1039a08be6
/admin login now issues a user-specific key for future calls (rather than providing the system-wide API key or passing the password on each request)
2015-01-31 20:42:43 +00:00
023b38df50
split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism
...
This was done to pave the way for two-factor authentication, but that's still a ways off.
2015-01-31 20:41:41 +00:00
3187053b3a
dont save the CSR generated to make self-signed certificates for non-primary domains (it has no value and might be confusing)
2015-01-31 13:27:06 +00:00
63f2abd923
Fix typos in backup status template
2015-01-29 09:25:12 +00:00
d3059c810f
Fix typo in mail-guide.html
...
Sercurity -> Security
2015-01-21 08:23:26 +01:00
85a40da83c
catch-all aiases and domain aliases should not require postmaster@ and admin@ aliases because they'll forward anyway
2015-01-19 23:32:36 +00:00
1bf8f1991f
internationalized domain names (DNS, web, CSRs, normalize to Unicode in database, prohibit non-ASCII characters in user account names)
...
* For non-ASCII domain names, we will keep the Unicode encoding in our users/aliases table. This is nice for the user and also simplifies things like sorting domain names (using Unicode lexicographic order is good, using ASCII lexicogrpahic order on IDNA is confusing).
* Write nsd config, nsd zone files, nginx config, and SSL CSRs with domains in IDNA-encoded ASCII.
* When checking SSL certificates, treat the CN and SANs as IDNA.
* Since Chrome has an interesting feature of converting Unicode to IDNA in <input type="email"> form fields, we'll also forcibly convert IDNA to Unicode in the domain part of email addresses before saving email addresses in the users/aliases tables so that the table is normalized to Unicode.
* Don't allow non-ASCII characters in user account email addresses. Dovecot gets confused when querying the Sqlite database (which we observed even for non-word ASCII characters too, so it may not be related to the character encoding).
2015-01-19 23:31:55 +00:00
d155aa8745
if all system services are running, say so in the status checks rather than being totally silent
2015-01-19 22:04:25 +00:00
24cc108147
if a custom CNAME record is set, don't add a default A/AAAA record, e.g. for 'www'
...
see https://discourse.mailinabox.email/t/multiple-domains-in-mail-in-a-box-with-the-domains-being-hosted-elsewhere/56/18
2015-01-19 22:04:21 +00:00
09713e8eab
status checks: check that system services are running
...
If bind9 isn't running, dont proceed with other checks because we can't do DNS checks. Even though we skip, add error handling so that a failed call to rndc doesn't crash and that a timeout in a DNS check doesn't crash the status checks.
2015-01-11 14:13:35 +00:00
6499c82d7f
explain how to add SRV records to DNS zonefile using the API
2015-01-04 10:23:34 +01:00
fddab5d432
allow the dns api to set srv records
...
see https://discourse.mailinabox.email/t/create-srv-record-at-the-dns-server/225
2015-01-02 23:39:09 +00:00
f141af4b61
status checks: dont die if openssh-server isn't installed
...
see https://discourse.mailinabox.email/t/local-dns-is-not-working-was-unable-to-check-system-status/165/39
2015-01-02 22:59:29 +00:00
3d8ea0e6ed
mail log scanner: dont assume lines are utf8
2015-01-02 22:49:25 +00:00
399f9d9bdf
in status checks, clear bind9 cache using rndc rather than restarting bind9
2014-12-26 13:22:14 +00:00
2b76fd299e
admin: ensure multiple concurrent api calls dont confuse the ajax loading indicator (track number of open requets, stop fade animation when it is time to hide)
2014-12-21 22:47:11 +00:00
90592bb157
add a control panel for setting custom dns records so that we dont have to use the api manually
2014-12-21 11:31:24 -05:00
c3a7e3413b
Fixed a small status check bug, where secondary dns server check fails misleadingly.
2014-12-09 12:40:32 +01:00
d390bfb215
indicate in the admin when a multi-domain or wildcard certificate is in use
2014-12-05 14:43:52 -05:00
ceba53f1c4
explain how to install a multi-domain or wildcard ssl cert; if one is installed, the Replace Cert button in the admin for non-primary domains should not replace the cert on the primary domain
2014-12-05 14:25:14 -05:00
be59bcd47d
for .fund domains use RSASHA256 DNSSEC keys
2014-12-05 12:03:21 -05:00
cfe0fa912a
add a 'redirects' feature in web/custom.yaml
2014-12-05 12:03:21 -05:00
82cf5b72e4
simplify some output in the work-in-progress mail log scanner
2014-11-30 14:41:30 +00:00
a7710e9058
dns.resolver.query treats hostnames as relative names if they don't end in a period
...
Relative hostnames have a fall-back lookup with the machine's hostname appended, which makes no sense. Add a period, e.g. "my.hostname.com" => "my.hostname.com.", to prevent that.
This caused false positive Spamhaus checks. Fixes #185 .
2014-11-21 15:16:59 +00:00
057c1dd913
recommend IMAP/SMTP for everyone
2014-11-18 16:47:42 +00:00
06f2477cfd
the new iOS configuration profile also is used on OS X 10.10.1, see #261
2014-11-18 16:32:37 +00:00
cdaa2c847d
[merge] iOS Mobile Configuration Profile
2014-11-14 13:56:18 +00:00
7e7abf3b53
support "domain aliases" (@domain => @domain aliases)
...
This seemed to already be technically supported but the validation is now stricter and the admin is more helpful:
* Postfix seems to allow @domain.tld as an alias destination address but only if it is the only destination address (see the virtual man page).
* Allow @domain.tld if it is the whole destination address string.
* Otherwise, do not allow email addresses without local parts in the destination.
* In the admin, add a third tab for making it clear how to add a domain alias.
closes #265
2014-11-14 13:35:58 +00:00
c872e6a9f0
iOS Configuration Profile
...
change name
removed .vagrant
fix guide layout
2014-11-05 18:42:04 +01:00
ec73c171c7
when installing a ssl cert for the primary hostname, dns, postfix, and dovecot all need to be updated/kicked
...
see https://discourse.mailinabox.email/t/there-is-a-problem-with-the-ssl-certificate/144/4
2014-10-28 11:38:04 +00:00
f9acf0adec
better errors for ssl certificates
2014-10-24 21:30:33 +00:00
8b65c11cdf
the namecheap link was bad
2014-10-23 17:17:26 +00:00
34fca29dd3
fix the animated scroll target on the ssl panel to scroll so that the header is actually visible and not covered by the nav bar
2014-10-23 17:10:21 +00:00
b75fbf22ca
clear the local dns cache each time the status checks are run by restarting bind9
2014-10-23 17:06:33 +00:00
d790cae0e2
DNSSEC: use RSASHA256 for the .guide tld too
2014-10-23 17:03:23 +00:00
f35b2081a1
s/os.rename/shutil.move/ so that the file can be moved across filesystem boundaries, fxies #246
2014-10-21 11:45:14 +00:00
f0508d8cc9
Improve wrapping of external DNS value column to prevent layout overflow
...
see #244
Conflicts:
management/templates/external-dns.html
2014-10-21 11:33:42 +00:00
47dd59c2a7
admin mail guide: use bootstrap .panel to style the tips
...
also give more space for the login settings and less space to the tips
2014-10-21 11:17:49 +00:00
c2fe1bc2e3
document +tag addresses in the mail guide
2014-10-21 11:17:49 +00:00
cce1184090
admin: change the css class name around the panels to not invoke the bootstrap 'panel' css
2014-10-21 11:17:49 +00:00
1adb1d8307
admin: there is no need to make each panel a separate bootstrap container
...
* also fixes the footer alignment to be within a container rather than a container-fluid
* this changed the width of the login form slightly, so am cleaning that up too
see #244
2014-10-21 11:17:28 +00:00
c2174e10a6
some admin pages had a container within a container
...
see #244
2014-10-21 11:17:15 +00:00
86a5394f07
fix control panel when no backup has been made yet
2014-10-15 12:31:08 -04:00
b5b3fca137
report free disk space in the admin
2014-10-13 14:12:16 +00:00
048e35a80f
fix display of backups that are past due to be reaped
2014-10-13 14:12:16 +00:00
fb3045f456
retain backups only for 3 days; beyond that the user is responsible for copying files off of the machine
2014-10-13 14:12:11 +00:00
57f8ee0b09
Smoothly scroll to alias edit form.
2014-10-11 21:52:00 +02:00
64220292f1
Jump to the panel_aliases anchor (top) to directly edit the selected alias
2014-10-11 19:56:36 +02:00
82851d6d2d
suppress "Something went wrong, sorry." when the management daemon's api key has changed
2014-10-11 17:06:22 +00:00
2f952a7915
delay an ajax call to see if this fixes the problem of the loading indicator not going away after showing the user a panel after login
2014-10-11 17:06:22 +00:00
ca57560f11
Pass additional_records to recursive build_zone calls, closes #229
...
The problem was that custom records defined for a subdomain where implicit
records are otherwise defined (e.g. A/AAAA records for the root) were ignored.
Though additional_records for a subdomain are processed in the base call to
build_zone (the call for the parent domain), and so custom records that don't
override implicits were working fine, those that overrode implicits were
ignored.
This was because the recursive call to build_zone for the subdomain creates the
implicit records (including A/AAAA records for the root), and so by relying on
the base call to add the additional_records fails because has_rec returned
true.
Adding a subdomain's additional_records in the child call works because has_rec
returns false when testing whether to add an e.g. A/AAAA override for the root,
as the defaults have not yet been added.
2014-10-11 17:04:35 +01:00
17331e7d82
adding a really slick ssl certificate installation form in the control panel
2014-10-10 15:49:14 +00:00
5130b279d8
management/mail_log.py also include the previously rotated log file
2014-10-10 13:59:50 +00:00
aac6e49b94
spelling typo
2014-10-10 13:50:44 +00:00
ac49912b39
recommend DAVdroid
...
see http://discourse.mailinabox.email/t/recommend-a-different-android-carddav-and-caldav-android/102/1
2014-10-07 20:53:37 +00:00
0441a2e2e3
make a self-signed certificate on a non-primary domain a warning rather than an error, fixes #95
2014-10-07 20:41:07 +00:00
06a8ce1c9d
in the admin, show user mailbox sizes, fixes #210
2014-10-07 20:24:11 +00:00
443b084a17
in the admin, group aliases by domain, fixes #211
2014-10-07 19:47:46 +00:00
990649af2d
in the admin, group users by domain, fixes 209
2014-10-07 19:47:43 +00:00
6f4d29a410
tweak the new web instructions
2014-10-07 16:17:45 +00:00
6ab29c3244
add instructions for static web hosting into the control panel
2014-10-07 16:05:42 +00:00
bf9b770255
sort SSHFP records so that DNS updates don't trigger spurrious zone changes
2014-10-07 15:15:22 +00:00
9210ebdb9f
control panel tweaks
2014-10-07 15:12:35 +00:00
a56bb984d6
handle catastrophically bad certificates rather than raising an exception
2014-10-07 14:58:21 +00:00
7d1c0b3834
show SSL certificate expiration info in the control panel even long before certificates expire
2014-10-07 14:49:36 +00:00
20892b5d5b
status check on ns records should now take into account that secondary dns may be customized, see #223
2014-10-05 18:42:52 +00:00
4cf53cd8ee
backup status relativedelta was displaying wrong for deltas greater than 1 month
2014-10-05 18:23:29 +00:00
f42a1c5a74
allow overriding the second nameserver with a secondary/slave server
...
fixes #151
fixes #223
2014-10-05 14:53:42 +00:00
092c842a87
split external/custom dns into separate pages in the admin
2014-10-05 13:38:23 +00:00
d9ecc50119
since the management server binds to 127.0.0.1, must use that and not 'localhost' to connect to it because 'localhost' resolves to the IPv6 ::1 when it is available, see #224
2014-10-05 09:01:26 -04:00
4ae76aa2dd
dnssec: use RSASHA256 keys for .email domains
2014-10-04 17:29:42 +00:00
779d921410
status checks: put DNSSEC tests in a better order w.r.t. other tests
...
* If the PRIMARY_HOSTNAME is in a zone with a DS record set at the registrar, show any DNSSEC failure (but only a failure) immediately since it is probably the cause of other DNS errors displayed later.
* For zones, if a DS record is set at the register, do the DNSSEC test first because even the NS test will fail if DNSSEC is improperly configure.
* But if a DS record is not set, the this is just a suggestion to configure DNSSEC so offer the suggestion last --- after mail and web checks.
see https://discourse.mailinabox.email/t/dns-nameserver-gandi-glue-records-issues/105/3
2014-10-01 12:13:11 +00:00
5c7ba2a4c7
preliminary work on a mail.log scanner to report things in the control panel
2014-09-27 13:33:13 +00:00
e9cc3fdaab
make mail instructions clearer and describe greylisting, DMARC policy
2014-09-27 13:32:22 +00:00
8bd37ea53c
add catch-alls to the admin again with nicer instructions
2014-09-27 13:32:22 +00:00
ab47144ae3
add strict SPF and DMARC records to any subdomains (including custom records) that do not have SPF/DMARC set
...
closes #208
2014-09-26 14:01:03 +00:00
9b6f9859d1
dns_update: assume DKIM is present
2014-09-26 14:01:03 +00:00
5a89f3c633
don't allow catch-all addresses in the admin because they take precedence over mail users and that's counter-intuitive
...
For now use the command-line tools/mail.py if you need it.
see #200
Revert "Changed incomming-email-input to type text"
This reverts commit 9631fab7b2
2014-09-24 12:36:47 +00:00
c2ddabe683
fix ajax loading indicator positioning
2014-09-21 17:41:46 +00:00
846768efcb
admin: update user's password from the admin
2014-09-21 17:24:01 +00:00
8dfbb90f3a
admin: simplify the users table a bit
2014-09-21 17:10:23 +00:00
c7c3bd33cf
DNS API should reject qnames that aren't in a zone managed by the box
...
see https://discourse.mailinabox.email/t/set-www-a-and-other-dns-records-after-install/63/10
2014-09-21 13:37:30 +00:00
1637153566
make the DNS API a little clearer
2014-09-21 13:37:30 +00:00
05510f25a5
warn if a SSL cert is expiring in 30 days
2014-09-21 13:37:30 +00:00
b8ea7282b0
don't run `apt-get update` when generating the status checks output because it is so slow and should be update daily by cron anyway
2014-09-21 13:37:30 +00:00
ff0c85615b
correct typo in comment
2014-09-15 10:02:25 +00:00
16e2350fef
revise the description of A records on domains: the A record must be present for good deliverability so that the envelope domain resolves, but it doesn't have to resolve to this machine
2014-09-15 06:00:50 -04:00
9631fab7b2
Changed incomming-email-input to type text
...
The input type="email" validation won't allow "@example.com", which is needed for catch-all-aliases.
2014-09-12 18:08:33 +02:00
196e42e8b5
don't automatically create an alias if a user account already exists by that name
...
In the event the first user is an address that we'd normally create as an alias,
we'd generate a loop from the alias to the administrative alias to the first user
account (which was the alias again).
hopefully fixes #186
2014-09-09 11:41:47 +00:00
f09da719f7
show the response from spamhaus.org in the status checks output
2014-09-08 20:27:26 +00:00
e9e95cbed5
tweak backup explanatory text
2014-09-08 20:12:31 +00:00
98fc449b49
only hold onto backups for 14 days (not 31) and show when the backups will be deleted in the control panel
2014-09-08 20:09:18 +00:00
bab8b515ea
new logic for determining when to take a full backup
2014-09-08 19:42:54 +00:00
cce6bc02a8
add links to IANA tables for DNSSEC algorithm/digest number assignemnts
2014-09-07 10:59:20 -04:00
110e0f90d9
dns: move the quoting of TXT records to when we write the zone file so that we can display it unquoted in the External DNS instructions
2014-09-07 11:42:20 +00:00
b5122770cc
tweak admin template for external DNS
2014-09-07 07:22:39 -04:00
03f9358de4
when checking SSL certs are OK, check for wildcard certificates
...
fixes #175 (hopefully)
2014-09-03 17:31:47 +00:00
f77f1e656c
split CardDAV instrctions into a new page and add CalDAV instructions; create nice redirects at /cloud/calendar and /cloud/contacts
2014-09-03 10:51:19 +00:00
b420e560c3
dont show 'make admin' on archived mailbox accounts and other control panel cleanup
2014-09-03 10:17:46 +00:00
7a449c76a1
set the DNS TTL to 30 minutes rather than 1 day
...
Also updating the values for secondary DNS, but we're not set up
for secondary DNS so it won't matter.
see #172
2014-09-01 23:06:55 +00:00
3853e8dd93
show the status of backups in the control panel
2014-09-01 13:06:53 +00:00
10a37cd033
add SSHFP records to DNS
2014-08-27 12:59:40 +00:00
684d9b3c70
prettify the custom DNS docs
2014-08-27 12:57:47 +00:00
699923d605
Merge pull request #166 from benschumacher/master
...
Fix typo in dns_update.py.
2014-08-26 16:13:11 -04:00
d5efb05f31
Fix typo in dns_update.py.
2014-08-26 15:58:34 -04:00
2afd0be591
Replace spaces by tabs in 106-109
2014-08-26 12:16:20 -04:00
92c7815d2c
Merge pull request #156 from skosch/patch-1
...
Allow users to insert custom nginx configuration directives through new optional files.
2014-08-26 10:24:22 -04:00
06a4046d13
fix link to /cloud in the admin, fixes #160
2014-08-26 11:51:47 +00:00
9b8d85de45
if there are no admins when trying to access the control panel, tell the user how to make an admin from SSH
2014-08-26 11:31:45 +00:00
b76cbae5a0
document the DNS API in the control panel
...
see #140 , #155 , df20d447a9
2014-08-25 23:52:41 +00:00
ed8ce16fb5
show custom DNS records in the control panel too, fixes #155
2014-08-25 23:35:44 +00:00
a32806da32
create STORAGE_ROOT/backup/duplicity if it doesn't exist
...
fixes #158
2014-08-25 23:29:00 +00:00
18f0406541
update comments in backup.py
2014-08-25 23:28:43 +00:00
bc9d670981
prettify mail guide
2014-08-25 23:24:41 +00:00
00b5c6ee9c
test_domain -> domain
2014-08-25 16:02:13 -04:00
76ff9735cc
Move custom server blocks to STORAGE_ROOT
2014-08-25 13:25:44 -04:00
9bfff1f679
Add server block customizations
...
This allows users to add a file /etc/nginx/conf.d/includes/mydomain.com.conf, the contents of which will be included in the server block for mydomain.com.
2014-08-24 17:34:15 -04:00
df20d447a9
add an api for setting custom DNS records
...
Works like this:
```curl -d "" --user email:password https://.../admin/dns/set/qname/rtype/value ```
where the rtype and value default to "A" and the remote IP address of the request, so that a simple, empty POST to
```https://.../admin/dns/set/desktop.mydomain.com ```
will point desktop.mydomain.com to the caller's IPv4 address.
closes #140
2014-08-23 23:03:45 +00:00
6e3b04ce83
when generating SSL CSRs, using SHA256 as SHA1 is being phased out, per @konklone
2014-08-23 17:49:33 -04:00
2d5097345a
move the package update check into the system status checks
2014-08-21 11:24:40 +00:00
294d19e0af
rename whats_next.py to status_checks.py
2014-08-21 10:43:55 +00:00
46f3d05034
add the network checks to whats_next
...
* zen.spamhaus.org
* dbl.spamhaus.org
* checks if a connection to Google's MTA on port 25 works
2014-08-19 11:16:49 +00:00
91821adfd7
nameserver checks should be case insensitive
2014-08-18 22:41:27 +00:00
b30d7ad80a
web-based administrative UI
...
closes #19
2014-08-17 22:46:06 +00:00
ba8e015795
dns_update: dont restart the opendkim process if nothing changed
2014-08-17 20:42:17 +00:00
919a5a8f0b
whats_next: when there are multiple responses like for NS records sort the responses so we can compare to a fixed order
2014-08-17 19:55:03 +00:00
f299825a95
in the nginx override YAML file, change how proxies are specified into a mapping
2014-08-17 19:40:45 +00:00
04454b35c6
(merge) CardDAV, CalDAV via ownCloud and move to z-push fork fork
...
Merges branch 'owncloud' of github.com:jkaberg/mailinabox
which is pull request #135 , closes #135
thanks @jkaberg, @fmbiete, @owncloud
2014-08-17 15:31:08 -04:00
f41ec93cbe
management: dont raise an exception on a poorly formatted authentication header
2014-08-17 11:50:05 -04:00
6e380ade17
owncloud will only let users access it from the PRIMARY_HOSTNAME (due to its trusted_domains option being set statically), so only include /cloud in the nginx configuration for PRIMARY_HOSTNAME
2014-08-16 12:33:10 +00:00
8c9f278166
owncloud: support MOD_X_ACCEL_REDIRECT_ENABLED
...
This lets downloads from the file app work.
2014-08-15 23:16:54 +00:00
e625a424fd
whats_next: check that the TLSA record is correct, fixes #139
2014-08-13 19:42:49 +00:00
0eceb2012f
use php5-fpm rather than our own custom launcher script for PHP+FastCGI
2014-08-12 11:00:54 +00:00
1312b0254b
backup: dont remove old increments because then we lose the backup history right before the last full backup, instead let them disappear along with full backups when a whole chain becomes very old
2014-08-11 11:45:40 +00:00
f66914d634
backup: automatically take a full backup when the sum of the increments get very large
2014-08-11 11:38:32 +00:00
58e300e113
backup must be full on the first run because incremental backup will fail, fixes #134
2014-08-11 07:16:58 -04:00
e294f7c181
create the Drafts folder for users so K-9 mail doesn't poll unnecessarily, see #129
2014-08-09 16:49:57 +00:00
b56f82cb92
make a privileges column in the users table and mark the first user as an admin
2014-08-08 12:31:22 +00:00
6a512042dc
after creating the local encrypted backup, execute the after-backup script if the user has provided one to copy the files to a remote location
2014-08-02 14:16:08 +00:00
6d4fab1e6a
whats_next: offer DNSSEC DS parameters rather than the full record and in validation allow for other digests than the one we suggest using
...
fixes #120 (hopefully), in which Gandi generates a SHA1 digest but we were only checking against a SHA256 digest
Also see http://discourse.mailinabox.email/t/how-to-set-ds-record-for-gandi-net/24/1 in which a user asks about the DS parameters that Gandi asks for.
2014-08-01 12:15:05 +00:00
30178ef019
add a --force flag to dns_update
2014-08-01 12:05:34 +00:00
168c06939d
have nsd bind to the network interaface that is connected to the Internet, rather than all non-loopback network interfaces
...
hopefully fixes #121 ; thanks for the help @sfPlayer1
2014-07-29 20:07:26 -04:00
8042ab66ac
dont serve web for domains with custom DNS records that point A/AAAA elsewhere, and in whats_next only check that an A record exists on a domain if we are serving web on the domain
2014-07-20 15:23:17 +00:00
8354d9732a
in the custom DNS yaml config, treat 'local' as an alias for the box's own IP/IPv6 addresses
2014-07-20 14:53:55 +00:00
1ad9c70887
refactor custom DNS records
2014-07-20 14:48:20 +00:00
2e0680de4f
the check for whether a custom DNS setting is valid was in the wrong place
2014-07-20 14:41:02 +00:00
89acbe4127
Update dns_update.py
...
Add new extra bool parameter.
2014-07-18 13:05:32 +02:00
0e893626c8
Add IPv6 glue records as well
...
The dns_update script didn't generate IPv6 (AAAA) glue records for the name servers.
This caused http://dnscheck.pingdom.com to complain about a mismatch between the glue records reported by the parent name server and mailinabox nsd.
Here's the failing dnscheck output for reference:
> Checking glue for ns1.my.domain.tld (1.2.3.4).
> Child glue for bgwe.eu found: ns1.my.domain.tld (1.2.3.4)
> Checking glue for ns1.my.domain.tld (1234::1).
> Missing glue at child: ns1.my.domain.tld
> Checking glue for ns2.my.domain.tld (1.2.3.4).
> Child glue for bgwe.eu found: ns2.my.domain.tld (1.2.3.4)
> Checking glue for ns2.my.domain.tld (1234::1).
> Missing glue at child: ns2.my.domain.tld
I'm not very familiar with Python and DNS, please verify ;)
2014-07-18 13:03:09 +02:00
42c891032d
don't create a www. subdomain on any domains that are themselves subdomains within a zone, i.e. don't create www.PUBLIC_HOSTNAME if PUBLIC_HOSTNAME is a subdomain of another domain, which is what we normally recommend
2014-07-17 13:08:05 +00:00
d7a9e7cc17
run management/dns_update.py from the console to dump the DNS records, with explanations, in case the user wants to host DNS off of the box
2014-07-17 13:08:05 +00:00
7803ac9ca4
write explanatory text as we build DNS zones so we can help the user manage DNS off of the box
2014-07-17 13:08:05 +00:00
eac349187d
whats_next: move the admin alias check to the system section
2014-07-16 09:36:56 -04:00
9c7d476915
re-do catch-all aliases, fixes #107 (originally #104 )
...
This reverts pull request #105 from jonessen96/master (84d2023f94
2014-07-13 12:29:43 +00:00
c35252720f
Prohibited usage of empty local part for validate_email(email, strict = true)
2014-07-12 22:57:38 +02:00
70e4e7f7be
Fixed validate_email not accepting catchalls (empty local part of the address)
2014-07-12 03:22:55 +02:00
85bd2c8804
use the Dovecot managesieve service to manage sieve scripts
...
This lets roundcube's manageseive plugin do cool things like vacation responses.
Also:
* Run the spam filtering sieve script out of a global sieve file that we'll place in /etc/dovecot. It is no longer necessary to create per-user sieve files for this. Remove them with a new migration. Remove the code that created them.
* Corrects the spam script. Backslashes were double-escaped probably because this script started embedded within the bash script. Not sure how this was working until now.
this adapts work by @h8h in #103
2014-07-10 23:09:07 +00:00
41b3df6d78
manage hostmaster@ and postmaster@ automatically, create administrator@ during setup instead
...
closes #94
2014-07-09 19:30:17 +00:00
22a010ecb9
say that certificates are valid too in output
2014-07-09 16:38:56 +00:00
659b5c8aa3
if the server certificate can be used for a non-primary domain, use it
2014-07-09 16:38:42 +00:00
6c70b10c15
tell users to restart nginx after plugging in a new cert
2014-07-09 14:05:59 +00:00
deebda06e1
utils.sort_domains wasn't right
2014-07-09 12:35:12 +00:00
1a74b81f44
new nginx configuration yaml file to allow proxying of whole domains elsewhere
2014-07-09 12:31:32 +00:00
04e30ffa78
check that the installed certificate corresponds to the private key
2014-07-08 15:47:54 +00:00
59a9d02fa5
check that installed certificates are for the domains we are using the certificates for
2014-07-07 12:06:11 +00:00
65fb65ada7
an mx record may be missing if the A record matches the A record of PRIMARY_HOSTNAME
2014-07-07 02:35:45 +00:00
28e254fb84
whats_next: Allow the PRIMARY_HOSTNAME to not have an MX because the default value means the domain itself, which is what we want anyway
2014-07-07 02:35:45 +00:00
e898cd5d2a
whats_next: wrap output to the actual width of the terminal
2014-07-07 02:35:45 +00:00
6a231d4409
clarify that an SSL cert can remain self-signed on the non-primary domains if the domain isn't being used for web
2014-07-07 02:35:45 +00:00
49d5561933
when adding/removing mail addresses also update nginx's config
2014-07-06 12:16:50 +00:00
c8856f107d
migrate the SSL certificates path for non-primary certs to a new layout using a new migration script
2014-06-30 20:41:29 +00:00
06ba25151f
get_domain_ssl_files returned the wrong path for the CSR for PRIMARY_HOSTNAME
2014-06-30 19:49:41 +00:00
b5aa1b0f31
walk the user through choosing the PRIMARY_HOSTNAME by first asking for their email address
2014-06-30 10:20:58 -04:00
fed5959288
s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout
2014-06-30 09:15:36 -04:00
87f001a5d5
some comments
2014-06-24 03:24:41 +00:00
1dec8c65ce
move the SSH password login check into whats_next.py (it used to be in start.sh and then moved to an unused script when it became a problem for Vagrant)
2014-06-23 19:39:20 +00:00
d4ce50de86
new tool to purchase and install a SSL certificate using Gandi.net's API
2014-06-23 10:53:29 +00:00
30c416ff6e
rename the new checklist script to whats_next.py
2014-06-23 00:11:24 +00:00
5aa09c3f9b
let the user override some DNS records in a different way
...
Moved the configuration to a single YAML file, rather than one per domain, to be clearer.
re-does 33f06f29c1
2014-06-22 19:33:30 +00:00
343886d818
add mail alias checks and other cleanup
2014-06-22 16:28:55 +00:00
deab8974ec
if we handle mail for both a domain and any subdomain, only create a zone for the domain and put the subdomain's DNS records in the main domain's zone file
2014-06-22 16:24:15 +00:00
4668367420
first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc.
2014-06-22 15:54:22 +00:00
9e63ec62fb
Cleanup: remove env dependency
2014-06-22 08:55:19 -04:00
d100a790a0
Remove API_KEY_FILE setting
2014-06-22 08:45:29 -04:00
554a28479f
Merge remote-tracking branch 'upstream/master' into mgmt-auth
...
Conflicts:
management/daemon.py
2014-06-21 21:29:25 -04:00
064d75e261
Merge pull request #73 from mkropat/syslog-logging
...
Tell Flask to log to syslog
2014-06-21 21:22:27 -04:00
067052d4ea
Add key-based authentication to management service
...
Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service.
2014-06-21 23:42:48 +00:00
53e15eae15
Tell Flask to log to syslog
...
- Writes Flask warnings and errors to `/var/log/syslog`
- Helps to debug issues when running in production
2014-06-21 23:25:35 +00:00
67d31ed998
move the SSL setup into its own bash script since it is used for much more than email now
2014-06-21 22:16:46 +00:00
5faa1cae71
manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for
2014-06-20 01:55:12 +00:00
126ea94ccf
drop support for ADSP which since last November is no longer recommended per http://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/
2014-06-18 22:56:55 -04:00
95e61bc110
add DANE TLSA records to the PUBLIC_HOSTNAME's DNS
...
Postfix has a tls_security_level called "dane" which uses DNS-Based Authentication of Named Entities (DANE)
to require, if specified in the DNS of the MX host, an encrpyted connection with a known certificate.
This commit adds TLSA records.
2014-06-19 01:39:27 +00:00
699bccad80
missing spaces in nsd.conf (has no effect but looks proper)
2014-06-18 23:53:52 +00:00
afb6c26c8b
run bind9 on the loopback interface for ensuring we are using a DNSSEC-aware nameserver to resolve our own DNS queries (i.e. when sending mail) since we can't trust that the network configuration provided for us gives us a DNSSEC-aware DNS server
...
see #71
2014-06-18 19:45:47 -04:00
761fac729b
nsd.conf wasn't properly using the signed zone files
2014-06-18 23:30:35 +00:00
dd15bf4384
use a better sort order for records in DNS zone files
2014-06-17 23:34:06 +00:00
14396e58f8
dont create a separate zone for PUBLIC_HOSTNAME if it is a subdomain of another zone (hmm, this is a general principle that could apply to any two domains the box is serving)
2014-06-17 23:30:00 +00:00
33f06f29c1
let the user override some DNS records
2014-06-17 22:21:51 +00:00
88709506f8
add DNSSEC
...
* sign zones
* in a cron job, periodically re-sign zones because they expire (not tested)
2014-06-17 22:21:12 +00:00
aaa735dbfe
write nsd.conf zones in a predictable order so that we don't keep rewriting it
2014-06-12 22:28:37 -04:00
e9cde52a48
two more cases of shelling out external programs in a more secure way, see cecda9cec5
2014-06-12 21:06:04 -04:00
8bd62aa3bc
increase duplicity's volume size from the default of 25MB to 100MB so we create fewer files
2014-06-09 13:47:41 +00:00
5490142df5
re-do the backup script to use the duplicity program
...
Duplicity will manage the process of creating incremental backups for us.
Although duplicity can both encrypt & copy files to a remote host, I really
don't like PGP and so I don't want to use that.
Instead, we'll back up to a local directory unencrypted, then manually
encrypt the full & incremental backup files. Synchronizing the encrypted
backup directory to a remote host is a TODO.
2014-06-09 09:34:52 -04:00
cecda9cec5
management: shell out external programs in a more secure way
2014-06-09 08:09:45 -04:00
ae67409603
Support dual-stack IPv4/IPv6 mail servers
...
Addresses #3
Added support by adding parallel code wherever `$PUBLIC_IP` was used.
Providing an IPv6 address is completely optional.
Playing around on my IPv6-enabled mail server revealed that — before
this change — mailinabox might try to use an IPv6 address as the value
for `$PUBLIC_IP`, which wouldn't work out well.
2014-06-08 18:32:52 -04:00
242cadebc8
allow dashes in emails during validation, and for aliases allow a much wider range of characters, fixes #64
...
* for local mail users, also disallows periods at the beginning or end of the local or domain parts
* Dovecot gets confused if the string contains any unusual characters, so local mail users are restricted to a narrow regex
* for mail aliases Postfix is not confused so use a regex based on RFC 2822
2014-06-06 10:51:36 -04:00
f1dac1fe13
show less output when updating DNS configuration
2014-06-06 10:51:36 -04:00
6194c63f76
add management comments for checking for updated Ubuntu packages and applying updates
2014-06-05 20:57:30 +00:00
295981828f
Vagrantize
...
* adding a Vagrantfile
* in a non-interactive setup like this, create the user's first email account for them
* let the machine auto-detect its IP address using http://icanhazip.com/
* use our own justtesting.email domain to provision a subdomain for users so they can quickly get started
2014-06-04 19:39:58 -04:00
7fa4862f1a
refactor dns_update so that the zone is first generated in a file-format agnostic way
2014-06-04 19:00:31 -04:00
8ed15168c0
the new dns_update totally forgot to write the OpenDKIM tables
2014-06-04 18:44:13 -04:00
89730bd643
new backup script, see #11
2014-06-03 21:16:38 +00:00
c54b0cbefc
move management into a daemon service running as root
...
* Created a new Python/flask-based management daemon.
* Moved the mail user management core code from tools/mail.py to the new daemon.
* tools/mail.py is a wrapper around the daemon and can be run as a non-root user.
* Adding a new initscript for the management daemon.
* Moving dns_update.sh to the management daemon, called via curl'ing the daemon's API.
This also now runs the DNS update after mail users and aliases are added/removed,
which sets up new domains' DNS as needed.
2014-06-03 13:56:40 +00:00
Joshua Tauberer
David Piggott
Kurt Huwig
Francisco de Juan
Marc Schiller
Norman
h8h
Christian
Ben Schumacher
Sebastian Kosch
sfPlayer1
Jonas Platte
Michael Kropat