Joshua Tauberer
5dd5fc4a1c
clean up multiple secondary nameservers and zone xfr ip addresses
2015-07-10 15:42:33 +00:00
Brian Bustin
09133c8f59
Initial backend changes to make it possible to have one or more secondary name servers
2015-07-10 14:59:38 +00:00
Joshua Tauberer
acd91665b5
setting an alias to forward to two or more addresses was broken since aa33428311
...
fixes #482
2015-07-04 15:28:45 +00:00
Joshua Tauberer
ff4780d5fb
better error handling of invalid PEM files
2015-07-03 14:00:59 +00:00
Joshua Tauberer
0924f8ca7a
allow for PEM private keys in the 'BEGIN PRIVATE KEY' format too
...
see https://discourse.mailinabox.email/t/another-upgrade-failure/630/5
2015-07-02 15:37:26 -04:00
Joshua Tauberer
e57e08088a
the control panel would not allow installing a certificate for a www redirect domain, fixes #475
2015-07-02 10:53:54 +00:00
Joshua Tauberer
42a506231b
don't automatically create the administrator@ alias (e.g. on first user creation) because we don't know what it should be an alias to (leave this to be resolved manually), fixes #470
...
Was broken by 462a79cf47.
2015-06-30 09:16:22 -04:00
Joshua Tauberer
e3252f53da
idna domains in certificate subject alternative names were not handled correctly after switching to cryptography package
2015-06-30 13:09:18 +00:00
Joshua Tauberer
aa33428311
some IDNA functionality was still using Python's built-in IDNA 2003 encoder rather than the idna package's IDNA 2008 encoder
2015-06-30 13:09:18 +00:00
Joshua Tauberer
5ef1cfbdc7
forgot new version.html template file
2015-06-25 17:43:50 +00:00
Joshua Tauberer
7527b4dc27
show the Mail-in-a-Box version in the control panel and a button to ping the MiaB website for the latest version
...
fixes #441
2015-06-25 13:43:11 +00:00
Joshua Tauberer
299a2315c1
dkim 2048 bits - migration and zone file generation changes
...
* Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.)
* Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings.
* When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec.
* Added a changelog entry.
2015-06-25 13:06:29 +00:00
Joshua Tauberer
dece359c90
validate certificates using the cryptography python package as much as possible, shelling out to openssl just once instead of four times per certificate
...
* Use `cryptography` instead of parsing openssl's output.
* When checking if we can reuse the primary domain certificate or a www-parent-domain certificate for a domain, avoid shelling out to openssl entirely.
2015-06-21 14:53:37 +00:00
Joshua Tauberer
43d50d0667
Merge pull request #445 from bizonix/patch-1
...
fix wrong redirect for automatic www subdomain redirects
2015-06-18 07:05:01 -04:00
Joshua Tauberer
6258a7f311
status checks were broken if sshd was not present, fixes #444
2015-06-18 11:01:11 +00:00
Joshua Tauberer
ab36cc8968
whitespace=>tabs
2015-06-18 10:54:51 +00:00
bizonix
33b71c6b3c
fix wrong redirect
...
$ curl -I https://www.site.co.il/static/images/1.png?a=b | grep Location
Location: https://site.co.il?a=b
but should be something like
Location: https://site.co.il/static/images/1.png?a=b
2015-06-18 01:48:15 +03:00
Joshua Tauberer
2af557139d
default IPv6 AAAA records were missing
...
This was broken by the ability to have multiple TXT records in 9f1d633ae4.
2015-06-17 06:47:22 -04:00
Joshua Tauberer
1990f32ca4
typo, fixes #435
2015-06-06 13:22:50 +00:00
Joshua Tauberer
807939c0e4
make the +tag address tips clearer
2015-06-06 13:02:23 +00:00
Joshua Tauberer
5008cc603e
merge - munin system monitoring
2015-06-06 12:52:22 +00:00
Joshua Tauberer
9857db96cd
add a link to the /admin/munin page from the control panel nav bar
2015-06-06 12:52:16 +00:00
Joshua Tauberer
e9e6d94e3b
the control panel auth hmac message should also include the user's password so that resetting a password in the database forces that user to log in to the control panel again; also use a sha256 hmac
2015-06-06 12:38:19 +00:00
Joshua Tauberer
462a79cf47
fix what counts as a required alias, fixes #434
2015-06-06 12:12:10 +00:00
Joshua Tauberer
f792deeebd
when the undocumented custom web settings has a redirect or proxy at the root of a domain, use a minimal nginx config template (same as the new default www redirects)
2015-06-04 12:32:00 +00:00
Joshua Tauberer
95173bb327
provide redirects from www subdomains of zones to their parent domain
...
* Split the nginx templates again so we have just the part needed to make a domain do a redirect separate from the rest.
* Add server blocks to the nginx config for these domains.
* List these domains in the SSL certificate install admin panel.
* Generate default 'www' records just for domains we provide default redirects for.
Fixes #321.
2015-06-04 12:19:01 +00:00
Joshua Tauberer
1d09e2406b
refactor how the nginx config file is assembled
...
This doesn't change anything. Just preparation for the next commit.
2015-06-04 12:19:01 +00:00
Joshua Tauberer
c9add7a8bf
if a user sets a custom A record on PRIMARY_HOSTNAME, which is ignored anyway, don't let that cause PRIMARY_HOSTNAME to be dropped from nginx.conf
...
Could be related to https://discourse.mailinabox.email/t/nginx-lost-admin-record-after-install-ssl-cert-problem/528 .
2015-06-04 12:19:01 +00:00
Joshua Tauberer
2b341d884f
merge #396 - allow the backup process to work after a hostname change
2015-05-30 13:55:08 +00:00
Joshua Tauberer
141a09b31e
changelog, comments for duplicity --allow-source-mismatch
2015-05-30 13:46:39 +00:00
Joshua Tauberer
4fa58169f1
after installing an SSL certificate from the control panel the page wasn't being refreshed, broken in ec73c171c7
2015-05-28 18:45:53 +00:00
David Piggott
f78bbab289
Make SPF forbid any outbound mail from non-mail domains
2015-05-28 18:11:44 +01:00
David Piggott
7b9b978a6d
Improve DMARC and SPF record descriptions
2015-05-28 16:34:58 +01:00
Joshua Tauberer
202c4a948b
our users/aliases database is case sensitive - force new users/aliases to lowercase
...
Unfortunately our users/aliases database is case sensitive. (Perhaps I should have defined the columns with COLLATE NOCASE, see https://www.sqlite.org/datatype3.html .) Postfix always queries the tables in lowercase, so mail delivery would fail if a user or alias were defined with any capital letters. It would have also been possible to add multiple equivalent addresses into the database with different case.
This commit rejects new mail users that have capital letters and forces new aliases to lowercase. I prefer to reject rather than casefold user accounts so that the login credentials the user gave are exactly what goes into the database.
https://discourse.mailinabox.email/t/recipient-address-rejected-user-unknown-in-virtual-mailbox-table/512/4
2015-05-28 13:11:30 +00:00
David Piggott
d6c5f09a1a
Use lowercase h for consistency in aliases template - it reads better (IMO!)
...
This also includes fixes for a typo and some whitespace inconsistencies in
mailconfig.py. In fact the capitalisation change and those fixes are the
remnants of a patch I had been running that changed the default aliases - it
was through developing it that I found the issues.
(I wanted to bring the number of patches I apply before deploying to zero and
in the case of this one I've come to view the way MIAB already is as superior,
so I've undone the core of my patch and these tiny issues are all that remain).
2015-05-28 13:46:15 +01:00
Joshua Tauberer
a9ed9ae936
more work on munin
...
* install the munin-node package
* don't install munin-plugins-extra (if the user wants it they can add it)
* expose the munin www directory via the management daemon so that it can handle authorization, rather than maintaining a separate password file
2015-05-25 17:03:52 +00:00
StevesMonkey
05438d047d
Fixing minor misspelling of the word: encrypted
2015-05-25 10:15:57 +09:30
Joshua Tauberer
4f98d470a0
'/dev/stdout' does not exist on some systems (!)
...
The OVH VPS provider creates systems without /dev/stdout. I have never seen that before. But fine. We were passing it as a command line option to `openssl req`, but outputting to stdout is the default so it's not necessary to specify /dev/stdout.
Fixes #277. Also https://discourse.mailinabox.email/t/500-internal-server-error/475/10 .
2015-05-16 13:34:47 +00:00
Joshua Tauberer
57abae3999
if the main ssl cert is expiring soon, the end of setup would display the control panel instructions as if the cert were self-signed
2015-05-14 19:16:31 +00:00
Xoib
202e49a897
allow the backup process to work after a hostname change
2015-05-13 13:52:23 +02:00
Joshua Tauberer
8886c9b6bc
move the server: block of nsd.conf out of the management daemon and into the setup scripts
2015-05-04 11:24:40 +00:00
Joshua Tauberer
fc32cf5bcc
permit the first user account to be a domain control validation address because a) it will necessarily be an admin and b) the user doesn't know the rules yet
2015-05-03 14:21:36 +00:00
Joshua Tauberer
1e9c587b92
rewrite the DNS API to permit setting multiple records of the same type on the same domain
...
e.g. multiple TXT records
fixes #333
2015-05-03 13:43:38 +00:00
Joshua Tauberer
9f1d633ae4
re-do the custom DNS get/set routines so it is possible to store more than one record for a qname-rtype pair, like multiple TXT records
2015-05-03 13:43:38 +00:00
Joshua Tauberer
f01189631a
management api: make json responses nicely formatted
...
Better while debugging.
2015-05-03 13:43:38 +00:00
Joshua Tauberer
542877ee46
use the font-awesome .fa-spinner.fa-pulse classes for the AJAX loading indicator, rather than the static glyphicon-time icon
2015-05-03 13:43:38 +00:00
Joshua Tauberer
f1760b516d
control panel: sometimes the ajax loading modal would show after operations were already done
...
Needed to add the clearQueue flag to jQuery's stop() method
2015-05-03 13:43:38 +00:00
Joshua Tauberer
febfa72d60
race condition between backups and status checks - connection refused
...
At the end of the backup, wait a bit for dovecot and postfix to finish restarting.
Hopefully fixes #381.
2015-04-29 21:06:38 +00:00
Joshua Tauberer
c03e00035f
prevent archiving of the user's own account because they'll lose access to the control panel
2015-04-28 07:17:21 -04:00
Joshua Tauberer
2f8866ef32
if there are no users at all the warning on the control panel login screen was incorrect
2015-04-28 07:17:21 -04:00
Joshua Tauberer
f98afac6df
if you make an API call with a user-specific API key (e.g. from control panel) but your account no longer exists on the system, there was an unhandled error
...
see 1039a08be6
2015-04-28 07:17:21 -04:00
Joshua Tauberer
5efd5abbe4
move the email address syntax validation for users and aliases into my new email_validator library (https://github.com/JoshData/python-email-validator)
2015-04-21 14:43:12 +00:00
Joshua Tauberer
35f4a49d10
my html5 stub was wrong; 8c3aed2846
2015-04-19 13:21:38 +00:00
Joshua Tauberer
a31d713fcc
stricter validation of the domain parts of email addresses: only letters, numbers, and hyphens, and the TLD ends with a letter
2015-04-19 13:06:11 +00:00
Joshua Tauberer
8c3aed2846
update the control panel html template to my latest html5 stub
...
jquery 1.11.1, bootstrap 3.3.0, better accessibility, see https://github.com/JoshData/html5-stub
2015-04-11 15:40:19 -04:00
Joshua Tauberer
36168b4609
add a 'backup --verify' command to run duplicity's verify command to check that the backup files are OK
2015-04-11 18:43:46 +00:00
Joshua Tauberer
bd498def76
backups now use duplicity's built-in gpg symmetric encryption
...
Merge branch 'dhpiggott-gpg-encrypt-backups'
2015-04-11 18:33:57 +00:00
Joshua Tauberer
d8279c48ac
new backup method tweaks
...
* use the AES256 cipher, be explicit that only the first line of secret_key.txt is used, and sanity check that the passphrase is long enough
* change ownership of the encrypted files to the user-data user
* simplify variable names in management/backup.py
* although I appreciate long comments I am trimming the commentary about the backup migration
* revise the control panel template to not refer to the old unencrypted files
* add CHANGELOG entry
2015-04-11 18:32:22 +00:00
David Piggott
4232245546
Use built in duplicity encryption (GPG) for backups, closes #362, closes #363
...
[Josh merged some subsequent commits:]
* Guard via idempotency against termination between migration operations
* Final corrections and tweaks
* Pass passphrase through to all duplicity calls
Empirical evidence (a failed cron job) shows that cleanup requires the
passphrase (so it presumably needs to decrypt metadata), and though
remove-older-than has been working fine without it, it won't do any harm
to set it in case that changes or there are any special cases.
* Add back the archive-dir override but locate it at STORAGE_ROOT/backup/cache
2015-04-11 17:51:44 +00:00
Joshua Tauberer
072aeca1be
prevent accidental domain control validation hijacking by limiting use of admin@ etc. addresses in users/aliases
2015-04-09 14:46:02 +00:00
Joshua Tauberer
cb656f9ef4
in status checks replace '=>' with a Unicode arrow and tweak how aliases are reported
2015-04-09 14:46:02 +00:00
Joshua Tauberer
322a5779f1
store IDNs (internationalized domain names) in IDNA (ASCII) in our database, not in Unicode
...
I changed my mind. In 1bf8f1991f I allowed Unicode domain names to go into the database. I thought that was nice because it's what the user *means*. But it's not how the web works. Web and DNS were working, but mail wasn't. Postfix (as shipped with Ubuntu 14.04 without support for SMTPUTF8) exists in an ASCII-only world. When it goes to the users/aliases table, it queries in ASCII (IDNA) only and had no hope of delivering mail if the domain was in full Unicode in the database. I was thinking ahead to SMTPUTF8, where we *could* put Unicode in the database (though that would prevent IDNA-encoded addressing from being deliverable) not realizing it isn't well supported yet anyway.
It's IDNA that goes on the wire in most places anyway (SMTP without SMTPUTF8 (and therefore how Postfix queries our users/aliases tables), DNS zone files, nginx config, CSR 'CN' field, X509 Common Name and Subject Alternative Names fields), so we should really be talking in terms of IDNA (i.e. ASCII).
This partially reverts commit 1bf8f1991f, where I added a lot of Unicode=>IDNA conversions when writing configuration files. Instead I'm doing Unicode=>IDNA before email addresses get into the users/aliases table. Now we assume the database uses IDNA-encoded ASCII domain names. When adding/removing aliases, addresses are converted to ASCII (w/ IDNA). User accounts must be ASCII-only anyway because of Dovecot's auth limitations, so we don't do any IDNA conversion (don't want to change the user's login info behind their back!). The aliases control panel page converts domains back to Unicode for display to be nice. The status checks convert the domains to Unicode just for the output headings.
A migration is added to convert existing aliases with Unicode domains into IDNA. Any custom DNS or web settings with Unicode may need to be changed.
Future support for SMTPUTF8 will probably need to add columns in the users/aliases table so that it lists both IDNA and Unicode forms.
2015-04-09 14:46:02 +00:00
Joshua Tauberer
ec039719de
prevent caching of ajax responses in the control panel
...
GET requests might be cached. Definitely happens on Internet Explorer. Makes it look like the user is getting unauthorized access.
See https://discourse.mailinabox.email/t/fresh-install-can-login-to-webmail-but-not-admin/394/4 .
2015-03-31 14:52:11 +00:00
Joshua Tauberer
14b16b2f36
allow custom DNS TXT records for SPF, DKIM, and DMARC to override the ones we want to set
...
fixes #323
fixes #324
2015-03-30 01:20:03 +00:00
Joshua Tauberer
cbc7e280d6
set the SPF record after custom DNS records so that the SPF record doesn't prevent all custom TXT records from coming in
2015-03-30 01:18:05 +00:00
Joshua Tauberer
3d21f2223e
status checks: turn missing DNSSEC into a warning instead of an error; omit an error about missing TLSA if DNSSEC isn't in use; if DNSSEC is in use, make a missing TLSA record a warning instead of an error
2015-03-28 11:24:05 -04:00
Joshua Tauberer
710a69b812
turn some nameserver status check errors into warnings if the domain resolves correctly since the user might be using External DNS, closes #330
2015-03-28 11:23:59 -04:00
Joshua Tauberer
298e19598b
small bug in the new system status checks show-changes command
...
see 4d22fb9b2a
fixes #360
2015-03-22 14:03:12 +00:00
Joshua Tauberer
680191d7cb
drop the list of aliases from the users control panel page because with more than 50 aliases it seems to be so slow it times out
...
see https://discourse.mailinabox.email/t/small-bug-in-admin-panel-when-49-aliases/378
2015-03-22 13:59:05 +00:00
Joshua Tauberer
6df72bf4ac
create the Trash folder on new user creation (fixes #359)
2015-03-22 13:33:17 +00:00
Joshua Tauberer
01f2451349
provide a better error message when creating a user account with non-ASCII characters
2015-03-22 12:33:06 +00:00
Joshua Tauberer
4d22fb9b2a
run status checks each night and email the administrator with the changes from the previous day's results
2015-03-21 16:02:42 +00:00
Joshua Tauberer
c18d58b13f
backups: predict when the next backup will occur
2015-03-21 15:22:45 +00:00
Joshua Tauberer
7c0ca42145
status checks: don't check that dovecot-sieve is publicly accessible
2015-03-08 18:35:33 +00:00
Ben Schumacher
6558f05d1d
Give the DNS update tool the ability to customize MX records. Useful if you want a subdomain to send mail to another host.
2015-03-04 13:32:35 -05:00
Jack Twilley
b2fcd4c9e5
Now supports domains with multiple MX records.
...
The status check on MX records now correctly handles domains with
multiple MX records.
2015-02-22 17:05:09 -08:00
Jack Twilley
ead6f96513
Changed MX check to respect priorities other than 10.
...
Reordered the if a little, added some string parsing, and modified the
OK text to include a warning.
2015-02-20 11:29:28 -08:00
Joshua Tauberer
7ec662c83f
status checks: use a worker pool that lives across flask requests, see #327
2015-02-18 16:42:33 +00:00
Joshua Tauberer
348d2b8701
Merge pull request #326 from dhpiggott/custom-dns-filter-secondary-nameserver
...
Do not show '_secondary_nameserver' in Custom DNS table
2015-02-17 08:31:34 -05:00
David Piggott
12f0dcb23b
Do not show '_secondary_nameserver' in Custom DNS table
...
It's redundant and potentially confusing, as any secondary NS shows in "Using a
Secondary Nameserver".
2015-02-17 13:28:48 +00:00
Joshua Tauberer
449a538e6b
if a CNAME is set for a domain, don't create a website for that domain (just like A/AAAA records)
2015-02-17 00:48:26 +00:00
Joshua Tauberer
3c50c9a18b
when serving a 'www.' domain, check if the parent domain's ssl certificate can be used besides checking PRIMARY_HOSTNAME
...
Removing buy_certificate.py which is not working and I don't want to update its call signatures.
2015-02-17 00:42:25 +00:00
Joshua Tauberer
3c10ec70a5
update comment
2015-02-17 00:08:04 +00:00
Joshua Tauberer
fba4d4702e
install opendmarc to add Authentication-Results headers for DMARC too
2015-02-16 23:17:44 +00:00
Joshua Tauberer
143bbf37f4
all mail domains, not just (top-level) zones, must have an entry in the opendkim key tables so that such outgoing mail gets signed
...
If you had both x.y.com and y.com configured here, x.y.com mail would not get DKIM-signed.
2015-02-16 18:13:51 -05:00
Joshua Tauberer
fd3ad267ba
if a domain has a catch-all or domain alias then we no longer force the creation of postmaster@ and so we should not be checking for its existence in the status checks
...
see 85a40da83c
2015-02-15 19:07:10 -05:00
Joshua Tauberer
330583f71d
status checks: if a service isn't available publicly, check if it is available on the loopback interface to distinguish not running from not accessible
2015-02-13 09:30:25 -05:00
Joshua Tauberer
e096144713
Outlook 2007 or later on Windows 7 and later
...
fixes #308
2015-02-13 13:29:01 +00:00
Joshua Tauberer
150611123a
typo/text tweak
2015-02-05 09:17:48 -05:00
Joshua Tauberer
abfc17ee62
web admin: simplify the instructions for creating a separate web directory for particular sites by moving it into a modal
2015-02-05 09:12:55 -05:00
Joshua Tauberer
97be9c94b9
if the user has set a http proxy or redirect on the root path of a domain, using custom.yaml, skip the domain from the static hosting panel because it won't be serving any static files
2015-02-05 08:55:57 -05:00
Joshua Tauberer
21b00e8fbb
if a custom A record is set, don't put in a default AAAA record pointing to the box because it will probably be wrong --- the user should either set an AAAA record or let the domain not resolve on IPv6
2015-02-03 21:51:19 -05:00
Ian Beringer
20d20df829
allow for non-standard ssh port in status check
...
closes #313
2015-02-01 23:06:56 +00:00
Joshua Tauberer
7e05d7478f
run status checks asynchronously so that they finish faster, since many checks are waiting on network replies and ought not to block the whole thing
2015-01-31 20:42:43 +00:00
Joshua Tauberer
8fd98d7db3
status checks: s/env['out']/output/
2015-01-31 20:42:43 +00:00
Joshua Tauberer
1039a08be6
/admin login now issues a user-specific key for future calls (rather than providing the system-wide API key or passing the password on each request)
2015-01-31 20:42:43 +00:00
Joshua Tauberer
023b38df50
split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism
...
This was done to pave the way for two-factor authentication, but that's still a ways off.
2015-01-31 20:41:41 +00:00
Joshua Tauberer
3187053b3a
don't save the CSR generated to make self-signed certificates for non-primary domains (it has no value and might be confusing)
2015-01-31 13:27:06 +00:00
David Piggott
63f2abd923
Fix typos in backup status template
2015-01-29 09:25:12 +00:00
Kurt Huwig
d3059c810f
Fix typo in mail-guide.html
...
Sercurity -> Security
2015-01-21 08:23:26 +01:00
Joshua Tauberer
85a40da83c
catch-all aliases and domain aliases should not require postmaster@ and admin@ aliases because they'll forward anyway
2015-01-19 23:32:36 +00:00
Joshua Tauberer
1bf8f1991f
internationalized domain names (DNS, web, CSRs, normalize to Unicode in database, prohibit non-ASCII characters in user account names)
...
* For non-ASCII domain names, we will keep the Unicode encoding in our users/aliases table. This is nice for the user and also simplifies things like sorting domain names (using Unicode lexicographic order is good, using ASCII lexicographic order on IDNA is confusing).
* Write nsd config, nsd zone files, nginx config, and SSL CSRs with domains in IDNA-encoded ASCII.
* When checking SSL certificates, treat the CN and SANs as IDNA.
* Since Chrome has an interesting feature of converting Unicode to IDNA in <input type="email"> form fields, we'll also forcibly convert IDNA to Unicode in the domain part of email addresses before saving email addresses in the users/aliases tables so that the table is normalized to Unicode.
* Don't allow non-ASCII characters in user account email addresses. Dovecot gets confused when querying the Sqlite database (which we observed even for non-word ASCII characters too, so it may not be related to the character encoding).
2015-01-19 23:31:55 +00:00
Joshua Tauberer
d155aa8745
if all system services are running, say so in the status checks rather than being totally silent
2015-01-19 22:04:25 +00:00
Joshua Tauberer
24cc108147
if a custom CNAME record is set, don't add a default A/AAAA record, e.g. for 'www'
...
see https://discourse.mailinabox.email/t/multiple-domains-in-mail-in-a-box-with-the-domains-being-hosted-elsewhere/56/18
2015-01-19 22:04:21 +00:00
Joshua Tauberer
09713e8eab
status checks: check that system services are running
...
If bind9 isn't running, don't proceed with other checks because we can't do DNS checks. Even though we skip, add error handling so that a failed call to rndc doesn't crash and that a timeout in a DNS check doesn't crash the status checks.
2015-01-11 14:13:35 +00:00
Francisco de Juan
6499c82d7f
explain how to add SRV records to DNS zonefile using the API
2015-01-04 10:23:34 +01:00
Joshua Tauberer
fddab5d432
allow the dns api to set srv records
...
see https://discourse.mailinabox.email/t/create-srv-record-at-the-dns-server/225
2015-01-02 23:39:09 +00:00
Joshua Tauberer
f141af4b61
status checks: don't die if openssh-server isn't installed
...
see https://discourse.mailinabox.email/t/local-dns-is-not-working-was-unable-to-check-system-status/165/39
2015-01-02 22:59:29 +00:00
Joshua Tauberer
3d8ea0e6ed
mail log scanner: don't assume lines are utf8
2015-01-02 22:49:25 +00:00
Joshua Tauberer
399f9d9bdf
in status checks, clear bind9 cache using rndc rather than restarting bind9
2014-12-26 13:22:14 +00:00
Joshua Tauberer
2b76fd299e
admin: ensure multiple concurrent api calls don't confuse the ajax loading indicator (track number of open requests, stop fade animation when it is time to hide)
2014-12-21 22:47:11 +00:00
Joshua Tauberer
90592bb157
add a control panel for setting custom dns records so that we don't have to use the api manually
2014-12-21 11:31:24 -05:00
Marc Schiller
c3a7e3413b
Fixed a small status check bug, where secondary dns server check fails misleadingly.
2014-12-09 12:40:32 +01:00
Joshua Tauberer
d390bfb215
indicate in the admin when a multi-domain or wildcard certificate is in use
2014-12-05 14:43:52 -05:00
Joshua Tauberer
ceba53f1c4
explain how to install a multi-domain or wildcard ssl cert; if one is installed, the Replace Cert button in the admin for non-primary domains should not replace the cert on the primary domain
2014-12-05 14:25:14 -05:00
Joshua Tauberer
be59bcd47d
for .fund domains use RSASHA256 DNSSEC keys
2014-12-05 12:03:21 -05:00
Joshua Tauberer
cfe0fa912a
add a 'redirects' feature in web/custom.yaml
2014-12-05 12:03:21 -05:00
Joshua Tauberer
82cf5b72e4
simplify some output in the work-in-progress mail log scanner
2014-11-30 14:41:30 +00:00
Joshua Tauberer
a7710e9058
dns.resolver.query treats hostnames as relative names if they don't end in a period
...
Relative hostnames have a fall-back lookup with the machine's hostname appended, which makes no sense. Add a period, e.g. "my.hostname.com" => "my.hostname.com.", to prevent that.
This caused false positive Spamhaus checks. Fixes #185.
2014-11-21 15:16:59 +00:00
Joshua Tauberer
057c1dd913
recommend IMAP/SMTP for everyone
2014-11-18 16:47:42 +00:00
Joshua Tauberer
06f2477cfd
the new iOS configuration profile also is used on OS X 10.10.1, see #261
2014-11-18 16:32:37 +00:00
Joshua Tauberer
cdaa2c847d
[merge] iOS Mobile Configuration Profile
2014-11-14 13:56:18 +00:00
Joshua Tauberer
7e7abf3b53
support "domain aliases" (@domain => @domain aliases)
...
This seemed to already be technically supported but the validation is now stricter and the admin is more helpful:
* Postfix seems to allow @domain.tld as an alias destination address but only if it is the only destination address (see the virtual man page).
* Allow @domain.tld if it is the whole destination address string.
* Otherwise, do not allow email addresses without local parts in the destination.
* In the admin, add a third tab for making it clear how to add a domain alias.
closes #265
2014-11-14 13:35:58 +00:00
Norman
c872e6a9f0
iOS Configuration Profile
...
change name
removed .vagrant
fix guide layout
2014-11-05 18:42:04 +01:00
Joshua Tauberer
ec73c171c7
when installing a ssl cert for the primary hostname, dns, postfix, and dovecot all need to be updated/kicked
...
see https://discourse.mailinabox.email/t/there-is-a-problem-with-the-ssl-certificate/144/4
2014-10-28 11:38:04 +00:00
Joshua Tauberer
f9acf0adec
better errors for ssl certificates
2014-10-24 21:30:33 +00:00
Joshua Tauberer
8b65c11cdf
the namecheap link was bad
2014-10-23 17:17:26 +00:00
Joshua Tauberer
34fca29dd3
fix the animated scroll target on the ssl panel to scroll so that the header is actually visible and not covered by the nav bar
2014-10-23 17:10:21 +00:00
Joshua Tauberer
b75fbf22ca
clear the local dns cache each time the status checks are run by restarting bind9
2014-10-23 17:06:33 +00:00
Joshua Tauberer
d790cae0e2
DNSSEC: use RSASHA256 for the .guide tld too
2014-10-23 17:03:23 +00:00
Joshua Tauberer
f35b2081a1
s/os.rename/shutil.move/ so that the file can be moved across filesystem boundaries, fixes #246
2014-10-21 11:45:14 +00:00
David Piggott
f0508d8cc9
Improve wrapping of external DNS value column to prevent layout overflow
...
see #244
Conflicts:
management/templates/external-dns.html
2014-10-21 11:33:42 +00:00
Joshua Tauberer
47dd59c2a7
admin mail guide: use bootstrap .panel to style the tips
...
also give more space for the login settings and less space to the tips
2014-10-21 11:17:49 +00:00
Joshua Tauberer
c2fe1bc2e3
document +tag addresses in the mail guide
2014-10-21 11:17:49 +00:00
Joshua Tauberer
cce1184090
admin: change the css class name around the panels to not invoke the bootstrap 'panel' css
2014-10-21 11:17:49 +00:00
Joshua Tauberer
1adb1d8307
admin: there is no need to make each panel a separate bootstrap container
...
* also fixes the footer alignment to be within a container rather than a container-fluid
* this changed the width of the login form slightly, so am cleaning that up too
see #244
2014-10-21 11:17:28 +00:00
Joshua Tauberer
c2174e10a6
some admin pages had a container within a container
...
see #244
2014-10-21 11:17:15 +00:00
Joshua Tauberer
86a5394f07
fix control panel when no backup has been made yet
2014-10-15 12:31:08 -04:00
Joshua Tauberer
b5b3fca137
report free disk space in the admin
2014-10-13 14:12:16 +00:00
Joshua Tauberer
048e35a80f
fix display of backups that are past due to be reaped
2014-10-13 14:12:16 +00:00
Joshua Tauberer
fb3045f456
retain backups only for 3 days; beyond that the user is responsible for copying files off of the machine
2014-10-13 14:12:11 +00:00
h8h
57f8ee0b09
Smoothly scroll to alias edit form.
2014-10-11 21:52:00 +02:00
h8h
64220292f1
Jump to the panel_aliases anchor (top) to directly edit the selected alias
2014-10-11 19:56:36 +02:00
Joshua Tauberer
82851d6d2d
suppress "Something went wrong, sorry." when the management daemon's api key has changed
2014-10-11 17:06:22 +00:00
Joshua Tauberer
2f952a7915
delay an ajax call to see if this fixes the problem of the loading indicator not going away after showing the user a panel after login
2014-10-11 17:06:22 +00:00
David Piggott
ca57560f11
Pass additional_records to recursive build_zone calls, closes #229
...
The problem was that custom records defined for a subdomain where implicit
records are otherwise defined (e.g. A/AAAA records for the root) were ignored.
Though additional_records for a subdomain are processed in the base call to
build_zone (the call for the parent domain), and so custom records that don't
override implicits were working fine, those that overrode implicits were
ignored.
This was because the recursive call to build_zone for the subdomain creates the
implicit records (including A/AAAA records for the root), and so by relying on
the base call to add the additional_records fails because has_rec returned
true.
Adding a subdomain's additional_records in the child call works because has_rec
returns false when testing whether to add an e.g. A/AAAA override for the root,
as the defaults have not yet been added.
2014-10-11 17:04:35 +01:00
Joshua Tauberer
17331e7d82
adding a really slick ssl certificate installation form in the control panel
2014-10-10 15:49:14 +00:00
Joshua Tauberer
5130b279d8
management/mail_log.py also include the previously rotated log file
2014-10-10 13:59:50 +00:00
Joshua Tauberer
aac6e49b94
spelling typo
2014-10-10 13:50:44 +00:00
Joshua Tauberer
ac49912b39
recommend DAVdroid
...
see http://discourse.mailinabox.email/t/recommend-a-different-android-carddav-and-caldav-android/102/1
2014-10-07 20:53:37 +00:00
Joshua Tauberer
0441a2e2e3
make a self-signed certificate on a non-primary domain a warning rather than an error, fixes #95
2014-10-07 20:41:07 +00:00
Joshua Tauberer
06a8ce1c9d
in the admin, show user mailbox sizes, fixes #210
2014-10-07 20:24:11 +00:00
Joshua Tauberer
443b084a17
in the admin, group aliases by domain, fixes #211
2014-10-07 19:47:46 +00:00
Joshua Tauberer
990649af2d
in the admin, group users by domain, fixes 209
2014-10-07 19:47:43 +00:00
Joshua Tauberer
6f4d29a410
tweak the new web instructions
2014-10-07 16:17:45 +00:00
Joshua Tauberer
6ab29c3244
add instructions for static web hosting into the control panel
2014-10-07 16:05:42 +00:00
Joshua Tauberer
bf9b770255
sort SSHFP records so that DNS updates don't trigger spurious zone changes
2014-10-07 15:15:22 +00:00
Joshua Tauberer
9210ebdb9f
control panel tweaks
2014-10-07 15:12:35 +00:00
Joshua Tauberer
a56bb984d6
handle catastrophically bad certificates rather than raising an exception
2014-10-07 14:58:21 +00:00
Joshua Tauberer
7d1c0b3834
show SSL certificate expiration info in the control panel even long before certificates expire
2014-10-07 14:49:36 +00:00
Joshua Tauberer
20892b5d5b
status check on ns records should now take into account that secondary dns may be customized, see #223
2014-10-05 18:42:52 +00:00
Joshua Tauberer
4cf53cd8ee
backup status relativedelta was displaying wrong for deltas greater than 1 month
2014-10-05 18:23:29 +00:00
Joshua Tauberer
f42a1c5a74
allow overriding the second nameserver with a secondary/slave server
...
fixes #151
fixes #223
2014-10-05 14:53:42 +00:00
Joshua Tauberer
092c842a87
split external/custom dns into separate pages in the admin
2014-10-05 13:38:23 +00:00
Joshua Tauberer
d9ecc50119
since the management server binds to 127.0.0.1, must use that and not 'localhost' to connect to it because 'localhost' resolves to the IPv6 ::1 when it is available, see #224
2014-10-05 09:01:26 -04:00
Joshua Tauberer
4ae76aa2dd
dnssec: use RSASHA256 keys for .email domains
2014-10-04 17:29:42 +00:00
Joshua Tauberer
779d921410
status checks: put DNSSEC tests in a better order w.r.t. other tests
...
* If the PRIMARY_HOSTNAME is in a zone with a DS record set at the registrar, show any DNSSEC failure (but only a failure) immediately since it is probably the cause of other DNS errors displayed later.
* For zones, if a DS record is set at the registrar, do the DNSSEC test first because even the NS test will fail if DNSSEC is improperly configured.
* But if a DS record is not set, then this is just a suggestion to configure DNSSEC so offer the suggestion last --- after mail and web checks.
see https://discourse.mailinabox.email/t/dns-nameserver-gandi-glue-records-issues/105/3
2014-10-01 12:13:11 +00:00
Joshua Tauberer
5c7ba2a4c7
preliminary work on a mail.log scanner to report things in the control panel
2014-09-27 13:33:13 +00:00
Joshua Tauberer
e9cc3fdaab
make mail instructions clearer and describe greylisting, DMARC policy
2014-09-27 13:32:22 +00:00
Joshua Tauberer
8bd37ea53c
add catch-alls to the admin again with nicer instructions
2014-09-27 13:32:22 +00:00
Joshua Tauberer
ab47144ae3
add strict SPF and DMARC records to any subdomains (including custom records) that do not have SPF/DMARC set
...
closes #208
2014-09-26 14:01:03 +00:00
Joshua Tauberer
9b6f9859d1
dns_update: assume DKIM is present
2014-09-26 14:01:03 +00:00
Joshua Tauberer
5a89f3c633
don't allow catch-all addresses in the admin because they take precedence over mail users and that's counter-intuitive
...
For now use the command-line tools/mail.py if you need it.
see #200
Revert "Changed incomming-email-input to type text"
This reverts commit 9631fab7b2.
2014-09-24 12:36:47 +00:00
Joshua Tauberer
c2ddabe683
fix ajax loading indicator positioning
2014-09-21 17:41:46 +00:00
Joshua Tauberer
846768efcb
admin: update user's password from the admin
2014-09-21 17:24:01 +00:00
Joshua Tauberer
8dfbb90f3a
admin: simplify the users table a bit
2014-09-21 17:10:23 +00:00
Joshua Tauberer
c7c3bd33cf
DNS API should reject qnames that aren't in a zone managed by the box
...
see https://discourse.mailinabox.email/t/set-www-a-and-other-dns-records-after-install/63/10
2014-09-21 13:37:30 +00:00
Joshua Tauberer
1637153566
make the DNS API a little clearer
2014-09-21 13:37:30 +00:00
Joshua Tauberer
05510f25a5
warn if an SSL cert is expiring in 30 days
2014-09-21 13:37:30 +00:00
Joshua Tauberer
b8ea7282b0
don't run `apt-get update` when generating the status checks output because it is so slow and should be updated daily by cron anyway
2014-09-21 13:37:30 +00:00
Joshua Tauberer
ff0c85615b
correct typo in comment
2014-09-15 10:02:25 +00:00
Joshua Tauberer
16e2350fef
revise the description of A records on domains: the A record must be present for good deliverability so that the envelope domain resolves, but it doesn't have to resolve to this machine
2014-09-15 06:00:50 -04:00
Christian
9631fab7b2
Changed incomming-email-input to type text
...
The input type="email" validation won't allow "@example.com", which is needed for catch-all-aliases.
2014-09-12 18:08:33 +02:00
Joshua Tauberer
196e42e8b5
don't automatically create an alias if a user account already exists by that name
...
In the event the first user is an address that we'd normally create as an alias,
we'd generate a loop from the alias to the administrative alias to the first user
account (which was the alias again).
hopefully fixes #186
2014-09-09 11:41:47 +00:00
Joshua Tauberer
f09da719f7
show the response from spamhaus.org in the status checks output
2014-09-08 20:27:26 +00:00
Joshua Tauberer
e9e95cbed5
tweak backup explanatory text
2014-09-08 20:12:31 +00:00
Joshua Tauberer
98fc449b49
only hold onto backups for 14 days (not 31) and show when the backups will be deleted in the control panel
2014-09-08 20:09:18 +00:00
Joshua Tauberer
bab8b515ea
new logic for determining when to take a full backup
2014-09-08 19:42:54 +00:00
Joshua Tauberer
cce6bc02a8
add links to IANA tables for DNSSEC algorithm/digest number assignments
2014-09-07 10:59:20 -04:00
Joshua Tauberer
110e0f90d9
dns: move the quoting of TXT records to when we write the zone file so that we can display it unquoted in the External DNS instructions
2014-09-07 11:42:20 +00:00
Joshua Tauberer
b5122770cc
tweak admin template for external DNS
2014-09-07 07:22:39 -04:00
Joshua Tauberer
03f9358de4
when checking SSL certs are OK, check for wildcard certificates
...
fixes #175 (hopefully)
2014-09-03 17:31:47 +00:00
Joshua Tauberer
f77f1e656c
split CardDAV instructions into a new page and add CalDAV instructions; create nice redirects at /cloud/calendar and /cloud/contacts
2014-09-03 10:51:19 +00:00
Joshua Tauberer
b420e560c3
don't show 'make admin' on archived mailbox accounts and other control panel cleanup
2014-09-03 10:17:46 +00:00
Joshua Tauberer
7a449c76a1
set the DNS TTL to 30 minutes rather than 1 day
...
Also updating the values for secondary DNS, but we're not set up
for secondary DNS so it won't matter.
see #172
2014-09-01 23:06:55 +00:00
Joshua Tauberer
3853e8dd93
show the status of backups in the control panel
2014-09-01 13:06:53 +00:00
Joshua Tauberer
10a37cd033
add SSHFP records to DNS
2014-08-27 12:59:40 +00:00
Joshua Tauberer
684d9b3c70
prettify the custom DNS docs
2014-08-27 12:57:47 +00:00
Joshua Tauberer
699923d605
Merge pull request #166 from benschumacher/master
...
Fix typo in dns_update.py.
2014-08-26 16:13:11 -04:00
Ben Schumacher
d5efb05f31
Fix typo in dns_update.py.
2014-08-26 15:58:34 -04:00