From d96613b8fe91f3d04887aa3318d4ef2467cea08a Mon Sep 17 00:00:00 2001 
From: "Christopher A. DeFlumeri" Date: Sat, 7 Jul 2018 18:41:41 +0000 Subject: [PATCH] minimal changeset to get things working on 18.04 @joshdata squashed pull request #1398, removed some comments, and added these notes: * The old init.d script for the management daemon is replaced with a systemd service. * A systemd service configuration is added to configure permissions for munin on startup. * nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2. * Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config. * The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04. * The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders. * Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing. * Other minor changes. --- CHANGELOG.md | 3 + Vagrantfile | 9 +- conf/mailinabox.service | 10 ++ conf/management-initscript | 135 -------------------- conf/munin.service | 10 ++ conf/nginx-ssl.conf | 70 ++--------- conf/nginx.conf | 4 +- management/dns_update.py | 23 ++-- management/munin_start.sh | 2 + management/status_checks.py | 1 - setup/dkim.sh | 8 ++ setup/mail-dovecot.sh | 13 +- setup/mail-postfix.sh | 3 +- setup/management.sh | 8 +- setup/munin.sh | 8 ++ setup/{owncloud.sh => nextcloud.sh} | 185 ++++------------------------ setup/preflight.sh | 6 +- setup/start.sh | 2 +- setup/system.sh | 11 +- setup/webmail.sh | 2 - 20 files changed, 101 insertions(+), 412 deletions(-) create mode 100644 conf/mailinabox.service delete mode 100755 conf/management-initscript create mode 100644 conf/munin.service create mode 100644 management/munin_start.sh rename setup/{owncloud.sh => nextcloud.sh} (58%) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index befea2a7..64beabb9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,13 @@ CHANGELOG ========= +This branch supports Ubuntu 18.04 **only**. When upgrading, **always** upgrade your **existing** Ubuntu 14.04 machine to version the latest release supporting Ubuntu 14.04 --- v0.28. If you are running an older version of Mail-in-a-Box which has an old version of ownCloud or Nextcloud, you will *not* be able to upgrade your data because older versions of ownCloud and Nextcloud that are required to perform the upgrade *cannot* be run on Ubuntu 18.04. + In Development -------------- * Starting with v0.28, TLS certificate provisioning wouldn't work on new boxes until the mailinabox setup command was run a second time because of a problem with the non-interactive setup. + * Update to Nextcloud 13.0.5. * Update to Roundcube 1.3.7. * Update to Z-Push 2.4.4. diff --git a/Vagrantfile b/Vagrantfile index 770f66d2..467fb95e 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -2,14 +2,7 @@ # vi: set ft=ruby : Vagrant.configure("2") do |config| - config.vm.box = "ubuntu14.04" - config.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box" - - if Vagrant.has_plugin?("vagrant-cachier") - # Configure cached packages to be shared between instances of the same base box. - # More info on http://fgrehm.viewdocs.io/vagrant-cachier/usage - config.cache.scope = :box - end + config.vm.box = "ubuntu/bionic64" # Network config: Since it's a mail server, the machine must be connected # to the public web. However, we currently don't want to expose SSH since diff --git a/conf/mailinabox.service b/conf/mailinabox.service new file mode 100644 index 00000000..b4cfa6cf --- /dev/null +++ b/conf/mailinabox.service 
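Review bot: `config.vm.box = "ubuntu/bionic64"` is not pinned, so each `vagrant up` on a fresh machine resolves to whatever image Vagrant Cloud currently publishes under that name, whereas the removed `config.vm.box_url` named one explicit image. Consider adding `config.vm.box_version = "<pinned-version>"` (placeholder) next to it so the test environment is reproducible and a changed upstream box is a deliberate update rather than a silent one. The `Vagrant.configure` block continues outside the hunk.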
@@ -0,0 +1,10 @@
+[Unit]
+Description=Mail-in-a-Box System Management Service
+After=multi-user.target
+
+[Service]
+Type=idle
+ExecStart=/usr/local/lib/mailinabox/start
+
+[Install]
+WantedBy=multi-user.target
diff --git a/conf/management-initscript b/conf/management-initscript
deleted file mode 100755
index 8275da86..00000000
--- a/conf/management-initscript
+++ /dev/null
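Review bot: The new unit drops the UTF-8 locale exports (`LANGUAGE`, `LC_ALL`, `LANG`, `LC_TYPE`) that the deleted init script set with the comment that Python may otherwise be unable to read or write files; a systemd service does not inherit a login locale, so unless `/usr/local/lib/mailinabox/start` exports them itself (not visible in this diff) the management daemon now runs under the C locale. Add `Environment=LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8` to the `[Service]` section, or confirm the start script sets them. Since the daemon is now supervised by systemd, `Restart=on-failure` in `[Service]` is also cheap and keeps a crashed daemon from staying down until the next reboot.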
@@ -1,135 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: mailinabox -# Required-Start: $all -# Required-Stop: $all -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Start and stop the Mail-in-a-Box management daemon. -# Description: Start and stop the Mail-in-a-Box management daemon. -### END INIT INFO - -# Adapted from http://blog.codefront.net/2007/06/11/nginx-php-and-a-php-fastcgi-daemon-init-script/ - -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="Mail-in-a-Box Management Daemon" -NAME=mailinabox -DAEMON=/usr/local/lib/mailinabox/start -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Set defaults. -START=yes -EXEC_AS_USER=root - -# Ensure Python reads/writes files in UTF-8. If the machine -# triggers some other locale in Python, like ASCII encoding, -# Python may not be able to read/write files. Set also -# setup/start.sh (where the locale is also installed if not -# already present) and management/daily_tasks.sh. -export LANGUAGE=en_US.UTF-8 -export LC_ALL=en_US.UTF-8 -export LANG=en_US.UTF-8 -export LC_TYPE=en_US.UTF-8 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. -. /lib/lsb/init-functions - -# If the daemon is not enabled, give the user a warning and then exit, -# unless we are stopping the daemon -if [ "$START" != "yes" -a "$1" != "stop" ]; then - log_warning_msg "To enable $NAME, edit /etc/default/$NAME and set START=yes" - exit 0 -fi - -# Process configuration -#export ... 
-DAEMON_ARGS="" - - -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \ - --background --make-pidfile --chuid $EXEC_AS_USER --startas $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 -} - -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE > /dev/null # --name $DAEMON - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - restart|force-reload) - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" 
in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2 - exit 3 - ;; -esac diff --git a/conf/munin.service b/conf/munin.service new file mode 100644 index 00000000..06735d04 --- /dev/null +++ b/conf/munin.service @@ -0,0 +1,10 @@ +[Unit] +Description=Munin System Monitoring Startup Script +After=multi-user.target + +[Service] +Type=idle +ExecStart=/usr/local/lib/mailinabox/munin_start.sh + +[Install] +WantedBy=multi-user.target diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf index e893ad67..d4dc619b 100644 --- a/conf/nginx-ssl.conf +++ b/conf/nginx-ssl.conf 
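Review bot: `conf/munin.service` together with `management/munin_start.sh` recreates `/var/run/munin` by running a root shell script at boot, but the unit is ordered `After=multi-user.target` and has neither `Type=oneshot` nor `RemainAfterExit=yes`, so nothing that needs the directory earlier in the boot is guaranteed to find it and systemd will show the unit as inactive as soon as the script exits. The conventional mechanism for a runtime directory on tmpfs is a tmpfiles.d entry such as `d /run/munin 0755 munin <group> -` (group as appropriate) written by `setup/munin.sh`, which needs no service and is applied before any service starts. If the service is kept, `Type=oneshot` plus `RemainAfterExit=yes` and a `Before=` on whichever munin unit consumes the directory would make the intent explicit.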
@@ -1,76 +1,20 @@ -# from https://gist.github.com/konklone/6532544 and https://mozilla.github.io/server-side-tls/ssl-config-generator/ -################################################################################################################### - -# Basically the nginx configuration I use at konklone.com. -# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com -# -# To provide feedback, please tweet at @konklone or email eric@konklone.com. -# Comments on gists don't notify the author. -# -# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites. -# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration. - -# Path to certificate and private key. -# The .crt may omit the root CA cert, if it's a standard CA that ships with clients. -#ssl_certificate /path/to/unified.crt; -#ssl_certificate_key /path/to/my-private-decrypted.key; - -# Tell browsers to require SSL (warning: difficult to change your mind) -# Handled by the management daemon because we can toggle this version or a -# preload version. -#add_header Strict-Transport-Security max-age=31536000; - -# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities. -# -# Forces forward secrecy in all browsers and clients that can use TLS, -# but with a small exception (DES-CBC3-SHA) for IE8/XP users. 
-# -# Reference client: https://www.ssllabs.com/ssltest/analyze.html -ssl_prefer_server_ciphers on; -ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; - -# Cut out (the old, broken) SSLv3 entirely. -# This **excludes IE6 users** and (apparently) Yandexbot. -# Just comment out if you need to support IE6, bless your soul. +# We track the Mozilla "intermediate" compatibility TLS recommendations. +# Note that these settings are repeated in the SMTP and IMAP configuration. 
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; +ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; +ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem; -# Turn on session resumption, using a cache shared across nginx processes, # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; -#keepalive_timeout 70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good # Buffer size of 1400 bytes fits in one MTU. # nginx 1.5.9+ ONLY -#ssl_buffer_size 1400; +ssl_buffer_size 1400; -# SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6. -# -# BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3. -# Disable with 0, until using a version of nginx with SPDY 4. -spdy_headers_comp 0; - -# Now let's really get fancy, and pre-generate a 2048 bit random parameter -# for DH elliptic curves. If not created and specified, default is only 1024 bits. -# -# Generated by OpenSSL with the following command: -# openssl dhparam -outform pem -out dhparam2048.pem 2048 -# -# Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem. -ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem; - - -# OCSP stapling - means nginx will poll the CA for signed OCSP responses, -# and send them to clients so clients don't make their own OCSP calls. 
-# http://en.wikipedia.org/wiki/OCSP_stapling -# -# while the ssl_certificate above may omit the root cert if the CA is trusted, -# ssl_trusted_certificate below must point to a chain of **all** certs -# in the trust path - (your cert, intermediary certs, root cert) -# -# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. -# nginx will use them to talk to the CA. ssl_stapling on; ssl_stapling_verify on; resolver 127.0.0.1 valid=86400; resolver_timeout 10; + +# h/t https://gist.github.com/konklone/6532544 diff --git a/conf/nginx.conf b/conf/nginx.conf index ce662751..fafd3409 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -31,8 +31,8 @@ server { # The secure HTTPS server. server { - listen 443 ssl; - listen [::]:443 ssl; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name $HOSTNAME; diff --git a/management/dns_update.py b/management/dns_update.py index b6e1022d..5c1969d7 100755 --- a/management/dns_update.py +++ b/management/dns_update.py 
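Review bot: `ssl_prefer_server_ciphers on;` is removed with the old cipher block and not re-added, while the new `ssl_ciphers` list still ends with CBC and 3DES suites (`AES128-SHA`, `DES-CBC3-SHA`); with nginx's default of `off` the client's preference wins, so a client that lists those first negotiates a non-forward-secret or 3DES suite even though the list is ordered ECDHE/AEAD first. Re-add `ssl_prefer_server_ciphers on;` next to `ssl_ciphers`, as the Mozilla intermediate profile the new comment cites does. Session tickets are also left at nginx's default; the same profile sets `ssl_session_tickets off;` because nginx only rotates the ticket key on reload, which weakens forward secrecy for resumed sessions. Since `conf/nginx.conf` now enables `http2` on the same listeners, note that HTTP/2 clients refuse TLS 1.0/1.1 and the CBC/3DES suites in this list (RFC 7540 section 9.2), so keeping them only serves legacy HTTP/1.1 clients.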
@@ -354,19 +354,20 @@ def build_sshfp_records(): # Get our local fingerprints by running ssh-keyscan. The output looks # like the known_hosts file: hostname, keytype, fingerprint. The order # of the output is arbitrary, so sort it to prevent spurrious updates - # to the zone file (that trigger bumping the serial number). - - # scan the sshd_config and find the ssh ports (port 22 may be closed) + # to the zone file (that trigger bumping the serial number). However, + # if SSH has been configured to listen on a nonstandard port, we must + # specify that port to sshkeyscan. + port = 22 with open('/etc/ssh/sshd_config', 'r') as f: - ports = [] - t = f.readlines() - for line in t: - s = line.split() + for line in f: + s = line.rstrip().split() if len(s) == 2 and s[0] == 'Port': - ports = ports + [s[1]] - # the keys are the same at each port, so we only need to get - # them at the first port found (may not be port 22) - keys = shell("check_output", ["ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p", ports[0], "localhost"]) + try: + port = int(s[1]) + except ValueError: + pass + break + keys = shell("check_output", ["ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p", str(port), "localhost"]) for key in sorted(keys.split("\n")): if key.strip() == "" or key[0] == "#": continue try: diff --git a/management/munin_start.sh b/management/munin_start.sh new file mode 100644 index 00000000..682861e7 --- /dev/null +++ b/management/munin_start.sh @@ -0,0 +1,2 @@ +#!/bin/bash +mkdir -p /var/run/munin && chown munin /var/run/munin diff --git a/management/status_checks.py b/management/status_checks.py index 3b0026d9..2f4fe0a7 100755 --- a/management/status_checks.py +++ b/management/status_checks.py 
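Review bot: The new `Port` scan only matches `s[0] == 'Port'` on a whitespace-split line, but sshd_config keywords are case-insensitive and may be separated from their argument by `=` (`port 2222` and `Port=2222` are both valid), in which case `port` silently stays 22 and `ssh-keyscan` is pointed at a port sshd may not listen on. Normalising the match, e.g. `s = line.rstrip().replace('=', ' ', 1).split()` and `if len(s) == 2 and s[0].lower() == 'port':`, covers both forms; the `except ValueError: pass` should at least log the unparsable line rather than fall back silently. `status_checks.py` already calls a `get_ssh_port()` helper (visible as context in its hunk) — if the two are meant to agree, sharing that parser would keep them from drifting. `build_sshfp_records` continues outside the hunk.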
@@ -28,7 +28,6 @@ def get_services(): { "name": "Spamassassin", "port": 10025, "public": False, }, { "name": "OpenDKIM", "port": 8891, "public": False, }, { "name": "OpenDMARC", "port": 8893, "public": False, }, - { "name": "Memcached", "port": 11211, "public": False, }, { "name": "Mail-in-a-Box Management Daemon", "port": 10222, "public": False, }, { "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, }, { "name": "Public DNS (nsd4)", "port": 53, "public": True, }, diff --git a/setup/dkim.sh b/setup/dkim.sh index 830e9e18..dc7e51e2 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -21,6 +21,11 @@ mkdir -p $STORAGE_ROOT/mail/dkim # Not quite sure why. echo "127.0.0.1" > /etc/opendkim/TrustedHosts +# We need to at least create these files, since we reference them later. +# Otherwise, opendkim startup will fail +touch /etc/opendkim/KeyTable +touch /etc/opendkim/SigningTable + if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then true # already done #NODOC else @@ -75,6 +80,9 @@ tools/editconf.py /etc/postfix/main.cf \ non_smtpd_milters=\$smtpd_milters \ milter_default_action=accept +# We need to explicitly enable the opendmarc service, or it will not start +hide_output systemctl enable opendmarc + # Restart services. restart_service opendkim restart_service opendmarc diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index 21343964..4bcc53aa 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh @@ -26,7 +26,7 @@ source /etc/mailinabox.conf # load global vars echo "Installing Dovecot (IMAP server)..." apt_install \ dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-sqlite sqlite3 \ - dovecot-sieve dovecot-managesieved dovecot-lucene + dovecot-sieve dovecot-managesieved # The `dovecot-imapd`, `dovecot-pop3d`, and `dovecot-lmtpd` packages automatically # enable IMAP, POP and LMTP protocols. 
@@ -112,17 +112,6 @@ tools/editconf.py /etc/dovecot/conf.d/20-imap.conf \ tools/editconf.py /etc/dovecot/conf.d/20-pop3.conf \ pop3_uidl_format="%08Xu%08Xv" -# Full Text Search - Enable full text search of mail using dovecot's lucene plugin, -# which *we* package and distribute (dovecot-lucene package). -tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \ - mail_plugins="\$mail_plugins fts fts_lucene" -cat > /etc/dovecot/conf.d/90-plugin-fts.conf << EOF; -plugin { - fts = lucene - fts_lucene = whitespace_chars=@. -} -EOF - # ### LDA (LMTP) # Enable Dovecot's LDA service with the LMTP protocol. It will listen diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index ca52edbd..10322bca 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -48,9 +48,8 @@ source /etc/mailinabox.conf # load global vars # > Every user with more than 100’000 queries per day on the public nameserver # > infrastructure and every commercial vendor of dnswl.org data (eg through # > anti-spam solutions) must register with dnswl.org and purchase a subscription. - echo "Installing Postfix (SMTP server)..." -apt_install postfix postfix-pcre postgrey ca-certificates +apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates # ### Basic Settings diff --git a/setup/management.sh b/setup/management.sh index 064906d3..1e29ab8c 100755 --- a/setup/management.sh +++ b/setup/management.sh 
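Review bot: Dropping the `fts fts_lucene` configuration only stops writing it; a box that ran an earlier setup still has `/etc/dovecot/conf.d/90-plugin-fts.conf` and `fts fts_lucene` in `mail_plugins` in `10-mail.conf`, and with `dovecot-lucene` no longer installed dovecot will fail to load the missing plugin on its next restart. If re-running setup on an existing installation is supported (the CHANGELOG hunk suggests the 18.04 path is a fresh box, so this may not apply), add `rm -f /etc/dovecot/conf.d/90-plugin-fts.conf` here and remove `fts fts_lucene` from `mail_plugins`. The enclosing script continues outside the hunk.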
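Review bot: The dnswl.org comment block this hunk leaves in place (the lines quoting dnswl.org's query limits; its start is outside the hunk) appears to describe the DNSWL whitelisting that, per the commit description, is lost by switching from the PPA postgrey to the stock package, so it no longer matches what is installed and should be trimmed or reworded. The addition of `postfix-sqlite` to `apt_install` is otherwise unremarked; a one-line comment saying what it is needed for would help the next reader.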
@@ -87,16 +87,16 @@ rm -f /tmp/bootstrap.zip # Create an init script to start the management daemon and keep it # running after a reboot. -rm -f /usr/local/bin/mailinabox-daemon # old path +rm -f /usr/local/bin/mailinabox-daemon /etc/init.d/mailinabox # old paths cat > $inst_dir/start < /dev/null || /bin/true - service php5-fpm stop &> /dev/null || /bin/true # Backup the existing ownCloud/Nextcloud. # Create a backup directory to store the current installation and database to BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"` mkdir -p "$BACKUP_DIRECTORY" if [ -d /usr/local/lib/owncloud/ ]; then - echo "upgrading ownCloud/Nextcloud to $owncloud_flavor $owncloud_ver (backing up existing installation, configuration and database to directory to $BACKUP_DIRECTORY..." + echo "Upgrading Nextcloud --- backing up existing installation, configuration, and database to directory to $BACKUP_DIRECTORY..." cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install" fi if [ -e /home/user-data/owncloud/owncloud.db ]; then cp /home/user-data/owncloud/owncloud.db $BACKUP_DIRECTORY - fi - if [ -e /home/user-data/owncloud/config.php ]; then - cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY - fi + fi + if [ -e /home/user-data/owncloud/config.php ]; then + cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY + fi - # We only need to check if we do upgrades when owncloud/Nextcloud was previously installed + # If ownCloud or Nextcloud was previously installed.... if [ -e /usr/local/lib/owncloud/version.php ]; then - if grep -q "OC_VersionString = '8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running 8.1.x, upgrading to 8.2.11 first" - InstallOwncloud 8.2.11 e4794938fc2f15a095018ba9d6ee18b53f6f299c + # Database migrations from ownCloud are no longer possible because ownCloud cannot be run under + # PHP 7. + if grep -q "OC_VersionString = '[89]\." 
/usr/local/lib/owncloud/version.php; then + echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 8 or 9) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting." + exit 1 fi - - # If we are upgrading from 8.2.x we should go to 9.0 first. Owncloud doesn't support skipping minor versions - if grep -q "OC_VersionString = '8\.2\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running version 8.2.x, upgrading to 9.0.11 first" - - # We need to disable memcached. The upgrade and install fails - # with memcached - CONFIG_TEMP=$(/bin/mktemp) - php < $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php; - -EOF - chown www-data.www-data $STORAGE_ROOT/owncloud/config.php - - # We can now install owncloud 9.0.11 - InstallOwncloud 9.0.11 fc8bad8a62179089bc58c406b28997fb0329337b - - # The owncloud 9 migration doesn't migrate calendars and contacts - # The option to migrate these are removed in 9.1 - # So the migrations should be done when we have 9.0 installed - sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-addressbooks - # The following migration has to be done for each owncloud user - for directory in $STORAGE_ROOT/owncloud/*@*/ ; do - username=$(basename "${directory}") - sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-calendar $username - done - sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:sync-birthday-calendar - fi - - # If we are upgrading from 9.0.x we should go to 9.1 first. 
- if grep -q "OC_VersionString = '9\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running ownCloud 9.0.x, upgrading to ownCloud 9.1.7 first" - InstallOwncloud 9.1.7 1307d997d0b23dc42742d315b3e2f11423a9c808 - fi - - # Newer ownCloud 9.1.x versions cannot be upgraded to Nextcloud 10 and have to be - # upgraded to Nextcloud 11 straight away, see: - # https://github.com/nextcloud/server/issues/2203 - # However, for some reason, upgrading to the latest Nextcloud 11.0.7 doesn't - # work either. Therefore, we're upgrading to Nextcloud 11.0.0 in the interim. - # This should not be a problem since we're upgrading to the latest Nextcloud 12 - # in the next step. - if grep -q "OC_VersionString = '9\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running ownCloud 9.1.x, upgrading to Nextcloud 11.0.0 first" - InstallNextcloud 11.0.0 e8c9ebe72a4a76c047080de94743c5c11735e72e - fi - - # If we are upgrading from 10.0.x we should go to Nextcloud 11.0 first. - if grep -q "OC_VersionString = '10\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then - echo "We are running Nextcloud 10.0.x, upgrading to Nextcloud 11.0.7 first" - InstallNextcloud 11.0.7 f936ddcb2ae3dbb66ee4926eb8b2ebbddc3facbe + if grep -q "OC_VersionString = '10\." /usr/local/lib/owncloud/version.php; then + echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 10) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting." + exit 1 fi # If we are upgrading from Nextcloud 11 we should go to Nextcloud 12 first. @@ -253,7 +120,7 @@ EOF fi fi - InstallNextcloud $owncloud_ver $owncloud_hash + InstallNextcloud $nextcloud_ver $nextcloud_hash fi # ### Configuring Nextcloud 
@@ -278,10 +145,10 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then 'overwritewebroot' => '/cloud', 'overwrite.cli.url' => '/cloud', 'user_backends' => array( - array( - 'class'=>'OC_User_IMAP', - 'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}') - ) + array( + 'class'=>'OC_User_IMAP', + 'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}') + ) ), 'memcache.local' => '\OC\Memcache\APCu', 'mail_smtpmode' => 'sendmail', @@ -397,7 +264,7 @@ tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \ # Configure the path environment for php-fpm tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \ - env[PATH]=/usr/local/bin:/usr/bin:/bin + env[PATH]=/usr/local/bin:/usr/bin:/bin # If apc is explicitly disabled we need to enable it if grep -q apc.enabled=0 /etc/php/7.0/mods-available/apcu.ini; then diff --git a/setup/preflight.sh b/setup/preflight.sh index 4be2ec41..54fcd6c9 100644 --- a/setup/preflight.sh +++ b/setup/preflight.sh @@ -7,9 +7,9 @@ if [[ $EUID -ne 0 ]]; then exit fi -# Check that we are running on Ubuntu 14.04 LTS (or 14.04.xx). -if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" != "Ubuntu 14.04 LTS" ]; then - echo "Mail-in-a-Box only supports being installed on Ubuntu 14.04, sorry. You are running:" +# Check that we are running on Ubuntu 18.04 LTS (or 18.04.xx). +if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" != "Ubuntu 18.04 LTS" ]; then + echo "Mail-in-a-Box only supports being installed on Ubuntu 18.04, sorry. You are running:" echo lsb_release -d | sed 's/.*:\s*//' echo diff --git a/setup/start.sh b/setup/start.sh index 3dbaed54..9d64bba5 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -106,7 +106,7 @@ source setup/dkim.sh source setup/spamassassin.sh source setup/web.sh source setup/webmail.sh -source setup/owncloud.sh +source setup/nextcloud.sh source setup/zpush.sh source setup/management.sh source setup/munin.sh 
diff --git a/setup/system.sh b/setup/system.sh index 04728051..29ee97bd 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -70,7 +70,7 @@ fi # ### Add PPAs. -# We install some non-standard Ubuntu packages maintained by us and other +# We install some non-standard Ubuntu packages maintained by other # third-party providers. First ensure add-apt-repository is installed. if [ ! -f /usr/bin/add-apt-repository ]; then @@ -79,14 +79,7 @@ if [ ! -f /usr/bin/add-apt-repository ]; then apt_install software-properties-common fi -# [Main-in-a-Box's own PPA](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa) -# holds several .deb packages that we built on our own. -# One is a replacement for Ubuntu's stock postgrey package that makes -# some enhancements. The other is dovecot-lucene, a Lucene-based full -# text search plugin for (and by) dovecot, which is not available in -# Ubuntu currently. - -hide_output add-apt-repository -y ppa:mail-in-a-box/ppa +# Install the certbot PPA. hide_output add-apt-repository -y ppa:certbot/certbot # ### Update Packages diff --git a/setup/webmail.sh b/setup/webmail.sh index 38aee942..798641f9 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -25,8 +25,6 @@ apt_install \ php7.0-cli php7.0-sqlite php7.0-mcrypt php7.0-intl php7.0-json php7.0-common php7.0-curl \ php7.0-gd php7.0-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php7.0-mbstring -apt_get_quiet remove php-mail-mimedecode # no longer needed since Roundcube 1.1.3 - # We used to install Roundcube from Ubuntu, without triggering the dependencies #NODOC # on Apache and MySQL, by downloading the debs and installing them manually. #NODOC # Now that we're beyond that, get rid of those debs before installing from source. #NODOC
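Review bot: Removing `hide_output add-apt-repository -y ppa:mail-in-a-box/ppa` stops adding the PPA, but a box where an earlier setup already added it keeps the source under `/etc/apt/sources.list.d/` and apt will keep preferring the PPA's `postgrey` over the stock package this commit switches to. If re-running setup on an existing box is supported, remove the source explicitly, e.g. `hide_output add-apt-repository -y --remove ppa:mail-in-a-box/ppa` guarded by a check that its list file exists; if only fresh 18.04 installs are supported, a comment saying so next to the certbot line would settle the question. The `if` block in the second hunk's context starts outside the hunk.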