Merge branch 'jammyjellyfish2204' into jammyjellyfish2204-update-cipher-sha2

CHANGELOG.md

@@ -15,10 +15,16 @@ LINK TBD
 No features of Mail-in-a-Box have changed in this release, but with the newer version of Ubuntu the following software packages we use are updated:
 
 * dovecot is upgraded to 2.3.16, postfix to 3.6.4, opendmark to 1.4 (which adds ARC-Authentication-Results headers), and spampd to 2.53 (alleviating a mail delivery rate limiting bug).
-* Nextcloud is upgraded to 23.0.4 with PHP updated from 7.2 to 8.0.
+* Nextcloud is upgraded to 23.0.4.
+* Roundcube is upgraded to 1.6.0.
 * certbot is upgraded to 1.21 (via the Ubuntu repository instead of a PPA).
 * fail2ban is upgraded to 0.11.2.
 * nginx is upgraded to 1.18.
+* PHP is upgraded from 7.2 to 8.0.
+
+Also:
+
+* Roundcube's login session cookie was tightened. Existing sessions may require a manual logout.
 
 Version 57a (June 19, 2022)
 ---------------------------

management/daemon.py

@@ -122,7 +122,6 @@ def index():
 	no_admins_exist = (len(get_admins(env)) == 0)
 
 	import boto3.s3
-	from urllib.parse import urlparse
 	backup_s3_hosts = [(r, f"s3.{r}.amazonaws.com") for r in boto3.session.Session().get_available_regions('s3')]
 
 

management/templates/system-backup.html

@@ -269,6 +269,7 @@ function show_custom_backup() {
           $("#backup-target-type").val("s3");
           var hostpath = r.target.substring(5).split('/');
           var host = hostpath.shift();
+          $("#backup-target-s3-host-select").val(host);
           $("#backup-target-s3-host").val(host);
           $("#backup-target-s3-path").val(hostpath.join('/'));
         } else if (r.target.substring(0, 5) == "b2://") {

setup/mail-dovecot.sh

@@ -87,7 +87,8 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 	"ssl_min_protocol=TLSv1.2" \
 	"ssl_cipher_list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
 	"ssl_prefer_server_ciphers=no" \
-	"ssl_dh=<$STORAGE_ROOT/ssl/ffdhe4096.pem"
+	"ssl_dh_parameters_length=2048" \
+	"ssl_dh=<$STORAGE_ROOT/ssl/dh2048.pem"
 
 # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit
 # login credentials outside of an encrypted connection. Only the over-TLS versions

setup/webmail.sh

@@ -115,8 +115,7 @@ cat > $RCM_CONFIG <<EOF;
 \$config['log_dir'] = '/var/log/roundcubemail/';
 \$config['temp_dir'] = '/var/tmp/roundcubemail/';
 \$config['db_dsnw'] = 'sqlite:///$STORAGE_ROOT/mail/roundcube/roundcube.sqlite?mode=0640';
-\$config['imap_host'] = 'ssl://localhost';
+\$config['imap_host'] = 'ssl://localhost:993';
-\$config['imap_port'] = 993;
 \$config['imap_conn_options'] = array(
   'ssl'         => array(
      'verify_peer'  => false,
@@ -141,6 +140,10 @@ cat > $RCM_CONFIG <<EOF;
 \$config['login_username_filter'] = 'email';
 \$config['password_charset'] = 'UTF-8';
 \$config['junk_mbox'] = 'Spam';
+/* ensure roudcube session id's aren't leaked to other parts of the server */
+\$config['session_path'] = '/mail/';
+/* prevent CSRF, requires php 7.3+ */
+\$config['session_samesite'] = 'Strict';
 ?>
 EOF
 

tools/editconf.py

@@ -136,9 +136,10 @@ while len(input_lines) > 0:
 # Put any settings we didn't see at the end of the file,
 # except settings being cleared.
 for i in range(len(settings)):
-	if (i not in found) and not (not val and erase_setting):
+	if i not in found:
 		name, val = settings[i].split("=", 1)
-		buf += name + delimiter + val + "\n"
+		if not (not val and erase_setting):
+			buf += name + delimiter + val + "\n"
 
 if not testing:
 	# Write out the new file.