From 34017548d5833e598fc0b72f9b816fa788c119d3 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Fri, 22 Oct 2021 18:39:53 -0400
Subject: [PATCH 1/5] Don't crash if a custom DNS entry is not under a zone managed by the box, fixes #1961
---
 management/daemon.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/management/daemon.py b/management/daemon.py
index e8e679e4..0bbb1ad5 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -330,7 +330,7 @@ def dns_get_records(qname=None, rtype=None):
 r["sort-order"]["created"] = i
 domain_sort_order = utils.sort_domains([r["qname"] for r in records], env)
 for i, r in enumerate(sorted(records, key = lambda r : (
- zones.index(r["zone"]),
+ zones.index(r["zone"]) if r.get("zone") else 0, # record is not within a zone managed by the box
 domain_sort_order.index(r["qname"]),
 r["rtype"]))):
 r["sort-order"]["qname"] = i
From 7b4cd443bf3f49c66ee2eb7f695b6a53232f7d81 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Fri, 22 Oct 2021 18:49:16 -0400
Subject: [PATCH 2/5] How to report security issues
---
 security.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/security.md b/security.md
index 5de8c612..52e84241 100644
--- a/security.md
+++ b/security.md
@@ -3,7 +3,12 @@ Mail-in-a-Box Security Guide
 Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components.
-This page documents the security features of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box.
+This page documents the security posture of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box.
+
+Reporting Security Vulnerabilities
+----------------------------------
+
+Security vulnerabilities should be reported to the [project's maintainer](https://joshdata.me) via email.
 Threat Model
 ------------
From c67ff241c43aa101e3e830795ae0fea54c947f67 Mon Sep 17 00:00:00 2001
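Review bot: The `else 0` fallback on the added key line makes a record with no `zone` sort equal to records of the first managed zone, since `zones.index` returns 0 for that zone, so unmanaged custom records are interleaved with that zone's entries instead of being grouped on their own; `zones.index(r["zone"]) if r.get("zone") else len(zones), # records outside any box-managed zone sort last` would place them after every managed zone (or `-1` to place them first). The `r.get("zone")` guard only covers a missing or empty key: a `zone` value that is present but absent from `zones` would still raise `ValueError` from `zones.index`, which this commit does not address, and whether that can occur depends on how records are built outside the hunk. dns_get_records starts before the hunk and the loop body continues after it.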
From: Joshua Tauberer
Date: Sat, 23 Oct 2021 08:57:05 -0400
Subject: [PATCH 3/5] Updates to security.md
---
 security.md | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/security.md b/security.md
index 52e84241..ac508c93 100644
--- a/security.md
+++ b/security.md
@@ -54,9 +54,7 @@ Additionally:
 ### Password Storage
-The passwords for mail users are stored on disk using the [SHA512-CRYPT](http://man7.org/linux/man-pages/man3/crypt.3.html) hashing scheme. ([source](management/mailconfig.py))
-
-When using the web-based administrative control panel, after logging in an API key is placed in the browser's local storage (rather than, say, the user's actual password). The API key is an HMAC based on the user's email address and current password, and it is keyed by a secret known only to the control panel service. By resetting an administrator's password, any HMACs previously generated for that user will expire.
+The passwords for mail users are stored on disk using the [SHA512-CRYPT](http://man7.org/linux/man-pages/man3/crypt.3.html) hashing scheme. ([source](management/mailconfig.py)) Password changes (as well as changes to control panel two-factor authentication settings) expire any control panel login sessions.
 ### Console access
@@ -70,7 +68,7 @@ If DNSSEC is enabled at the box's domain name's registrar, the SSHFP record that
 `fail2ban` provides some protection from brute-force login attacks (repeated logins that guess account passwords) by blocking offending IP addresses at the network level.
-The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), Nextcloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel & munin (over HTTP).
+The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), Nextcloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel (over HTTP).
 Some other services running on the box may be missing fail2ban filters.
From 86067be1425cb7df60c347dc1998ce9fc533acdd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?= <1682504+fspoettel@users.noreply.github.com>
Date: Wed, 27 Oct 2021 18:27:54 +0200
Subject: [PATCH 4/5] fix(docs): set a schema for /logout responses (#2051)
* this remedies an OpenAPI syntax violation resulting in a redoc-cli crash
---
 api/mailinabox.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/api/mailinabox.yml b/api/mailinabox.yml
index bd4b203b..6e289f30 100644
--- a/api/mailinabox.yml
+++ b/api/mailinabox.yml
@@ -110,6 +110,8 @@ paths:
 description: Successful operation
 content:
 application/json:
+ schema:
+ $ref: '#/components/schemas/LogoutResponse'
 /system/status:
 post:
 tags:
@@ -2723,3 +2725,8 @@ components:
 nullable: true
 MfaDisableSuccessResponse:
 type: string
+ LogoutResponse:
+ type: object
+ properties:
+ status:
+ type: string
From 646f971d8bac7671646e4167b71b45b4b609e048 Mon Sep 17 00:00:00 2001
From: kiekerjan
Date: Sun, 31 Oct 2021 17:49:26 +0100
Subject: [PATCH 5/5] Update mailinabox.yml (#2054)
The examples for login and logout use GET instead of POST. GET gives me an error when using it, while POST seems to work.
---
 api/mailinabox.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
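Review bot: The new `LogoutResponse` schema in the second hunk of the mailinabox.yml patch declares a `status` property but no `required` list, so validators and generated clients treat the field as optional even if the `/logout` handler always returns it; if it does, add `required:` followed by `  - status` under `type: object`, indented like `properties`. An `example:` under `status` carrying the value the daemon actually emits would also improve the rendered docs, but that value is not visible in this hunk, so confirm it against the handler before adding it. The neighbouring `MfaDisableSuccessResponse` is a bare `type: string`, so the object form here is not inconsistent with its siblings, only less complete than it could be.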
diff --git a/api/mailinabox.yml b/api/mailinabox.yml
index 6e289f30..f3290fb9 100644
--- a/api/mailinabox.yml
+++ b/api/mailinabox.yml
@@ -71,7 +71,7 @@ paths:
 x-codeSamples:
 - lang: curl
 source: |
- curl -X GET "https://{host}/admin/login" \
+ curl -X POST "https://{host}/admin/login" \
 -u ":"
 responses:
 200:
@@ -103,7 +103,7 @@ paths:
 x-codeSamples:
 - lang: curl
 source: |
- curl -X GET "https://{host}/admin/logout" \
+ curl -X POST "https://{host}/admin/logout" \
 -u ":"
 responses:
 200: