/dns_update.py @@ -523,9 +523,11 @@ zone: """ % (domain, zonefile) # If custom secondary nameservers have been set, allow zone transfers - # and notifies to them. + # and, if not a subnet, notifies to them. for ipaddr in get_secondary_dns(additional_records, mode="xfr"): - nsdconf += "\n\tnotify: %s NOKEY\n\tprovide-xfr: %s NOKEY\n" % (ipaddr, ipaddr) + if "/" not in ipaddr: + nsdconf += "\n\tnotify: %s NOKEY" % (ipaddr) + nsdconf += "\n\tprovide-xfr: %s NOKEY\n" % (ipaddr) # Check if the file is changing. If it isn't changing, # return False to flag that no change was made. From f6f75f6fab33f942064194ee28969c5a5a3fca23 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Tue, 19 Nov 2019 09:57:27 -0500 Subject: [PATCH 13/37] Don't fail when resolving zone transfer IP addresses since a nameserver may not have an IPv6 address --- management/dns_update.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
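Review bot: `if "/" not in ipaddr:` decides host-versus-subnet by substring, and whatever string get_secondary_dns yields is written straight into nsd.conf through `%`-formatting; if that function does not validate its input (it is not visible here), a mistyped custom `xfr:` entry becomes a malformed `provide-xfr:` line in the nameserver config. Parsing with the stdlib `ipaddress.ip_network(ipaddr, strict=False)` (one `import ipaddress`) both validates the value and gives `net.num_addresses == 1` as the host test, which I would use instead of the substring check. Separately, `% (ipaddr)` is just `% ipaddr` — the parentheses do not make a tuple — so `% (ipaddr,)` is the conventional spelling if a tuple was intended.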
diff --git a/management/dns_update.py b/management/dns_update.py index 257deffa..7d053d5e 100755 --- a/management/dns_update.py +++ b/management/dns_update.py @@ -875,11 +875,13 @@ def get_secondary_dns(custom_dns, mode=None): # This is a hostname. Before including in zone xfr lines, # resolve to an IP address. Otherwise just return the hostname. + # It may not resolve to IPv6, so don't throw an exception if it + # doesn't. if not hostname.startswith("xfr:"): if mode == "xfr": - response = dns.resolver.query(hostname+'.', "A") + response = dns.resolver.query(hostname+'.', "A", raise_on_no_answer=False) values.extend(map(str, response)) - response = dns.resolver.query(hostname+'.', "AAAA") + response = dns.resolver.query(hostname+'.', "AAAA", raise_on_no_answer=False) values.extend(map(str, response)) continue values.append(hostname) From ff8170d5ab18eb7d1d131d8f0b9106acc660d132 Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sat, 23 Nov 2019 13:51:22 +0100 Subject: [PATCH 14/37] Align nextcloud cron job with recommended settings (#1680) --- setup/nextcloud.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index b38e1f65..d2a4a0ce 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh 
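Review bot: `raise_on_no_answer=False` only covers the NoAnswer case (a name that exists but has no record of that type); NXDOMAIN, NoNameservers and Timeout from `dns.resolver.query` still propagate and abort the whole DNS update because of one bad secondary-nameserver entry, which I'd expect to be the more likely failure for a mistyped `xfr:` hostname. Catching `dns.resolver.NXDOMAIN` (and whichever of the others the caller cannot tolerate) around the two lookups, and saying in the comment that a hostname resolving to nothing silently contributes no xfr/notify address, would make the behaviour explicit. The enclosing function starts and ends outside the hunk.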
@@ -310,12 +310,15 @@ if grep -q apc.enabled=0 /etc/php/7.2/mods-available/apcu.ini; then fi # Set up a cron job for Nextcloud. -cat > /etc/cron.hourly/mailinabox-owncloud << EOF; +cat > /etc/cron.d/mailinabox-nextcloud << EOF; #!/bin/bash # Mail-in-a-Box -sudo -u www-data php -f /usr/local/lib/owncloud/cron.php +*/5 * * * * root sudo -u www-data php -f /usr/local/lib/owncloud/cron.php EOF -chmod +x /etc/cron.hourly/mailinabox-owncloud +chmod +x /etc/cron.d/mailinabox-nextcloud + +# Remove previous hourly cronjob +rm -f /etc/cron.hourly/mailinabox-owncloud # There's nothing much of interest that a user could do as an admin for Nextcloud, # and there's a lot they could mess up, so we don't make any users admins of Nextcloud. From 91638c7fe0a9919a1c0b554d307a6c32a9f1c85d Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sat, 23 Nov 2019 13:58:29 +0100 Subject: [PATCH 15/37] Removed the postgrey option that specifies which whitelist file to use. This allows the usage of a .local verion (#1675) --- setup/mail-postfix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index e39f8aff..75e09a11 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -208,7 +208,7 @@ tools/editconf.py /etc/postfix/main.cf \ # e-mails really latter, delay of greylisting has been set to # 180 seconds (default is 300 seconds). tools/editconf.py /etc/default/postgrey \ - POSTGREY_OPTS=\"'--inet=127.0.0.1:10023 --delay=180 --whitelist-recipients=/etc/postgrey/whitelist_clients'\" + POSTGREY_OPTS=\"'--inet=127.0.0.1:10023 --delay=180'\" # We are going to setup a newer whitelist for postgrey, the version included in the distribution is old From cd62fd9826ac2334a92bb5bf8834982758081ff8 Mon Sep 17 00:00:00 2001 
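Review bot: The new /etc/cron.d/mailinabox-nextcloud is a crontab-format file, so the `#!/bin/bash` line (a comment as far as cron is concerned) and the `chmod +x /etc/cron.d/mailinabox-nextcloud` are leftovers from the cron.hourly script form and should be dropped; cron.d entries are never executed directly. Because cron.d lines carry a user field, the job can also run as www-data directly rather than as root plus `sudo`, `*/5 * * * * www-data php -f /usr/local/lib/owncloud/cron.php`, which removes a root-level hop from the job.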
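Review bot: The surviving `POSTGREY_OPTS=\"'--inet=127.0.0.1:10023 --delay=180'\"` line leaves the whitelist source implicit, and the option that was dropped passed the clients list as `--whitelist-recipients`, i.e. as a recipient-address whitelist rather than a client whitelist, so this change also corrects which kind of list that file was used for. I'd record the intent above the editconf call: `# Rely on postgrey's default client-whitelist paths (/etc/postgrey/whitelist_clients plus its .local companion) instead of passing a file; --whitelist-recipients was the wrong option for that file anyway.` Whether the installed postgrey version's defaults match that assumption is worth confirming before merging.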
From: =?UTF-8?q?Matthias=20H=C3=A4hnel?= Date: Sat, 23 Nov 2019 14:04:22 +0100 Subject: [PATCH 16/37] Update usage hint in backup.py (#1662) removed explicit call of the system python, cause the file has a shebang with the mail-in-a-box shipped python. for me the system python complaint, that it is missing some modules --- management/backup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/management/backup.py b/management/backup.py index 11cdbb8a..e1651552 100755 --- a/management/backup.py +++ b/management/backup.py @@ -410,7 +410,7 @@ def list_target_files(config): reason = "The hostname {} cannot be resolved.".format(target.hostname) else: reason = "Unknown error." \ - "Please check running 'python management/backup.py --verify'" \ + "Please check running 'management/backup.py --verify'" \ "from mailinabox sources to debug the issue." raise ValueError("Connection to rsync host failed: {}".format(reason)) From 6e3dee8b3b137e35399fe4f874e012f44c325f9b Mon Sep 17 00:00:00 2001 From: Francesco Montanari Date: Sun, 1 Dec 2019 23:10:04 +0200 Subject: [PATCH 17/37] Upgrade RoundCube to 1.4.1 and set the default skin to elastic (#1673) * Upgrade RoundCube to 1.4.0 and set the default skin to elastic * Install php-ldap extension * Remove smtp parameters that are now the default --- CHANGELOG.md | 4 ++++ setup/webmail.sh | 18 +++++++++++------- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e59bda9..c0c75963 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,10 +4,14 @@ CHANGELOG Under Development ----------------- +WebMail: +* Set the default Roundcube skin to the new "Elastic" theme. + Software updates: * Upgraded Nextcloud from 15.0.8 to 16.0.5 (with Contacts from 3.1.1 to 3.1.4 and Calendar from 1.6.5 to 1.7.1) * Upgraded Z-Push to 2.5.1. +* Upgraded Roundcube from 1.3.10 to 1.4.1. Control panel: diff --git a/setup/webmail.sh b/setup/webmail.sh index 6cbe55f9..f44ea047 100755 --- a/setup/webmail.sh 
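Review bot: The three adjacent string literals that build `reason` are concatenated with no separating spaces, so the message reads `Unknown error.Please check running 'management/backup.py --verify'from mailinabox sources to debug the issue.`; the changed line should end with a space, `"Please check running 'management/backup.py --verify' " \`, and the `"Unknown error."` literal above it needs one too. list_target_files continues outside the hunk.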
+++ b/setup/webmail.sh @@ -22,14 +22,14 @@ source /etc/mailinabox.conf # load global vars echo "Installing Roundcube (webmail)..." apt_install \ dbconfig-common \ - php-cli php-sqlite3 php-intl php-json php-common php-curl \ + php-cli php-sqlite3 php-intl php-json php-common php-curl php-ldap \ php-gd php-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php-mbstring # Install Roundcube from source if it is not already present or if it is out of date. # Combine the Roundcube version number with the commit hash of plugins to track # whether we have the latest version of everything. -VERSION=1.3.10 -HASH=431625fc737e301f9b7e502cccc61e50a24786b8 +VERSION=1.4.1 +HASH=f4ecc63185b8f7b4ce5bccdc9fc689571e82c489 PERSISTENT_LOGIN_VERSION=dc5ca3d3f4415cc41edb2fde533c8a8628a94c76 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5 CARDDAV_VERSION=3.0.3 @@ -51,6 +51,13 @@ elif [[ "$UPDATE_KEY" != `cat /usr/local/lib/roundcubemail/version` ]]; then needs_update=1 #NODOC fi if [ $needs_update == 1 ]; then + # if upgrading from 1.3.x, clear the temp_dir + if [ -f /usr/local/lib/roundcubemail/version ]; then + if [ "$(cat /usr/local/lib/roundcubemail/version | cut -c1-3)" == '1.3' ]; then + find /var/tmp/roundcubemail/ -type f ! -name 'RCMTEMP*' -delete + fi + fi + # install roundcube wget_verify \ https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION-complete.tar.gz \ @@ -110,9 +117,6 @@ cat > $RCM_CONFIG < array( 'verify_peer' => false, @@ -123,7 +127,7 @@ cat > $RCM_CONFIG < Date: Sun, 1 Dec 2019 22:11:00 +0100 Subject: [PATCH 18/37] Nextcloud 17 (#1676) --- CHANGELOG.md | 2 +- setup/nextcloud.sh | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c0c75963..779f13dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
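Review bot: The new 1.3.x check can lose the `cat |` pipeline and the nested `if`: `if [ -f /usr/local/lib/roundcubemail/version ] && [[ "$(cut -c1-3 /usr/local/lib/roundcubemail/version)" == '1.3' ]]; then`. The `find /var/tmp/roundcubemail/ -type f ! -name 'RCMTEMP*' -delete` that follows assumes that directory exists, and the `-f` test guards only the version file, so a box without the temp directory would see find's error during setup; an `[ -d /var/tmp/roundcubemail ] &&` in front of it keeps that quiet. The `if [ $needs_update == 1 ]` block this sits in ends outside the hunk.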
@@ -9,7 +9,7 @@ WebMail: Software updates: -* Upgraded Nextcloud from 15.0.8 to 16.0.5 (with Contacts from 3.1.1 to 3.1.4 and Calendar from 1.6.5 to 1.7.1) +* Upgraded Nextcloud from 15.0.8 to 17.0.1 (with Contacts from 3.1.1 to 3.1.6 and Calendar from 1.6.5 to 1.7.1) * Upgraded Z-Push to 2.5.1. * Upgraded Roundcube from 1.3.10 to 1.4.1. diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index d2a4a0ce..9ec7ff14 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -40,7 +40,7 @@ InstallNextcloud() { # their github repositories. mkdir -p /usr/local/lib/owncloud/apps - wget_verify https://github.com/nextcloud/contacts/releases/download/v3.1.4/contacts.tar.gz 297cb38c0ba9ba7ad7b8b61108033af8d7eccd96 /tmp/contacts.tgz + wget_verify https://github.com/nextcloud/contacts/releases/download/v3.1.6/contacts.tar.gz d331dc6db2ecf7c8e6166926a055dfa3b59722c3 /tmp/contacts.tgz tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/contacts.tgz @@ -91,8 +91,8 @@ InstallNextcloud() { } # Nextcloud Version to install. Checks are done down below to step through intermediate versions. -nextcloud_ver=16.0.5 -nextcloud_hash=46e8ec989de9aad9967a5a54ddb84ce8b8e2c54c +nextcloud_ver=17.0.1 +nextcloud_hash=81e47f2288377927346a4b4cbbb2ecf1b6f4a0e1 # Current Nextcloud Version, #1623 # Checking /usr/local/lib/owncloud/version.php shows version of the Nextcloud application, not the DB @@ -151,6 +151,10 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc InstallNextCloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3 CURRENT_NEXTCLOUD_VER="15.0.8" fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^15 ]]; then + InstallNextCloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 + CURRENT_NEXTCLOUD_VER="16.0.6" + fi fi InstallNextcloud $nextcloud_ver $nextcloud_hash From 52c68c65104a0115f18d0129a8be7442c54bee70 Mon Sep 17 00:00:00 2001 
From: Michael Kroes Date: Sun, 1 Dec 2019 22:13:33 +0100 Subject: [PATCH 19/37] Implement Nextcloud php-fpm recommended performance tuning settings (#1679) --- setup/nextcloud.sh | 4 ---- setup/web.sh | 44 +++++++++++++++++++++++++++++++++++++++----- 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 9ec7ff14..af47a062 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -303,10 +303,6 @@ tools/editconf.py /etc/php/7.2/cli/conf.d/10-opcache.ini -c ';' \ opcache.save_comments=1 \ opcache.revalidate_freq=1 -# Configure the path environment for php-fpm -tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ - env[PATH]=/usr/local/bin:/usr/bin:/bin - # If apc is explicitly disabled we need to enable it if grep -q apc.enabled=0 /etc/php/7.2/mods-available/apcu.ini; then tools/editconf.py /etc/php/7.2/mods-available/apcu.ini -c ';' \ diff --git a/setup/web.sh b/setup/web.sh index ed37e5e3..a5720224 100755 --- a/setup/web.sh +++ b/setup/web.sh 
@@ -48,13 +48,47 @@ tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \ tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \ default_charset="UTF-8" -# Switch from the dynamic process manager to the ondemand manager see #1216 +# Configure the path environment for php-fpm tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ - pm=ondemand + env[PATH]=/usr/local/bin:/usr/bin:/bin \ -# Bump up PHP's max_children to support more concurrent connections -tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ - pm.max_children=8 +# Configure php-fpm based on the amount of memory the machine has +# This is based on the nextcloud manual for performance tuning: https://docs.nextcloud.com/server/17/admin_manual/installation/server_tuning.html +# Some synchronisation issues can occur when many people access the site at once. +# The pm=ondemand setting is used for memory constrained machines < 2GB, this is copied over from PR: 1216 +TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true) +if [ $TOTAL_PHYSICAL_MEM -lt 1000000 ] +then + tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ + pm=ondemand \ + pm.max_children=8 \ + pm.start_servers=2 \ + pm.min_spare_servers=1 \ + pm.max_spare_servers=3 +elif [ $TOTAL_PHYSICAL_MEM -lt 2000000 ] +then + tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ + pm=ondemand \ + pm.max_children=16 \ + pm.start_servers=4 \ + pm.min_spare_servers=1 \ + pm.max_spare_servers=6 +elif [ $TOTAL_PHYSICAL_MEM -lt 3000000 ] +then + tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ + pm=dynamic \ + pm.max_children=60 \ + pm.start_servers=6 \ + pm.min_spare_servers=3 \ + pm.max_spare_servers=9 +else + tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ + pm=dynamic \ + pm.max_children=120 \ + pm.start_servers=12 \ + pm.min_spare_servers=6 \ + pm.max_spare_servers=18 +fi # Other nginx settings will be configured by the management service # since it depends on what domains we're serving, 
which we don't know From 802e7a1f4d315a1bd10c1dfae259f6779f940ed0 Mon Sep 17 00:00:00 2001 From: Carl Reinke Date: Sun, 1 Dec 2019 14:15:04 -0700 Subject: [PATCH 20/37] Copy systemd service files before linking to avoid issue with order of mounting filesystems (#1688) --- setup/management.sh | 3 ++- setup/munin.sh | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/setup/management.sh b/setup/management.sh index 3a6e187b..e4fd75da 100755 --- a/setup/management.sh +++ b/setup/management.sh @@ -93,7 +93,8 @@ source $venv/bin/activate exec python `pwd`/management/daemon.py EOF chmod +x $inst_dir/start -hide_output systemctl link -f conf/mailinabox.service +cp -f conf/mailinabox.service /lib/systemd/system/mailinabox.service +hide_output systemctl link -f /lib/systemd/system/mailinabox.service hide_output systemctl daemon-reload hide_output systemctl enable mailinabox.service diff --git a/setup/munin.sh b/setup/munin.sh index df7af601..9bb19472 100755 --- a/setup/munin.sh +++ b/setup/munin.sh @@ -64,7 +64,8 @@ mkdir -p /var/lib/munin-node/plugin-state/ # Create a systemd service for munin. ln -sf $(pwd)/management/munin_start.sh /usr/local/lib/mailinabox/munin_start.sh chmod 0744 /usr/local/lib/mailinabox/munin_start.sh -hide_output systemctl link -f conf/munin.service +cp -f conf/munin.service /lib/systemd/system/munin.service +hide_output systemctl link -f /lib/systemd/system/munin.service hide_output systemctl daemon-reload hide_output systemctl unmask munin.service hide_output systemctl enable munin.service From 960b5d5bbddd469f77f91540b35980ce026ff46b Mon Sep 17 00:00:00 2001 From: Carl Reinke Date: Sun, 1 Dec 2019 14:21:38 -0700 Subject: [PATCH 21/37] Don't use ifquery to check interface state since it is no longer installed (#1689) --- setup/munin.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/munin.sh b/setup/munin.sh index 9bb19472..b052ef0f 100755 --- a/setup/munin.sh +++ b/setup/munin.sh 
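Review bot: `TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)` can leave the variable empty (the `|| /bin/true` only hides the failure), after which the unquoted `[ $TOTAL_PHYSICAL_MEM -lt 1000000 ]` becomes `[ -lt 1000000 ]` and test errors out; it also relies on MemTotal being the first line of /proc/meminfo instead of selecting it by name. The four branches then repeat the same `tools/editconf.py ... www.conf` call with different numbers. I'd select the line with awk, default the value to 0 so an unreadable /proc/meminfo lands in the most conservative profile, quote the variable, and make a single editconf call from variables, as below. There is also a stray trailing `\` after `env[PATH]=/usr/local/bin:/usr/bin:/bin` that continues that command onto the blank line following it; drop it.
```shell
tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
	env[PATH]=/usr/local/bin:/usr/bin:/bin

# … unchanged: tuning comments referencing the Nextcloud manual …
TOTAL_PHYSICAL_MEM=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null || true)
TOTAL_PHYSICAL_MEM=${TOTAL_PHYSICAL_MEM:-0}
if [ "$TOTAL_PHYSICAL_MEM" -lt 1000000 ]; then
	PM=ondemand; MAX_CHILDREN=8;   START=2;  MIN_SPARE=1; MAX_SPARE=3
elif [ "$TOTAL_PHYSICAL_MEM" -lt 2000000 ]; then
	PM=ondemand; MAX_CHILDREN=16;  START=4;  MIN_SPARE=1; MAX_SPARE=6
elif [ "$TOTAL_PHYSICAL_MEM" -lt 3000000 ]; then
	PM=dynamic;  MAX_CHILDREN=60;  START=6;  MIN_SPARE=3; MAX_SPARE=9
else
	PM=dynamic;  MAX_CHILDREN=120; START=12; MIN_SPARE=6; MAX_SPARE=18
fi
tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
	pm=$PM \
	pm.max_children=$MAX_CHILDREN \
	pm.start_servers=$START \
	pm.min_spare_servers=$MIN_SPARE \
	pm.max_spare_servers=$MAX_SPARE
```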
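Review bot: After `cp -f conf/mailinabox.service /lib/systemd/system/mailinabox.service` the unit already lives in a directory systemd searches, so the following `hide_output systemctl link -f /lib/systemd/system/mailinabox.service` looks redundant to me — `link` exists to make units outside the search path visible — and `daemon-reload` plus `enable` should be all that is needed; if it is kept on purpose, a one-line comment saying why would stop the next reader from removing it. The setup/munin.sh hunk of this patch adds the same cp-then-link pair for munin.service and the same remark applies there.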
@@ -53,7 +53,7 @@ find /etc/munin/plugins/ -lname /usr/share/munin/plugins/ntp_ -print0 | xargs -0 # Deactivate monitoring of network interfaces that are not up. Otherwise we can get a lot of empty charts. for f in $(find /etc/munin/plugins/ \( -lname /usr/share/munin/plugins/if_ -o -lname /usr/share/munin/plugins/if_err_ -o -lname /usr/share/munin/plugins/bonding_err_ \)); do IF=$(echo $f | sed s/.*_//); - if ! ifquery $IF >/dev/null 2>/dev/null; then + if ! grep -qFx up /sys/class/net/$IF/operstate 2>/dev/null; then rm $f; fi; done From 81176c8e4b499874883b1936da06117c3e32dce2 Mon Sep 17 00:00:00 2001 From: jvolkenant Date: Sun, 1 Dec 2019 13:22:17 -0800 Subject: [PATCH 22/37] Fix to prevent multiple commented entries in dovecot conf (#1642) --- setup/mail-dovecot.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index c3d2ee57..d0498ab2 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh 
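Review bot: `grep -qFx up /sys/class/net/$IF/operstate` treats anything other than an exact `up` as down, but operstate reads `unknown` for some interfaces that do carry traffic — the loopback device, and in my experience several virtual and tunnel interfaces — so their munin plugins would now be removed where `ifquery` kept them. Accepting both states keeps the intent of dropping interfaces that are really down: `if ! grep -qxE 'up|unknown' /sys/class/net/"$IF"/operstate 2>/dev/null; then`; quoting `"$IF"` costs nothing since it is derived from a filename. The enclosing `for` loop starts and ends inside the hunk.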
@@ -87,8 +87,8 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
 "ssl_protocols=!SSLv3" \
 "ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" \
- "ssl_prefer_server_ciphers = yes" \
- "ssl_dh_parameters_length = 2048"
+ "ssl_prefer_server_ciphers=yes" \
+ "ssl_dh_parameters_length=2048"
 # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit
 # login credentials outside of an encrypted connection. Only the over-TLS versions
From aa15670dc24e885a44dfcf67b93845f78eed7e3b Mon Sep 17 00:00:00 2001
From: jvolkenant
Date: Sun, 1 Dec 2019 13:23:02 -0800
Subject: [PATCH 23/37] Fixed multiple commented add_header entries in /etc/spamassassin/local.cf (#1641)
---
 setup/spamassassin.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/spamassassin.sh b/setup/spamassassin.sh
index 148cfd0b..d6c8b83b 100755
--- a/setup/spamassassin.sh
+++ b/setup/spamassassin.sh
@@ -64,8 +64,8 @@ tools/editconf.py /etc/default/spampd \
 # the X-Spam-Status & X-Spam-Score mail headers and related headers.
 tools/editconf.py /etc/spamassassin/local.cf -s \
 report_safe=0 \
- add_header="all Report _REPORT_" \
- add_header="all Score _SCORE_"
+ "add_header all Report"=_REPORT_ \
+ "add_header all Score"=_SCORE_
 # Bayesean learning
 # -----------------
From ad9d7326083090f0c2a57ed727b2d82722190264 Mon Sep 17 00:00:00 2001
From: Vasek Sraier
Date: Sun, 1 Dec 2019 22:24:38 +0100
Subject: [PATCH 24/37] OpenDKIM canonicalization changed to relaxed for mail headers (#1620)
Because Mailman reformats headers it breaks DKIM signatures. SPF also does not apply in mailing lists. This together causes DMARC to fail and mark the email as invalid. This fixes DKIM signatures for Mailman-based mailing lists and makes sure DMARC test is passed.
---
 setup/dkim.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/setup/dkim.sh b/setup/dkim.sh
index dc7e51e2..5bd32370 100755
--- a/setup/dkim.sh
+++ b/setup/dkim.sh
@@ -31,6 +31,7 @@ if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then
 else
 # Add various configuration options to the end of `opendkim.conf`.
 cat >> /etc/opendkim.conf << EOF;
+Canonicalization relaxed/simple
 MinimumKeyBits 1024
 ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
 InternalHosts refile:/etc/opendkim/TrustedHosts
From 8567a9b71905a32f021d124112eaa230fa933469 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sun, 1 Dec 2019 17:43:56 -0500
Subject: [PATCH 25/37] Fix upgrade issue broken by 802e7a1f4d315a1bd10c1dfae259f6779f940ed0
---
 setup/management.sh | 2 +-
 setup/munin.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/management.sh b/setup/management.sh
index e4fd75da..3caf8eea 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -93,7 +93,7 @@ source $venv/bin/activate
 exec python `pwd`/management/daemon.py
 EOF
 chmod +x $inst_dir/start
-cp -f conf/mailinabox.service /lib/systemd/system/mailinabox.service
+cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
 hide_output systemctl link -f /lib/systemd/system/mailinabox.service
 hide_output systemctl daemon-reload
 hide_output systemctl enable mailinabox.service
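Review bot: `Canonicalization relaxed/simple` is appended only inside the `else` branch that runs when `ExternalIgnoreList` is not yet in `/etc/opendkim.conf`, so an already-installed box that re-runs setup keeps its existing config block and never receives the new setting; the fix described in the commit message would apply to fresh installs only. A separate idempotent step outside that `if`/`else` would cover upgrades, e.g. `if ! grep -q "^Canonicalization" /etc/opendkim.conf; then echo "Canonicalization relaxed/simple" >> /etc/opendkim.conf; fi`. The `if grep -q ...; then`/`else` block that encloses the hunk starts before it and ends after it. A short comment on the new line would also help the next reader: `# relaxed header canonicalization tolerates whitespace/case rewriting by forwarders (e.g. mailing lists); the body stays 'simple'`, since that trade-off is the whole point of the change.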
diff --git a/setup/munin.sh b/setup/munin.sh
index b052ef0f..6799cad6 100755
--- a/setup/munin.sh
+++ b/setup/munin.sh
@@ -64,7 +64,7 @@ mkdir -p /var/lib/munin-node/plugin-state/
 # Create a systemd service for munin.
 ln -sf $(pwd)/management/munin_start.sh /usr/local/lib/mailinabox/munin_start.sh
 chmod 0744 /usr/local/lib/mailinabox/munin_start.sh
-cp -f conf/munin.service /lib/systemd/system/munin.service
+cp --remove-destination conf/munin.service /lib/systemd/system/munin.service # target was previously a symlink so remove first
 hide_output systemctl link -f /lib/systemd/system/munin.service
 hide_output systemctl daemon-reload
 hide_output systemctl unmask munin.service
From f53b18ebb9b1c4c9aba95b3a26bee2be85f8002f Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sun, 1 Dec 2019 17:49:36 -0500
Subject: [PATCH 26/37] Upgrade TLS settings
---
 CHANGELOG.md | 4 ++++
 conf/nginx-ssl.conf | 2 +-
 security.md | 6 +++---
 setup/mail-dovecot.sh | 11 +++++------
 setup/mail-postfix.sh | 30 ++++++++++++++++++++----------
 setup/web.sh | 7 ++++++-
 6 files changed, 39 insertions(+), 21 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 779f13dc..f7e1e870 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ CHANGELOG
 Under Development
 -----------------
+System:
+
+* TLS settings have been upgraded following Mozilla's recommendations for servers. TLS1.2 and 1.3 are now the only supported protocols for web, IMAP, and SMTP (submission).
+
 WebMail:
 * Set the default Roundcube skin to the new "Elastic" theme.
diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf
index 1aba45c3..621973df 100644
--- a/conf/nginx-ssl.conf
+++ b/conf/nginx-ssl.conf
@@ -1,7 +1,7 @@
 # We track the Mozilla "intermediate" compatibility TLS recommendations.
 # Note that these settings are repeated in the SMTP and IMAP configuration.
 # ssl_protocols has moved to nginx.conf in bionic, check there for enabled protocols.
-ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem; # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
diff --git a/security.md b/security.md
index b8dc35af..bc980808 100644
--- a/security.md
+++ b/security.md
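Review bot: The new `ssl_ciphers` line is paired in this same commit with `ssl_prefer_server_ciphers=no` for Dovecot and `tls_preempt_cipherlist=no` for Postfix, but nothing in this hunk sets the nginx equivalent; the Mozilla "intermediate" profile the header comment cites also asks for `ssl_prefer_server_ciphers off;`, so if that directive is not already set elsewhere in this file or in nginx.conf it should be added next to `ssl_ciphers` to keep the three services consistent. The context comment "these settings are repeated in the SMTP and IMAP configuration" is now only partly true: in the mail-postfix.sh hunks of this commit the outbound client uses a wider `tls_medium_cipherlist`, so I would reword it to `# Note that Dovecot (IMAP) and Postfix submission use this same list; outbound SMTP uses a more permissive one.` The list is also unquoted now, which nginx accepts, but a trailing comment noting it is the Mozilla intermediate list as of a given date would make future diffs against the generator easier.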
@@ -39,9 +39,9 @@ These services are protected by [TLS](https://en.wikipedia.org/wiki/Transport_La
 The services all follow these rules:
 * TLS certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints. The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one. ([source](setup/ssl.sh))
-* Only TLSv1, TLSv1.1 and TLSv1.2 are offered (the older SSL protocols are not offered).
-* HTTPS, IMAP, and POP track the [Mozilla Intermediate Ciphers Recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS), balancing security with supporting a wide range of mail clients. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy. For more details, see the [output of SSLyze for these ports](tests/tls_results.txt).
-* SMTP (port 25) uses the Postfix medium grade ciphers and SMTP Submission (port 587) uses the Postfix high grade ciphers ([more info](http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers)).
+* Only TLSv1.2+ are offered (the older SSL protocols are not offered).
+* We track the [Mozilla Intermediate Ciphers Recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS), balancing security with supporting a wide range of mail clients. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy. For more details, see the [output of SSLyze for these ports](tests/tls_results.txt).
+* SMTP port 25 (inbound) follows similar rules. Outbound SMTP (i.e. the server is the client) uses more relaxed settings.
 Additionally:
diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh
index d0498ab2..0926ce9a 100755
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -78,16 +78,15 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
 "auth_mechanisms=plain login"
 # Enable SSL, specify the location of the SSL certificate and private key files.
-# Disable obsolete SSL protocols and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
-# Enable strong ssl dh parameters
-
+# Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.2.33&config=intermediate&openssl-version=1.1.1,
+# except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2.
 tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 ssl=required \
 "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
- "ssl_protocols=!SSLv3" \
- "ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" \
- "ssl_prefer_server_ciphers=yes" \
+ "ssl_protocols=TLSv1.2" \
+ "ssl_cipher_list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
+ "ssl_prefer_server_ciphers=no" \
 "ssl_dh_parameters_length=2048"
 # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit
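Review bot: `ssl_protocols=TLSv1.2` relies on the Dovecot 2.2 semantics of `ssl_protocols` (an explicit allow-list), and Dovecot 2.3 replaced that setting with `ssl_min_protocol`, so this line will have to change on the next Dovecot upgrade; a comment pinning the dependency would prevent a silent regression, e.g. `# Dovecot 2.2 'ssl_protocols' is an allow-list; 2.3 replaces it with ssl_min_protocol, revisit on upgrade.` The new comment says the current Dovecot has no TLSv1.3 setting; whether naming only TLSv1.2 also disables TLSv1.3 under OpenSSL 1.1.1 is something I cannot confirm from this hunk, and it is worth verifying on a box since `ssl_cipher_list` governs only the pre-1.3 suites. Otherwise the switch to `ssl_prefer_server_ciphers=no` is consistent with the Postfix `tls_preempt_cipherlist=no` in the same commit.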
diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index 75e09a11..695884ea 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -80,7 +80,6 @@ tools/editconf.py /etc/postfix/main.cf \
 # OpenDKIM milter only. See dkim.sh.
 # * Even though we dont allow auth over non-TLS connections (smtpd_tls_auth_only below, and without auth the client cant
 # send outbound mail), don't allow non-TLS mail submission on this port anyway to prevent accidental misconfiguration.
-# * Require the best ciphers for incoming connections per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
 # By putting this setting here we leave opportunistic TLS on incoming mail at default cipher settings (any cipher is better than none).
 # * Give it a different name in syslog to distinguish it from the port 25 smtpd server.
 # * Add a new cleanup service specific to the submission service ('authclean')
@@ -93,7 +92,6 @@ tools/editconf.py /etc/postfix/master.cf -s -w \ -o syslog_name=postfix/submission -o smtpd_milters=inet:127.0.0.1:8891 -o smtpd_tls_security_level=encrypt - -o smtpd_tls_ciphers=high -o smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 -o cleanup_service_name=authclean" \ "authclean=unix n - - - 0 cleanup -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters
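Review bot: Removing `-o smtpd_tls_ciphers=high` from the submission service leaves `-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3` in place as context, and Postfix gives master.cf `-o` overrides precedence over main.cf, so the `smtpd_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1"` added in the next main.cf hunk will not reach port 587 and the CHANGELOG claim that submission is TLS 1.2+ only would not hold. Either delete that `-o` line (and the `-o smtpd_tls_exclude_ciphers=...` one) so the main.cf mandatory settings govern submission, or update it to `-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1`. The same override is still present when the later "Downgrade TLS settings for port 25" commit reworks the main.cf block, so that hunk inherits the issue. The editconf call that encloses this hunk starts before it and its old/new line counts do not quite match the lines shown here, so the exact surrounding lines should be checked in the file. A follow-up run of the SSLyze results referenced from security.md would confirm what port 587 actually negotiates.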
@@ -111,17 +109,23 @@ sed -i "s/PUBLIC_IP/$PUBLIC_IP/" /etc/postfix/outgoing_mail_header_filters
 # Enable TLS on these and all other connections (i.e. ports 25 *and* 587) and
 # require TLS before a user is allowed to authenticate. This also makes
 # opportunistic TLS available on *incoming* mail.
-# Set stronger DH parameters, which via openssl tend to default to 1024 bits
-# (see ssl.sh).
+# Set stronger DH parameters, which via openssl tend to default to 1024 bits.
+# Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1
+# (but use and override the "high" cipher list so we don't conflict with the
+# more permissive settings for outgoing mail).
 tools/editconf.py /etc/postfix/main.cf \
 smtpd_tls_security_level=may\
 smtpd_tls_auth_only=yes \
 smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
 smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
 smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
- smtpd_tls_protocols=\!SSLv2,\!SSLv3 \
- smtpd_tls_ciphers=medium \
- smtpd_tls_exclude_ciphers=aNULL,RC4 \
+ smtpd_tls_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
+ smtpd_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
+ smtpd_tls_ciphers=high \
+ smtpd_tls_mandatory_ciphers=high \
+ smtpd_tls_exclude_ciphers= \
+ tls_high_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 \
+ tls_preempt_cipherlist=no \
 smtpd_tls_received_header=yes
 # Prevent non-authenticated users from sending mail that requires being
@@ -143,8 +147,12 @@ tools/editconf.py /etc/postfix/main.cf \
 # offers it, otherwise it will transmit the message in the clear. Postfix will
 # accept whatever SSL certificate the remote end provides. Opportunistic TLS
 # protects against passive easvesdropping (but not man-in-the-middle attacks).
+# Since we'd rather have poor encryption than none at all, we use Mozilla's
+# "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1
+# for opportunistic encryption but "Intermediate" recommendations when DANE
+# is used (see next and above).
+
 # DANE takes this a step further:
-#
 # Postfix queries DNS for the TLSA record on the destination MX host. If no TLSA records are found,
 # then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
 # or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
@@ -157,11 +165,13 @@ tools/editconf.py /etc/postfix/main.cf \
 # now see notices about trusted certs. The CA file is provided by the package `ca-certificates`.
 tools/editconf.py /etc/postfix/main.cf \
 smtp_tls_protocols=\!SSLv2,\!SSLv3 \
- smtp_tls_mandatory_protocols=\!SSLv2,\!SSLv3 \
 smtp_tls_ciphers=medium \
- smtp_tls_exclude_ciphers=aNULL,RC4 \
+ tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \
+ smtp_tls_exclude_ciphers= \
 smtp_tls_security_level=dane \
 smtp_dns_support_level=dnssec \
+ smtp_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
+ smtp_tls_mandatory_ciphers=high \
 smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt \
 smtp_tls_loglevel=2
diff --git a/setup/web.sh b/setup/web.sh
index a5720224..e6aac6ef 100755
--- a/setup/web.sh
+++ b/setup/web.sh
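Review bot: `tls_medium_cipherlist` carries no `smtp_` prefix; it is a global Postfix parameter, so setting it inside this outbound-client block also redefines the `medium` grade for every other TLS context in Postfix, including the smtpd side, and a reader of this block would not expect that coupling. I would add `# tls_medium_cipherlist is global (not smtp_-scoped): it redefines 'medium' for smtpd too` above the line, or move it next to the `tls_high_cipherlist` already set in the smtpd block so both global lists live in one place. Clearing `smtp_tls_exclude_ciphers=` means the explicit list alone decides what is offered; that is fine for this list, which carries no anonymous suites, but it removes the safety net if the list is later edited. As I read the postconf documentation, `smtp_tls_mandatory_protocols` and `smtp_tls_mandatory_ciphers` at security level `dane` only take effect for destinations with usable TLSA records, which matches the comment in the preceding hunk but deserves a one-line note here since the parameter names do not say so.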
@@ -31,14 +31,19 @@ sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
 conf/nginx-ssl.conf > /etc/nginx/conf.d/ssl.conf
 # Fix some nginx defaults.
+#
 # The server_names_hash_bucket_size seems to prevent long domain names!
 # The default, according to nginx's docs, depends on "the size of the
 # processor’s cache line." It could be as low as 32. We fixed it at
 # 64 in 2014 to accommodate a long domain name (20 characters?). But
 # even at 64, a 58-character domain name won't work (#93), so now
 # we're going up to 128.
+#
+# Drop TLSv1.0, TLSv1.1, following the Mozilla "Intermediate" recommendations
+# at https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate&openssl-version=1.1.1.
 tools/editconf.py /etc/nginx/nginx.conf -s \
- server_names_hash_bucket_size="128;"
+ server_names_hash_bucket_size="128;" \
+ ssl_protocols="TLSv1.2 TLSv1.3;"
 # Tell PHP not to expose its version number in the X-Powered-By header.
 tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
From 0271e549bb5f582b9760b5b1172b5fee4365a8b5 Mon Sep 17 00:00:00 2001
From: jvolkenant
Date: Tue, 10 Dec 2019 16:01:09 -0800
Subject: [PATCH 27/37] Fix typo in InstallNextcloud calls (#1693)
---
 setup/nextcloud.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index af47a062..e80480a5 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
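Review bot: `ssl_protocols="TLSv1.2 TLSv1.3;"` depends on `tools/editconf.py` locating the existing `ssl_protocols` line inside the `http {}` block of nginx.conf; the hunk does not show how editconf treats a line that carries a trailing comment, which the stock Ubuntu nginx.conf `ssl_protocols` line does, and if the match fails the directive would presumably be appended at the end of the file outside `http {}`, which nginx rejects at startup. It is worth confirming on a bionic box (or with `nginx -t` after setup) that the line is replaced in place rather than duplicated or appended. The same `-s` separator and `"...;"` value convention as `server_names_hash_bucket_size` is followed, so the style is consistent. A short comment such as `# nginx.conf's ssl_protocols is in the http{} block; editconf must replace it there, not append` would record the assumption.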
@@ -148,11 +148,11 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc
 # During the upgrade from Nextcloud 14 to 15, user_external may cause the upgrade to fail.
 # We will disable it here before the upgrade and install it again after the upgrade.
 hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:disable user_external
- InstallNextCloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3
+ InstallNextcloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3
 CURRENT_NEXTCLOUD_VER="15.0.8"
 fi
 if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^15 ]]; then
- InstallNextCloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819
+ InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819
 CURRENT_NEXTCLOUD_VER="16.0.6"
 fi
 fi
From 385340da46862b83d87c399474152961771d1832 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Thu, 12 Dec 2019 11:27:35 -0500
Subject: [PATCH 28/37] install openssh-client which provides ssh-keygen and is not present on desktop Ubuntu by default
---
 setup/system.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/setup/system.sh b/setup/system.sh
index df5f2856..28043b16 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -125,11 +125,12 @@ apt_get_quiet autoremove
 # * sudo: allows privileged users to execute commands as root without being root
 # * coreutils: includes `nproc` tool to report number of processors, mktemp
 # * bc: allows us to do math to compute sane defaults
+# * openssh-client: provides ssh-keygen
 echo Installing system packages...
 apt_install python3 python3-dev python3-pip \
 netcat-openbsd wget curl git sudo coreutils bc \
- haveged pollinate unzip \
+ haveged pollinate openssh-client unzip \
 unattended-upgrades cron ntp fail2ban rsyslog
 # ### Suppress Upgrade Prompts
From a67f90593db50242dc6428b0c85ad46d2e3768bd Mon Sep 17 00:00:00 2001
From: Bart
Date: Fri, 20 Dec 2019 00:33:36 +0100
Subject: [PATCH 29/37] Replace dead link with archive.org link (#1698)
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 88735bcc..ca4c0538 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ Our goals are to:
 * Make deploying a good mail server easy.
 * Promote [decentralization](http://redecentralize.org/), innovation, and privacy on the web.
-* Have automated, auditable, and [idempotent](https://sharknet.us/2014/02/01/automated-configuration-management-challenges-with-idempotency/) configuration.
+* Have automated, auditable, and [idempotent](https://web.archive.org/web/20190518072631/https://sharknet.us/2014/02/01/automated-configuration-management-challenges-with-idempotency/) configuration.
 * **Not** make a totally unhackable, NSA-proof server.
 * **Not** make something customizable by power users.
From 30885bcc8a35a95f904adbe0cc7ed09ba469e93f Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Mon, 20 Jan 2020 05:50:52 -0500
Subject: [PATCH 30/37] Downgrade TLS settings for port 25, partially reverting f53b18ebb9b1c4c9aba95b3a26bee2be85f8002f
Port 25 now is aligned with Mozilla's "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1. See #1705
---
 setup/mail-postfix.sh | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index 695884ea..0a66cb0f 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -80,7 +80,7 @@ tools/editconf.py /etc/postfix/main.cf \
 # OpenDKIM milter only. See dkim.sh.
 # * Even though we dont allow auth over non-TLS connections (smtpd_tls_auth_only below, and without auth the client cant
 # send outbound mail), don't allow non-TLS mail submission on this port anyway to prevent accidental misconfiguration.
-# By putting this setting here we leave opportunistic TLS on incoming mail at default cipher settings (any cipher is better than none).
+# Setting smtpd_tls_security_level=encrypt also triggers the use of the 'mandatory' settings below.
 # * Give it a different name in syslog to distinguish it from the port 25 smtpd server.
 # * Add a new cleanup service specific to the submission service ('authclean')
 # that filters out privacy-sensitive headers on mail being sent out by
@@ -106,25 +106,34 @@ cp conf/postfix_outgoing_mail_header_filters /etc/postfix/outgoing_mail_header_f
 sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /etc/postfix/outgoing_mail_header_filters
 sed -i "s/PUBLIC_IP/$PUBLIC_IP/" /etc/postfix/outgoing_mail_header_filters
-# Enable TLS on these and all other connections (i.e. ports 25 *and* 587) and
-# require TLS before a user is allowed to authenticate. This also makes
-# opportunistic TLS available on *incoming* mail.
-# Set stronger DH parameters, which via openssl tend to default to 1024 bits.
-# Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1
-# (but use and override the "high" cipher list so we don't conflict with the
-# more permissive settings for outgoing mail).
+# Enable TLS on incoming connections. It is not required on port 25, allowing for opportunistic
+# encryption. On port 587 it is mandatory (see above). Shared and non-shared settings are
+# given here. Shared settings include:
+# * Require TLS before a user is allowed to authenticate.
+# * Set the path to the server TLS certificate and 2048-bit DH parameters for old DH ciphers.
+# For port 25 only:
+# * Disable extremely old versions of TLS and extremely unsafe ciphers, but some mail servers out in
+# the world are very far behind and if we disable too much, they may not be able to use TLS and
+# won't fall back to cleartext. So we don't disable too much. smtpd_tls_exclude_ciphers applies to
+# both port 25 and port 587, but because we override the cipher list for both, it probably isn't used.
+# Use Mozilla's "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1
+# For port 587 (via the 'mandatory' settings):
+# * Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1
+# using and overriding the "high" cipher list so we don't conflict with the more permissive settings for port 25.
 tools/editconf.py /etc/postfix/main.cf \
 smtpd_tls_security_level=may\
 smtpd_tls_auth_only=yes \
 smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
 smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
 smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
- smtpd_tls_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
+ smtpd_tls_protocols="!SSLv2,!SSLv3" \
+ smtpd_tls_ciphers=medium \
+ tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \
+ smtpd_tls_exclude_ciphers=aNULL,RC4 \
 smtpd_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
- smtpd_tls_ciphers=high \
 smtpd_tls_mandatory_ciphers=high \
- smtpd_tls_exclude_ciphers= \
 tls_high_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 \
+ smtpd_tls_mandatory_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 \
tls_preempt_cipherlist=no \
 smtpd_tls_received_header=yes
@@ -150,7 +159,7 @@ tools/editconf.py /etc/postfix/main.cf \
 # Since we'd rather have poor encryption than none at all, we use Mozilla's
 # "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1
 # for opportunistic encryption but "Intermediate" recommendations when DANE
-# is used (see next and above).
+# is used (see next and above). The cipher lists are set above.
 # DANE takes this a step further:
 # Postfix queries DNS for the TLSA record on the destination MX host. If no TLSA records are found,
@@ -166,8 +175,7 @@ tools/editconf.py /etc/postfix/main.cf \
 tools/editconf.py /etc/postfix/main.cf \
 smtp_tls_protocols=\!SSLv2,\!SSLv3 \
 smtp_tls_ciphers=medium \
- tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \
- smtp_tls_exclude_ciphers= \
+ smtp_tls_exclude_ciphers=aNULL,RC4 \
 smtp_tls_security_level=dane \
 smtp_dns_support_level=dnssec \
 smtp_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
From e6294049bca1c117e6a36ceaaa2647d6a8f9bf42 Mon Sep 17 00:00:00 2001
From: jvolkenant
Date: Tue, 21 Jan 2020 23:58:04 -0800
Subject: [PATCH 31/37] Update Roundcube persistent_login plugin (#1712)
---
 setup/webmail.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/webmail.sh b/setup/webmail.sh
index f44ea047..940d7153 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
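Review bot: The new comment block above the main.cf call says `smtpd_tls_exclude_ciphers` "probably isn't used" because the cipher lists are overridden, which is misleading: Postfix always appends the exclusions to whatever cipherlist it selects, so `aNULL,RC4` is still enforced on both ports; it simply removes nothing from the explicit `tls_medium_cipherlist`/`tls_high_cipherlist`, which contain no such suites. I would reword it to `# smtpd_tls_exclude_ciphers is still applied on top of the explicit lists below for both ports; it excludes nothing from them, so it is a safety net rather than the policy.` The comment also promises that port 587 gets the "Intermediate" profile via the `mandatory` settings, which holds only if nothing in master.cf overrides them for the submission service; that interaction was raised on the earlier master.cf hunk. With `smtpd_tls_protocols="!SSLv2,!SSLv3"` port 25 again accepts TLSv1.0/1.1 from legacy senders, so the remaining `DES-CBC3-SHA` entry at the end of the medium list is the only non-forward-secret, 64-bit-block suite offered and is worth calling out in the comment as a deliberate compatibility choice. The editconf call continues on the next line after this hunk's last shown line.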
@@ -30,7 +30,7 @@ apt_install \
 # whether we have the latest version of everything.
 VERSION=1.4.1
 HASH=f4ecc63185b8f7b4ce5bccdc9fc689571e82c489
-PERSISTENT_LOGIN_VERSION=dc5ca3d3f4415cc41edb2fde533c8a8628a94c76
+PERSISTENT_LOGIN_VERSION=6b3fc450cae23ccb2f393d0ef67aa319e877e435
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
 CARDDAV_VERSION=3.0.3
 CARDDAV_HASH=d1e3b0d851ffa2c6bd42bf0c04f70d0e1d0d78f8
From b86bf07d57b1d54143b4fcd8e52838ba0b43cff8 Mon Sep 17 00:00:00 2001
From: "E.M. Makat" <29872150+emmakat@users.noreply.github.com>
Date: Tue, 21 Jan 2020 23:58:40 -0800
Subject: [PATCH 32/37] Fix spelling of 'guarantee' (#1703)
---
 security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security.md b/security.md
index bc980808..3b51f235 100644
--- a/security.md
+++ b/security.md
@@ -95,7 +95,7 @@ Domain policy records allow recipient MTAs to detect when the _domain_ part of o
 ### User Policy
-While domain policy records prevent other servers from sending mail with a "From:" header that matches a domain hosted on the box (see above), those policy records do not guarnatee that the user portion of the sender email address matches the actual sender. In enterprise environments where the box may host the mail of untrusted users, it is important to guard against users impersonating other users.
+While domain policy records prevent other servers from sending mail with a "From:" header that matches a domain hosted on the box (see above), those policy records do not guarantee that the user portion of the sender email address matches the actual sender. In enterprise environments where the box may host the mail of untrusted users, it is important to guard against users impersonating other users.
 The box restricts the envelope sender address (also called the return path or MAIL FROM address --- this is different from the "From:" header) that users may put into outbound mail. The envelope sender address must be either their own email address (their SMTP login username) or any alias that they are listed as a permitted sender of. (There is currently no restriction on the contents of the "From:" header.)
From faee29ba8b6ba8a3b8de234e41c2cfedf4d3dbf6 Mon Sep 17 00:00:00 2001
From: Michael Kroes
Date: Wed, 22 Jan 2020 09:06:17 +0100
Subject: [PATCH 33/37] Bump Nextcloud to 17.0.2 (#1702)
---
 CHANGELOG.md | 2 +-
 setup/nextcloud.sh | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f7e1e870..8b6f3a2b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,7 @@ WebMail:
 Software updates:
-* Upgraded Nextcloud from 15.0.8 to 17.0.1 (with Contacts from 3.1.1 to 3.1.6 and Calendar from 1.6.5 to 1.7.1)
+* Upgraded Nextcloud from 15.0.8 to 17.0.2 (with Contacts from 3.1.1 to 3.1.6 and Calendar from 1.6.5 to 1.7.1)
 * Upgraded Z-Push to 2.5.1.
 * Upgraded Roundcube from 1.3.10 to 1.4.1.
diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index e80480a5..3ab21176 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -91,8 +91,8 @@ InstallNextcloud() {
 }
 # Nextcloud Version to install. Checks are done down below to step through intermediate versions.
-nextcloud_ver=17.0.1
-nextcloud_hash=81e47f2288377927346a4b4cbbb2ecf1b6f4a0e1
+nextcloud_ver=17.0.2
+nextcloud_hash=8095fb46e9e0c536163708aee3d17fab8b498ad6
 # Current Nextcloud Version, #1623
 # Checking /usr/local/lib/owncloud/version.php shows version of the Nextcloud application, not the DB
From 23be1031b8e867a5c3a92b27d75cf0f071f4d8f3 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Wed, 22 Jan 2020 03:08:25 -0500
Subject: [PATCH 34/37] Remove security.md's information about port 25 which is out of date
---
 security.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/security.md b/security.md
index 3b51f235..8c9d43e5 100644
--- a/security.md
+++ b/security.md
@@ -41,7 +41,6 @@ The services all follow these rules:
 * TLS certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints. The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one. ([source](setup/ssl.sh))
 * Only TLSv1.2+ are offered (the older SSL protocols are not offered).
 * We track the [Mozilla Intermediate Ciphers Recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS), balancing security with supporting a wide range of mail clients. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy. For more details, see the [output of SSLyze for these ports](tests/tls_results.txt).
-* SMTP port 25 (inbound) follows similar rules. Outbound SMTP (i.e. the server is the client) uses more relaxed settings.
 Additionally:
From ddadb6c28a7915849049c071e4cadf2d66d8da2e Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Wed, 22 Jan 2020 03:25:26 -0500
Subject: [PATCH 35/37] Roundcube 1.4.2
---
 CHANGELOG.md | 5 +----
 setup/webmail.sh | 4 ++--
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8b6f3a2b..9786361d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,14 +8,11 @@ System:
 * TLS settings have been upgraded following Mozilla's recommendations for servers. TLS1.2 and 1.3 are now the only supported protocols for web, IMAP, and SMTP (submission).
-WebMail:
-* Set the default Roundcube skin to the new "Elastic" theme.
-
 Software updates:
 * Upgraded Nextcloud from 15.0.8 to 17.0.2 (with Contacts from 3.1.1 to 3.1.6 and Calendar from 1.6.5 to 1.7.1)
 * Upgraded Z-Push to 2.5.1.
-* Upgraded Roundcube from 1.3.10 to 1.4.1.
+* Upgraded Roundcube from 1.3.10 to 1.4.2 and changed the default skin (theme) to Elastic.
 Control panel:
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 940d7153..89ed1722 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -28,8 +28,8 @@ apt_install \
 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of plugins to track
 # whether we have the latest version of everything.
-VERSION=1.4.1
-HASH=f4ecc63185b8f7b4ce5bccdc9fc689571e82c489
+VERSION=1.4.2
+HASH=d53fcd7f1109a63364d5d4a43f879c6f47d34a89
 PERSISTENT_LOGIN_VERSION=6b3fc450cae23ccb2f393d0ef67aa319e877e435
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
 CARDDAV_VERSION=3.0.3
From ab5ce01bddf8dc2576492c0c67d7966d8db0ac9e Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Wed, 22 Jan 2020 03:36:02 -0500
Subject: [PATCH 36/37] Some changelog entries
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9786361d..27ae2c3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ Under Development
 System:
 * TLS settings have been upgraded following Mozilla's recommendations for servers. TLS1.2 and 1.3 are now the only supported protocols for web, IMAP, and SMTP (submission).
+* Fixed an issue starting services when Mail-in-a-Box isn't on the root filesystem.
+* Changed some performance options affecting Roundcube and Nextcloud.
 Software updates:
@@ -22,6 +24,7 @@ Control panel:
 Mail:
 * Fetching of updated whitelist for greylisting was fetching each day instead of every month.
+* OpenDKIM signing has been changed to 'relaxed' mode so that some old mail lists that forward mail can do so.
 DNS:
From 30c2c60f596ab972e496234cb5378c667125a973 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sat, 15 Feb 2020 07:15:09 -0500
Subject: [PATCH 37/37] v0.44
---
 CHANGELOG.md | 4 ++--
 README.md | 4 ++--
 setup/bootstrap.sh | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27ae2c3a..d4247085 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,8 @@
 CHANGELOG
 =========
-Under Development
------------------
+v0.44 (February 15, 2020)
+-------------------------
 System:
diff --git a/README.md b/README.md
index ca4c0538..4eef7ed9 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ by him:
 $ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 gpg: key C10BDD81: public key "Joshua Tauberer " imported
- $ git verify-tag v0.43
+ $ git verify-tag v0.44
 gpg: Signature made ..... using RSA key ID C10BDD81
 gpg: Good signature from "Joshua Tauberer "
 gpg: WARNING: This key is not certified with a trusted signature!
@@ -71,7 +71,7 @@ and on his [personal homepage](https://razor.occams.info/). (Of course, if this
 Checkout the tag corresponding to the most recent release:
- $ git checkout v0.43
+ $ git checkout v0.44
 Begin the installation.
diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh
index af8be489..238109dc 100644
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -20,7 +20,7 @@ if [ -z "$TAG" ]; then
 # want to display in status checks.
 if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then
 # This machine is running Ubuntu 18.04.
- TAG=v0.43
+ TAG=v0.44
 elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then
 # This machine is running Ubuntu 14.04.