1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-04-05 00:27:25 +00:00
Commit Graph

2163 Commits

Author SHA1 Message Date
downtownallday
06216876a2 Update roundcube carddav plugin to support roundcube 1.5 and close a security hole 2021-11-15 16:07:54 -05:00
downtownallday
334c7f71b5 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-11-13 19:36:00 -05:00
jvolkenant
58b0323b36
Update persistent_login for Roundcube 1.5 (#2055) 2021-11-04 18:59:10 -04:00
kiekerjan
646f971d8b
Update mailinabox.yml (#2054)
The examples for login and logout use GET instead of POST. GET gives me an error when using it, while POST seems to work.
2021-10-31 12:49:26 -04:00
downtownallday
229a9c6d95 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-10-28 21:40:05 -04:00
Felix Spöttel
86067be142
fix(docs): set a schema for /logout responses (#2051)
* this remedies an OpenAPI syntax violation resulting in a redoc-cli crash
2021-10-27 12:27:54 -04:00
downtownallday
3bb6f021a7 Fix tests that were broken by commit bb54370 2021-10-27 08:20:07 -04:00
downtownallday
db8e0fdf66 Remove /etc/ldap/ldap.conf creation as it's now created by the Nextcloud docker image 2021-10-27 08:19:32 -04:00
downtownallday
4767afe8de Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-10-26 23:05:35 -04:00
Joshua Tauberer
c67ff241c4
Updates to security.md 2021-10-23 08:57:05 -04:00
Joshua Tauberer
7b4cd443bf
How to report security issues 2021-10-22 18:49:16 -04:00
Joshua Tauberer
34017548d5 Don't crash if a custom DNS entry is not under a zone managed by the box, fixes #1961 2021-10-22 18:39:53 -04:00
downtownallday
bb543700f5 Fix smart host alias (alias with no forward to's). Postfix recently started rejecting these mails with "Sender address rejected: domain not found". This ensures the special case is handled properly. 2021-10-19 08:15:28 -04:00
downtownallday
00805cb52c Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
2021-10-19 07:11:33 -04:00
Joshua Tauberer
65861c68b7 Version 55 2021-10-18 20:40:51 -04:00
Joshua Tauberer
71a7a3e201 Upgrade to Roundcube 1.5 2021-10-18 20:40:51 -04:00
Richard Willis
1c3bca53bb
Fix broken link in external-dns.html (#2045) 2021-10-18 07:36:48 -04:00
downtownallday
e3bc8b1a41 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-10-15 18:49:48 -04:00
ukfhVp0zms
b643cb3478
Update calendar/contacts android app info (#2044)
DAVdroid has been renamed to DAVx⁵ and price increased from $3.69 to $5.99.
CardDAV-Sync free is no longer in beta.
CalDAV-Sync price increased from $2.89 to $2.99.
2021-10-13 19:09:05 -04:00
downtownallday
31dc96757c Add help text 2021-10-02 10:10:06 -04:00
downtownallday
66ac35871e Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
Upstream is adding handling for utf8 domains by creating a domain alias @utf8 -> @idna. I'm deviating from this approach by setting multiple email address (idna and utf8) per user and alias where a domain contains non-ascii characters. The maildrop (mailbox) remains the same - all mail goes to the user's mailbox regardless of which email address was used. This is more in line with how other systems (eg. active directory), handle multiple email addresses for a single user.

# Conflicts:
#	README.md
#	management/mailconfig.py
#	management/templates/index.html
#	setup/dns.sh
#	setup/mail-users.sh
2021-10-01 17:43:48 -04:00
Joshua Tauberer
113b7bd827 Disable SMTPUTF8 in Postfix because Dovecot LMTP doesn't support it and bounces messages that require SMTPUTF8
By not advertising SMTPUTF8 support at the start, senders may opt to transmit recipient internationalized domain names in IDNA form instead, which will be deliverable.

Incoming mail with internationalized domains was probably working prior to our move to Ubuntu 18.04 when postfix's SMTPUTF8 support became enabled by default.

The previous commit is retained because Mail-in-a-Box users might prefer to keep SMTPUTF8 on for outbound mail, if they are not using internationalized domains for email, in which case the previous commit fixes the 'relay access denied' error even if the emails aren't deliverable.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
3e19f85fad Add domain maps from Unicode forms of internationalized domains to their ASCII forms
When an email is received by Postfix using SMTPUTF8 and the recipient domain is a Unicode internationalized domain, it was failing to be delivered (bouncing with 'relay access denied') because our users and aliases tables only store ASCII (IDNA) forms of internationalized domains. In this commit, domain maps are added to the auto_aliases table from the Unicode form of each mail domain to its IDNA form, if those forms are different. The Postfix domains query is updated to look at the auto_aliases table now as well, since it is the only table with Unicode forms of the mail domains.

However, mail delivery is still not working since the Dovecot LMTP server does not support SMTPUTF8, and mail still bounces but with an error that SMTPUTF8 is not supported.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
11e84d0d40 Move automatically generated aliases to a separate database table
They really should never have been conflated with the user-provided aliases.

Update the postfix alias map to query the automatically generated aliases with lowest priority.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
79966e36e3 Set a cookie for /admin/munin pages to grant access to Munin reports
The /admin/munin routes used the same Authorization: header logic as the other API routes, but they are browsed directly in the browser because they are handled as static pages or as a proxy to a CGI script.

This required users to enter their email username/password for HTTP basic authentication in the standard browser auth prompt, which wasn't ideal (and may leak the password in browser storage). It also stopped working when MFA was enabled for user accounts.

A token is now set in a cookie when visiting /admin/munin which is then checked in the routes that proxy the Munin pages. The cookie's lifetime is kept limited to limit the opportunity for any unknown CSRF attacks via the Munin CGI script.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
66b15d42a5 CHANGELOG entries 2021-09-24 08:11:36 -04:00
drpixie
df46e1311b
Include NSD config files from /etc/nsd/nsd.conf.d/*.conf (#2035)
And write MIAB dns zone config into /etc/nsd/nsd.conf.d/zones.conf. Delete lingering old zones.conf file.

Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-24 08:07:40 -04:00
downtownallday
4403e65053 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-09-23 17:11:53 -04:00
Elsie Hupp
353084ce67
Use "smart invert" for dark mode (#2038)
* Use "smart invert" for dark mode

Signed-off-by: Elsie Hupp <9206310+elsiehupp@users.noreply.github.com>

* Add more contrast to form controls

Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-19 09:53:03 -04:00
downtownallday
763cdfcd7e remove /admin/me call, which is no longer available, and use the new api_credentials Object, which used to be a String.
add X-Requested-With header to requests so 401's are not returned by daemon.py.
2021-09-14 10:00:17 -04:00
downtownallday
9ea03e18c9 automatically install avahi for systems with a .local tld 2021-09-14 09:56:19 -04:00
downtownallday
026115b845 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-09-14 08:37:22 -04:00
downtownallday
4b285c3201 Prepare for multiple base system support and automatically update and remove stale vagrant boxes 2021-09-14 08:20:37 -04:00
downtownallday
3d32dbab22 Explicitly create a /etc/ldap/ldap.conf in the docker image so ldap tools recognize the system's trusted root certificate list 2021-09-14 08:18:53 -04:00
downtownallday
3f2b2ef146 Stop the capture daemon during ehdd shutdown to avoid "busy" mount 2021-09-14 08:17:21 -04:00
downtownallday
402207714b Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	management/auth.py
#	management/daemon.py
#	management/templates/index.html
#	setup/management.sh
2021-09-14 08:16:08 -04:00
mailinabox-contributor
91079ab934
add numeric flag value to DNSSEC DS status message (#2033)
Some registrars (e.g. Porkbun) accept Key Data when creating a DS RR,
but accept only a numeric flags value to indicate the key type (256 for KSK, 257 for ZSK).

https://datatracker.ietf.org/doc/html/rfc5910#section-4.3
2021-09-10 16:12:41 -04:00
Joshua Tauberer
e5909a6287 Allow non-admin login to the control panel and show/hide menu items depending on the login state
* When logged out, no menu items are shown.
* When logged in, Log Out is shown.
* When logged in as an admin, the remaining menu items are also shown.
* When logged in as a non-admin, the mail and contacts/calendar instruction pages are shown.

Fixes #1987
2021-09-06 09:23:58 -04:00
Joshua Tauberer
26932ecb10 Add a 'welcome' panel to the control panel and make it the default page instead of the status checks which take too long to load
Fixes #2014
2021-09-06 09:23:58 -04:00
Joshua Tauberer
e884c4774f Replace HMAC-based session API keys with tokens stored in memory in the daemon process
Since the session cache clears keys after a period of time, this fixes #1821.

Based on https://github.com/mail-in-a-box/mailinabox/pull/2012, and so:

Co-Authored-By: NewbieOrange <NewbieOrange@users.noreply.github.com>

Also fixes #2029 by not revealing through the login failure error message whether a user exists or not.
2021-09-06 09:23:58 -04:00
Joshua Tauberer
53ec0f39cb Use 'secrets' to generate the system API key and remove some debugging-related code
* Rename the 'master' API key to be called the 'system' API key
* Generate the key using the Python secrets module which is meant for this
* Remove some debugging helper code which will be obsoleted by the upcoming changes for session keys
2021-09-06 09:23:58 -04:00
Joshua Tauberer
700188c443 Roundcube 1.5 RC 2021-09-06 09:23:58 -04:00
downtownallday
4bf71e68be Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-08-23 17:48:17 -04:00
Downtown Allday
72039a1409
Merge pull request #15 from downtownallday/github-actions
GitHub actions
2021-08-23 17:19:54 -04:00
downtownallday
4f8697c07d change badge link 2021-08-23 16:57:40 -04:00
downtownallday
71526bc294 Add badge 2021-08-23 16:39:36 -04:00
downtownallday
be932af813 git remote url does not contain .git extension in github actions 2021-08-23 16:17:07 -04:00
downtownallday
0876a9a7de non-standard git remotes in github actions 2021-08-23 16:01:16 -04:00
downtownallday
0c2c76a6dc Patch upstream to install php-xml instead of php-xsl 2021-08-23 15:17:33 -04:00
downtownallday
2a9fcd7101 add upgrade-from-upstream job 2021-08-23 15:00:31 -04:00