Joshua Tauberer
8c6363f792
bad ciphers were allowed in smtp submission
...
This disallows aNULL and other bad ciphers in the Postfix submission server.
I missed an option in 45e93f7dcc recommended by the blog post I was reading.
Fixes #389.
2015-05-05 23:14:59 +00:00
Joshua Tauberer
cbb7f29f96
add 'ip-transparent: yes' to nsd.conf
...
https://discourse.mailinabox.email/t/nsd-service-not-started-at-startup-dns-not-working/449
2015-05-04 11:24:40 +00:00
Joshua Tauberer
8886c9b6bc
move the server: block of nsd.conf out of the management daemon and into the setup scripts
2015-05-04 11:24:40 +00:00
Joshua Tauberer
a07de38e80
remove workaround for buggy nsd installation
...
Prior to nsd 4.0.1-1ubuntu0.1, we had to create the nsd user before installing the nsd package.
This was our issue #25 (see 4e6037c0e1, c7e1e29d) and I reported it upstream at https://bugs.launchpad.net/ubuntu/+source/nsd/+bug/1311886 . The new package was published by Ubuntu on 2015-01-15 so this work-around is no longer needed.
2015-05-04 11:24:40 +00:00
Joshua Tauberer
1f08997a9e
need my new email_validator library during questions
2015-05-03 11:02:23 -04:00
Joshua Tauberer
f0143fd6c9
bump version of my email_validator library
2015-04-29 21:18:14 +00:00
Joshua Tauberer
5efd5abbe4
move the email address syntax validation for users and aliases into my new email_validator library ( https://github.com/JoshData/python-email-validator )
2015-04-21 14:43:12 +00:00
Joshua Tauberer
e514ca0009
bump to Roundcube 1.1.1
2015-04-16 11:45:35 +00:00
Joshua Tauberer
c38bdbb0c5
mistake in 31eec9fa1c #300
2015-04-11 15:24:15 -04:00
Joshua Tauberer
2a1704a0dc
check that the downloaded ownCloud and roundcube files match a known SHA1 hash
2015-04-11 15:21:38 -04:00
Joshua Tauberer
2d1186e55d
increase spampd maximum message size from 64KB to 500KB, matching the spamc default
...
see https://discourse.mailinabox.email/t/allow-spamassassin-to-scan-emails-larger-than-250kb/391
2015-04-09 14:46:02 +00:00
Joshua Tauberer
322a5779f1
store IDNs (internationalized domain names) in IDNA (ASCII) in our database, not in Unicode
...
I changed my mind. In 1bf8f1991f I allowed Unicode domain names to go into the database. I thought that was nice because it's what the user *means*. But it's not how the web works. Web and DNS were working, but mail wasn't. Postfix (as shipped with Ubuntu 14.04 without support for SMTPUTF8) exists in an ASCII-only world. When it goes to the users/aliases table, it queries in ASCII (IDNA) only and had no hope of delivering mail if the domain was in full Unicode in the database. I was thinking ahead to SMTPUTF8, where we *could* put Unicode in the database (though that would prevent IDNA-encoded addressing from being deliverable) not realizing it isn't well supported yet anyway.
It's IDNA that goes on the wire in most places anyway (SMTP without SMTPUTF8 (and therefore how Postfix queries our users/aliases tables), DNS zone files, nginx config, CSR 'CN' field, X509 Common Name and Subject Alternative Names fields), so we should really be talking in terms of IDNA (i.e. ASCII).
This partially reverts commit 1bf8f1991f, where I added a lot of Unicode=>IDNA conversions when writing configuration files. Instead I'm doing Unicode=>IDNA before email addresses get into the users/aliases table. Now we assume the database uses IDNA-encoded ASCII domain names. When adding/removing aliases, addresses are converted to ASCII (w/ IDNA). User accounts must be ASCII-only anyway because of Dovecot's auth limitations, so we don't do any IDNA conversion (don't want to change the user's login info behind their back!). The aliases control panel page converts domains back to Unicode for display to be nice. The status checks convert the domains to Unicode just for the output headings.
A migration is added to convert existing aliases with Unicode domains into IDNA. Any custom DNS or web settings with Unicode may need to be changed.
Future support for SMTPUTF8 will probably need to add columns in the users/aliases table so that it lists both IDNA and Unicode forms.
2015-04-09 14:46:02 +00:00
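The storage rule described in the commit above, sketched as an added example (not code from Mail-in-a-Box). The function names, the sample addresses and the dict standing in for the aliases table are constructed, and Python's built-in `idna` codec (IDNA 2003) is an assumption about how the conversion could be done.

```python
# Added example: normalise addresses to IDNA before they reach the
# users/aliases tables, and show why a Unicode row is unreachable for an
# ASCII-only MTA. All names here are hypothetical.


def domain_to_idna(domain: str) -> str:
    """Return the ASCII (IDNA) wire form of a domain name."""
    if not domain:
        raise ValueError("empty domain")
    try:
        # The built-in codec leaves pure-ASCII labels untouched, so
        # lowercase first to get a single canonical spelling.
        return domain.lower().encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"invalid domain {domain!r}: {exc}") from exc


def domain_to_unicode(domain: str) -> str:
    """Decode a stored IDNA domain for display only."""
    return domain.encode("ascii").decode("idna")


def alias_for_storage(address: str) -> str:
    """Convert an alias address to the ASCII form kept in the database."""
    local, at, domain = address.rpartition("@")
    if not at:
        raise ValueError("address has no @")
    if not local.isascii():
        # Assumption: without SMTPUTF8 a non-ASCII local part cannot be
        # delivered, so it is rejected rather than silently rewritten.
        raise ValueError("non-ASCII local part")
    return f"{local}@{domain_to_idna(domain)}"


def user_for_storage(address: str) -> str:
    """User logins are never rewritten: reject anything that is not ASCII."""
    if not address.isascii():
        raise ValueError("user accounts must be ASCII-only")
    local, at, domain = address.rpartition("@")
    if not at or not domain:
        raise ValueError("address has no domain part")
    return address


def for_display(address: str) -> str:
    """Show the Unicode domain in a control panel; storage stays ASCII."""
    local, _, domain = address.rpartition("@")
    return f"{local}@{domain_to_unicode(domain)}"


def migrate_aliases(table: dict) -> dict:
    """Rewrite existing rows (source -> destination) into IDNA form."""
    return {alias_for_storage(src): alias_for_storage(dst)
            for src, dst in table.items()}


def mta_lookup(table: dict, wire_recipient: str):
    """An ASCII-only MTA does an exact match on the address it saw on the wire."""
    return table.get(wire_recipient)


# Constructed sample data: one alias stored with a Unicode domain.
OLD_TABLE = {"info@bücher.example": "me@example.com"}
WIRE_RECIPIENT = "info@xn--bcher-kva.example"  # what arrives over SMTP

if __name__ == "__main__":
    print("before migration:", mta_lookup(OLD_TABLE, WIRE_RECIPIENT))
    new_table = migrate_aliases(OLD_TABLE)
    print("after migration: ", mta_lookup(new_table, WIRE_RECIPIENT))
    print("shown to admin:  ", [for_display(a) for a in new_table])
```
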
Joshua Tauberer
e41df28bf2
if a migration fails, don't continue setup
2015-04-09 14:46:02 +00:00
Joshua Tauberer
d11be61d94
Add POP3S support (merge w/ adjustments)
...
* Add pop3s to the ufw firewall rules.
* Updated some comments.
* Updated CHANGELOG.
Merge branch 'master' of https://github.com/pichak/mailinabox
2015-04-09 08:19:20 -04:00
Morteza Milani
916063a79b
Better documentation for POP3 settings, UIDL.
...
UIDL assigns a unique string to each email. This allows emails to
be left on the server after a client downloads them.
2015-04-08 21:32:14 -07:00
Joshua Tauberer
f3ad6b4acc
Version 0.08
...
CHANGELOG
=========
v0.08 (April 1, 2015)
---------------------
Mail:
* The Roundcube vacation_sieve plugin by @arodier is now installed to make it easier to set vacation auto-reply messages from within Roundcube.
* Authentication-Results headers for DMARC, added in v0.07, were mistakenly added for outbound mail --- that's now removed.
* The Trash folder is now created automatically for new mail accounts, addressing a Roundcube error.
DNS:
* Custom DNS TXT records were not always working and they can now override the default SPF, DKIM, and DMARC records.
System:
* ownCloud updated to version 8.0.2.
* Brute-force SSH and IMAP login attempts are now prevented by properly configuring fail2ban.
* Status checks are run each night and any changes from night to night are emailed to the box administrator (the first user account).
Control panel:
* The new check that system services are running mistakenly checked that the Dovecot Managesieve service is publicly accessible. Although the service binds to the public network interface we don't open the port in ufw. On some machines it seems that ufw blocks the connection from the status checks (which seems correct) and on some machines (mine) it doesn't, which is why I didn't notice the problem.
* The current backup chain will now try to predict how many days until it is deleted (always at least 3 days after the next full backup).
* The list of aliases that forward to a user are removed from the Mail Users page because when there are many aliases it is slow and times out.
* Some status check errors are turned into warnings, especially those that might not apply if External DNS is used.
2015-04-01 10:14:34 -04:00
Joshua Tauberer
dd6a8d9998
upgrade to ownCloud 8.0.2
...
The contacts and calendar apps are now maintained outside of ownCloud core, so we now pull them in from github tags and must enable them explicitly.
2015-03-28 11:08:57 -04:00
Joshua Tauberer
9f32e5af0a
the install of roundcube vacation_sieve requires that we install git
...
see a8669197dd
2015-03-28 09:54:52 -04:00
Joshua Tauberer
dcd971d079
the opendmarc milter should run on incoming mail only
...
I added OpenDMARC's milter in fba4d4702e. But this started setting Authentication-Results headers on outbound mail with failures. Not sure why it fails at that point, but it shouldn't be set at all. The failure might cause recipients to junk the mail. See #358.
This commit removes the milter from the SMTP submission (port 587) listener.
2015-03-21 16:14:01 +00:00
Joshua Tauberer
4d22fb9b2a
run status checks each night and email the administrator with the changes from the previous day's results
2015-03-21 16:02:42 +00:00
Joshua Tauberer
b539c2df70
Merge pull request #347 from Toilal/feat/start-enhancements
...
If the migration file is missing but the storage directory exists, assume this is a fresh directory -- don't bother trying to migrate, and do write the migration file with the current migration ID.
2015-03-19 11:57:24 -04:00
Toilal
64fdb4ddc1
Behave nicely when mailinabox.version file is missing
2015-03-09 08:54:32 +01:00
Joshua Tauberer
a8669197dd
added Roundcube plugin vacation_sieve
...
Merge branch 'master' of https://github.com/zealot128-os/mailinabox
Closes #334
2015-03-08 19:15:20 +00:00
H8H
c443524ee2
Configure fail2ban jails to prevent dumb brute-force attacks against postfix, dovecot and ssh. See #319
2015-03-08 01:13:55 +01:00
Joshua Tauberer
1be0f39be0
prep for v0.07 tag
2015-02-28 17:09:12 -05:00
Stefan Wienert
ba8123f08a
reduced diff noise
2015-02-21 16:06:56 +01:00
Stefan Wienert
e2879a8eb1
made the setup repeatable
2015-02-21 16:05:47 +01:00
Stefan Wienert
eab8652225
added vacation_sieve plugin for Roundcube
2015-02-21 16:01:27 +01:00
Joshua Tauberer
fba4d4702e
install opendmarc to add Authentication-Results headers for DMARC too
2015-02-16 23:17:44 +00:00
Joshua Tauberer
d775f90f0c
prevent apt from asking the user any questions
...
Add additional options to really prevent apt from asking questions, which causes setup to hang because stdin/out have been redirected.
fixes #270, #291
2015-02-13 13:41:52 +00:00
Joshua Tauberer
7ce30ba888
roundcube 1.1.0
2015-02-13 13:22:46 +00:00
Joshua Tauberer
575d3a66c6
more on being smarter about waiting for the management daemon to start
...
cc333b3965 worked for fresh systems, but if the system already had the daemon running the api.key file would already exist and the test would pass too early. Now removing the file first.
fixes #322
2015-02-13 13:11:03 +00:00
Joshua Tauberer
cc333b3965
be smarter about waiting for the management daemon to start before accessing it
2015-02-10 10:03:07 -05:00
Joshua Tauberer
351758b3bd
typo
...
typo in "roudcube"
2015-02-10 09:27:36 -05:00
H8H
005315cd29
removed hardcoded /home directory to apply the existing configuration options for STORAGE_USER/ROOT if they exist
...
Highest priority: the pre set STORAGE_ROOT/USER, midmost priority: the config settings, lowest priority: the default one.
fixes #309; closes #311
2015-02-03 23:52:02 +00:00
Joshua Tauberer
b9ca74c915
implement Mozilla (e.g. Thunderbird) autoconfiguration file
...
fixes #241
2015-01-31 21:33:18 +00:00
pierreozoux
f6d4621834
Typo
2015-01-29 17:03:20 +00:00
Norman
f78cff225b
Add Munin
...
removed testing source
fixed typo & dns
oh cat
more fixes
forgot root
more nginx stuff
nginx munin.conf fix
more fixes
set dns record
2015-01-28 21:42:16 +01:00
Morteza Milani
31eec9fa1c
Add POP3s support
2015-01-25 23:37:01 -08:00
Joshua Tauberer
b02d7d990e
install cron in case it isn't already installed
2015-01-11 20:00:11 +00:00
Joshua Tauberer
87f82addbc
preflight memory check: units problems
...
/proc/meminfo reports kibibytes. Lower the minimum memory requirement so that 768 MB (not MiB) also is allowed.
Report the detected memory in MB (not KiB), to be clearer.
Fixes #289.
2015-01-11 14:13:35 +00:00
Joshua Tauberer
0aa3941832
release v0.06
2015-01-04 15:18:13 -05:00
Joshua Tauberer
c4e4805160
ensure postfix/postgrey agree on whether to communicate with ipv4 or ipv6
...
see https://discourse.mailinabox.email/t/postgrey-and-ipv6/227
2015-01-02 23:37:16 +00:00
Joshua Tauberer
c75950125d
set dovecot default_process_limit and fs.inotify.max_user_instances to better defaults
...
See https://discourse.mailinabox.email/t/mailserver-limits/228 .
2015-01-02 23:25:52 +00:00
Joshua Tauberer
5cf38b950a
bump ownCloud to 7.0.4; fixes #283
2014-12-12 01:00:35 +00:00
Joshua Tauberer
be59bcd47d
for .fund domains use RSASHA256 DNSSEC keys
2014-12-05 12:03:21 -05:00
Michael Dec
7e36e1fd90
added sudo to the list
...
not all setups have it and the miab installer depends on it
2014-11-25 15:36:34 +00:00
Joshua Tauberer
3133dcd5a3
release 0.05
2014-11-18 16:52:02 +00:00
Joshua Tauberer
06f2477cfd
the new iOS configuration profile also is used on OS X 10.10.1, see #261
2014-11-18 16:32:37 +00:00
Joshua Tauberer
cdaa2c847d
[merge] iOS Mobile Configuration Profile
2014-11-14 13:56:18 +00:00
Joshua Tauberer
b04addda9a
move the mobileconfig into the conf directory as a plain XML file and handle substitutions and copying to /var in web.sh
2014-11-14 13:52:29 +00:00
Joshua Tauberer
9b9f5abf8f
update to ownCloud 7.0.3
2014-11-14 13:35:58 +00:00
Norman
7db80458dd
fix description
2014-11-06 15:42:22 +01:00
Norman
5775cab175
various fixes
2014-11-06 15:33:08 +01:00
Norman
c872e6a9f0
iOS Configuration Profile
...
change name
removed .vagrant
fix guide layout
2014-11-05 18:42:04 +01:00
fpgaminer
f797eecaca
Fix typo in zpush.sh comment
2014-11-04 19:53:24 -08:00
Joshua Tauberer
de0ccd0632
[merge] Disable encapsulation of spam and marking of it as seen
...
is #254 plus a longer comment, fixes #243
2014-10-31 12:15:58 +00:00
David Piggott
be9d97902f
Disable encapsulation of spam and marking of it as seen
2014-10-28 15:15:21 +00:00
Joshua Tauberer
d790cae0e2
DNSSEC: use RSASHA256 for the .guide tld too
2014-10-23 17:03:23 +00:00
David Piggott
3ff74c8dc5
Add source line so dkim should actually work when run separately
2014-10-20 21:33:20 +01:00
David Piggott
e997114d6e
Add shebangs to enable running dkim and webmail scripts separately
2014-10-20 21:26:14 +01:00
Joshua Tauberer
e9aecba4df
update to roundcube 1.0.3, and really update
...
Updating existing installed was broken. The new roundcube would be copied into a subdirectory of /usr/local/lib/roundcubemail.
Also fixes the image thumbnail issue raised on the forum (https://discourse.mailinabox.email/t/roundcube-thumbnails-not-showing/136 ), see http://trac.roundcube.net/wiki/Changelog .
2014-10-20 12:48:15 +00:00
Joshua Tauberer
6585384daa
bring the max outgoing mail size via webmail and z-push in line with the limit set in postfix: 128 MB
...
The limit was previously the nginx default (2MB?).
fixes #236
2014-10-16 22:11:10 +00:00
Joshua Tauberer
8902e9d1fc
bump bootstrap to incoming v0.04 tag
2014-10-15 12:33:20 -04:00
Joshua Tauberer
df5df18820
fixes for bootstrap.sh for upgrading
...
* `git fetch` wasn't done right for shallow clones
* the test for whether mailinabox has already been cloned wasn't looking at the right directory if the script was not run from $HOME
2014-10-15 12:22:48 -04:00
Joshua Tauberer
0b5bf602aa
various improvements in bash comments
2014-10-15 11:46:20 -04:00
Joshua Tauberer
06e074bd32
disable SSLv3 in dovecot now that it is known to be insecure (POODLE)
...
SSLv3 is already disabled in Postfix (45e93f7dcc) and Nginx (51dd2ed70b).
2014-10-15 15:39:05 +00:00
Joshua Tauberer
495790d81d
still didn't get the permissions right, chmod must follow sa-learn's initial creation of files
...
see #231, #201, b26abc947e, 7ca54a2bfb, dfe0a9f187
2014-10-12 18:05:04 +00:00
Joshua Tauberer
dfe0a9f187
clean up setup/spamassassin.sh
2014-10-12 17:57:04 +00:00
Joshua Tauberer
7ca54a2bfb
give dovecot antispam plugin's sa-learn-pipe script permission to write to the bayes files
...
see #231, #201, b26abc947e.
2014-10-12 17:57:04 +00:00
David Piggott
b26abc947e
Change owner of spamassassin directory from mail to spampd, closes #231
2014-10-11 18:00:22 +01:00
Joshua Tauberer
2f4eccd9a9
add 'source /etc/mailinabox.conf' to dns.sh so it can be run separately
2014-10-08 12:48:43 +00:00
Joshua Tauberer
8566b78202
drop webfinger, see #95
2014-10-07 20:30:36 +00:00
Joshua Tauberer
711db9352c
bootstrap: apt was mangling stdin
...
When executed "cat bootstrap.sh | bash", apt-get mangled stdin. The script would terminate at the end of the if block containing apt-get (that seems to be as much as bash read from the pipe) and the remainder of the script was output to the console. This was very weird.
Ensuring that apt-get and git have their stdins redirected from /dev/null seems to fix the problem.
see #224
2014-10-05 13:40:12 -04:00
Joshua Tauberer
7c2092d48f
remove apache before installing nginx, see #224
2014-10-05 09:01:20 -04:00
Joshua Tauberer
5fd107cae5
more work on making the bash scripts readable
2014-10-04 17:57:26 -04:00
Joshua Tauberer
db0967446b
remove unnecessary sudos
2014-10-04 14:06:08 -04:00
Joshua Tauberer
2ff5038c84
replace '.' with 'source'
2014-10-04 14:05:06 -04:00
Joshua Tauberer
4ae76aa2dd
dnssec: use RSASHA256 keys for .email domains
2014-10-04 17:29:42 +00:00
h8h
ba33669a62
generate the locales before change to it.
...
For my german box changing the locale failed:
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
setup/functions.sh: line 6: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
see #206 and 4e6d572de9
closes #220
commit modified by joshdata
2014-10-02 11:05:42 +00:00
Joshua Tauberer
94c4352f45
Merge branch 'jmar71n-master' - site-wide bayesian spam filtering
2014-09-27 16:18:55 +00:00
Joshua Tauberer
6dd6353d41
move sa-learn-pipe.sh from /usr to /usr/local
2014-09-27 16:18:40 +00:00
Joshua Tauberer
d06bfa6c1b
tweak the site-wide bayesian spam filtering config
2014-09-27 16:18:36 +00:00
Joshua Tauberer
698ae03505
catch-all addresses should not have precedence over mail users
...
Aliases have precedence over mail users. A catch-all address would grab mail intended for a mail user and send it elsewhere. This adds some SQL hackery to create dummy aliases for all mail users.
fixes #200
closes #214 another way
2014-09-27 13:32:10 +00:00
Joshua Tauberer
a4c70f7a92
revert dovecot part of 39bca053ed because dovecot started behaving weird and I don't have time to debug it
2014-09-26 22:41:59 +00:00
Joshua Tauberer
39bca053ed
add 2048 bits of DH params for nginx, postfix, dovecot
...
nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own.
ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.)
see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3
2014-09-26 22:09:22 +00:00
Joshua Tauberer
c2eb8e5330
typo in roundcube download URL
...
see 8e0967dd8e (commitcomment-7940724)
2014-09-26 14:26:45 +00:00
Joshua Tauberer
4e6d572de9
ensure Python operates in UTF-8 with a consistent locale for all users
...
fixes #206 (hopefully)
2014-09-26 08:26:09 -04:00
Joshua Tauberer
5714b3c6b7
bump bootstrap.sh to incoming 0.03 tag
2014-09-24 12:48:15 +00:00
Joshua Tauberer
8e0967dd8e
if an earlier version of roundcube had already been installed, update to our target version
...
fixes #195
2014-09-24 12:46:51 +00:00
Joshua Tauberer
ed8fb2d06d
the latest z-push introduces a new/second USE_FULLEMAIL_FOR_LOGIN parameter
...
see http://discourse.mailinabox.email/t/activesync-z-push-not-working/94/3
2014-09-24 12:24:35 +00:00
Joshua Tauberer
8c8d9304ac
lock z-push to a particular upstream version by fmbiete/Z-Push-contrib commit hash
2014-09-24 12:20:10 +00:00
Joshua Tauberer
c1ccd22531
put a start script at /usr/local/bin/mailinabox
2014-09-22 16:37:12 -04:00
Joshua Tauberer
01c964bfe3
update bootstrap.sh for next tag
2014-09-22 16:35:07 -04:00
Joshua Tauberer
6c59294e7b
more readable bash
2014-09-21 16:05:11 -04:00
Joshua Tauberer
9d40a12f44
first pass at making readable documentation by parsing the bash scripts
2014-09-21 13:43:31 -04:00
jmar71n
b5bb12d0d2
enable site-wide bayesian filtering
...
Create directory in $STORAGE_ROOT for bayes database.
Added --username arg to sa-learn as the user mail does not have permission to edit files in $STORAGE_ROOT. There is probably a better solution to this...
2014-09-20 16:07:30 +01:00
Joshua Tauberer
dd91553689
open the firewall to an alternative SSH port if set
...
https://discourse.mailinabox.email/t/opening-up-a-custom-port-for-ssh-after-install/55/2
2014-09-20 08:26:10 -04:00
Joshua Tauberer
98651deea4
python3-dev is a dependency for many pip packages, including pyyaml, fixes #196
2014-09-17 21:56:09 +00:00
Bretos
467f04facb
update roundcube version
2014-09-10 12:32:32 +02:00
Joshua Tauberer
7ea956d3bc
install network-checks's dependencies
...
Since it runs before the real setup begins, we must make sure that packages are installed.
Also removing bind9-host's installation from system.sh. In 189dd6000e I added this so we could use `host` to aid Docker autoconfiguration. Docker support was since removed but this hadn't gotten removed, which led me to think it was normally installed by Ubuntu. It's now installed in `network-checks.sh`.
fixes #180
2014-09-07 12:29:23 +00:00
Joel Kåberg
6b13ac1ca9
Support more concurrent connections
2014-09-04 16:40:33 +02:00
Joel Kåberg
9fd6958dc2
Revert commit "Support more concurrent connections for z-push"
2014-09-04 16:39:38 +02:00
Joel Kåberg
e434bf9fce
Support more concurrent connections for z-push
...
My logs were showing lots of:
[04-Sep-2014 15:52:41] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it
2014-09-04 16:11:06 +02:00
Joshua Tauberer
3853e8dd93
show the status of backups in the control panel
2014-09-01 13:06:53 +00:00
Joshua Tauberer
4ec6692f21
showing the mail-in-a-box version might fail if git isn't actually installed
...
The user might acquire the sources via some means other than a git clone. On Vagrant, the files come in via Vagrant. So test for git before running `git describe`.
2014-09-01 07:51:25 -04:00
Joel Kåberg
7603ce0489
this is what I meant
2014-09-01 10:32:44 +02:00
Joel Kåberg
8b2fed1a2a
fixes comments by @JoshData
2014-09-01 10:02:46 +02:00
Joel Kåberg
ee244386ed
update ownCloud if necessary
...
this will always download the latest ownCloud and upgrade if ownCloud install dir exist, this approach allows us to keep existing user plugins. currently not checking if currently installed version is equal to the one we're downloading as I couldn't find a proper solution for that
2014-08-31 20:34:57 +02:00
Joshua Tauberer
cfffb38508
link-local IPv6 addresses need a '%interface' specification to be useful
2014-08-31 08:09:13 -04:00
Joshua Tauberer
24ff0e04b1
output/text tweaks
2014-08-27 14:42:00 +00:00
Joshua Tauberer
10a37cd033
add SSHFP records to DNS
2014-08-27 12:59:40 +00:00
Joshua Tauberer
8586723e70
Merge pull request #168 from hjjg/feature-localehandling1
...
locale-safe check if we have enough memory installed
2014-08-27 07:41:49 -04:00
Joshua Tauberer
da2af2ea5c
once the user has a signed SSL cert, simplify the message at the end of setup
2014-08-27 02:37:03 +00:00
Joshua Tauberer
6a311ee7d9
show the tag or commit the user is on in the output to aid debugging when a user posts the output somewhere
2014-08-27 02:37:03 +00:00
Helmuth Gronewold
756ba111a3
Also switch blocksize and count at the owncloud-specific key generation to ensure you get as many bytes as you wanted.
2014-08-26 22:22:43 +02:00
Helmuth Gronewold
ab3d205ef6
Switch blocksize and count when reading from urandom with dd, to prevent getting fewer bytes for the secret key.
2014-08-26 22:16:31 +02:00
Joshua Tauberer
c0f4618bef
normalize some whitespace
2014-08-26 07:13:47 -04:00
Joshua Tauberer
245864caac
bug in the IPV6 question
2014-08-26 10:34:22 +00:00
Helmuth Gronewold
3774f589c8
locale-safe check if we have enough memory installed
2014-08-25 23:36:55 +02:00
Joshua Tauberer
d1c7617cdb
Merge branch 'master' into usedialog
2014-08-25 08:26:59 -04:00
Joshua Tauberer
ea32af1f0e
Merge commit 'b0d6473c3c6748a68f4845324fee13f3153bc18f' into usedialog
...
Conflicts:
setup/start.sh (changes are in questions.sh now)
2014-08-25 08:26:39 -04:00
Joshua Tauberer
c18200d9b1
Merge commit '09d2a08ce620928d0398068197951e5acebca0f0' into usedialog
...
Conflicts:
setup/start.sh (change was already applied)
2014-08-25 08:23:28 -04:00
Joshua Tauberer
bf5016a8ac
bootstrap.sh: allow overriding the tag to checkout by setting the TAG environment variable (helpful for debugging)
2014-08-25 08:18:46 -04:00
Joshua Tauberer
e0dc8ff04a
when deleting my old /usr/local/bin/mailinabox-exchange-autodiscover.php file from existing systems, don't emit an error if the file doesn't exist (added -f)
2014-08-25 08:10:54 -04:00
Joshua Tauberer
faf6f87a63
move the user-interactive questions and other parts of start.sh into new files
2014-08-25 08:09:37 -04:00
Joshua Tauberer
4ed69cbae5
replace '-t 0' test with an environment variable since '-t 0' is false when standard input has been redirected and doesn't tell us whether or not we can use dialog for input, but Vagrant must be non-interactive
2014-08-25 07:54:11 -04:00
Joshua Tauberer
28231ac248
Merge pull request #150 from hjjg/secretkeyfix
...
The secret key that encrypts the backups should not be world readable.
2014-08-24 17:21:38 -04:00
Helmuth Gronewold
90c7655d82
Fix wrong permissions of backup secret. Python 3 needs octal permissions.
2014-08-24 21:27:39 +02:00
Joshua Tauberer
6e3b04ce83
when generating SSL CSRs, using SHA256 as SHA1 is being phased out, per @konklone
2014-08-23 17:49:33 -04:00
Joshua Tauberer
b0d6473c3c
Merge branch 'box-in-a-name' of github.com:hjjg/mailinabox
2014-08-23 12:43:47 +00:00
Joshua Tauberer
03bbd25a10
re-do allow apt to perform security updates on its own
...
Move this into system.sh rather than management.sh.
This reverts commit eab28c97ff.
2014-08-23 12:35:59 +00:00
Helmuth Gronewold
ff8413a622
Better handling of hostname and email address recommendation.
2014-08-23 08:51:18 +02:00
Helmuth Gronewold
ee9552734f
Fix permissions of backup secret according to Josh's comment at
...
https://github.com/mail-in-a-box/mailinabox/pull/150#issuecomment-53120156
2014-08-22 23:23:56 +02:00
Helmuth Gronewold
a68fd6429f
The secret key that encrypts the backups should not be world readable.
2014-08-22 22:55:34 +02:00
Joshua Tauberer
f7c7d5b9c3
Merge pull request #146 from ls42/zpush/auto-timezone
...
Read timezone from /etc/timezone.
2014-08-21 17:21:47 -04:00
Christian Koptein
09d2a08ce6
Typo in introduction
2014-08-21 21:51:54 +02:00
Joshua Tauberer
9576594cfe
bootstrap script should check out a particular tag rather than master
2014-08-21 17:28:20 +00:00
Joshua Tauberer
76dcab3139
now that we use `dialog` for input we can pipe the bootstrap script to bash
2014-08-21 17:28:12 +00:00
Joshua Tauberer
7e8e104964
when asking for a CSR country code, give the user a list
2014-08-21 17:28:04 +00:00
Joshua Tauberer
7ea4d33e06
simplify the input_box function
2014-08-21 16:01:12 +00:00
Joshua Tauberer
eab28c97ff
allow apt to perform security updates on its own
2014-08-21 11:47:28 +00:00
Joshua Tauberer
294d19e0af
rename whats_next.py to status_checks.py
2014-08-21 10:43:55 +00:00
H8H
980b83b124
Added dialogs, so that the setup.sh can ask the user any questions even when it's piped; Added additional email validation for the last step
2014-08-21 03:09:09 +02:00
Stephan Brauer
2cab02c831
Read timezone from /etc/timezone.
2014-08-20 23:51:10 +02:00
Joshua Tauberer
aaea954072
remove my old Exchange autodiscover PHP script from systems
2014-08-19 11:50:00 +00:00
Joshua Tauberer
b6dd407aa7
z-push autodiscover should use the primary hostname for the mail server and not the domain part of the email address (both may work, but the primary hostname is more likely to have a signed SSL cert)
2014-08-19 11:49:20 +00:00
jkaberg
a0df18506b
use z-push autodiscover instead
2014-08-19 13:03:44 +02:00
Joshua Tauberer
b30d7ad80a
web-based administrative UI
...
closes #19
2014-08-17 22:46:06 +00:00
Joshua Tauberer
04454b35c6
(merge) CardDAV, CalDAV via ownCloud and move to z-push fork fork
...
Merges branch 'owncloud' of github.com:jkaberg/mailinabox
which is pull request #135 , closes #135
thanks @jkaberg, @fmbiete, @owncloud
2014-08-17 15:31:08 -04:00
Joshua Tauberer
56c7d7436e
warn that generating DNSSEC keys takes a while (still slow in some virtualized environments)
2014-08-17 11:50:05 -04:00
Joshua Tauberer
062e8b839e
failed network checks should result in start.sh exiting with a non-zero exit status
2014-08-17 11:50:05 -04:00
Joshua Tauberer
7e62131fbc
a bootstrapping script to support a one-line install command
...
based on a script by @jkaberg in #141
2014-08-16 13:31:42 -04:00
Joshua Tauberer
e1606df237
s/joshdata/mailinabox/ due to repo moving to the org account
2014-08-16 13:16:01 +00:00
Joshua Tauberer
bbd35f4906
ownCloud: do cron the same way we do the others
2014-08-16 13:00:36 +00:00
Joshua Tauberer
ae1e69a5e3
ownCloud: code a way to add admins from our users table, but don't use it
2014-08-16 12:59:29 +00:00
Joshua Tauberer
9e86c67534
make setup/owncloud.sh idempotent: don't wreck user data on second run
2014-08-16 12:38:03 +00:00
Joshua Tauberer
277f98aac8
drop the owncloud mail app for now
2014-08-16 12:19:40 +00:00
Joshua Tauberer
398b538e2b
owncloud: automatically set it up with an administrator account that even the box owner doesn't have access to, because we do not want to have the user hit ownCloud's setup page on first visit
2014-08-15 23:07:20 +00:00
Joshua Tauberer
ca45c88a32
owncloud: set forcessl to be true to get the correct HSTS header (would be better if we could prevent ownCloud from sending one)
2014-08-15 22:32:01 +00:00
Joshua Tauberer
5ecbaa2b41
Merge branch 'owncloud' of github.com:jkaberg/mailinabox into owncloud
2014-08-15 18:30:17 -04:00
Joshua Tauberer
a10b828d5c
when modifying php.ini, use ; as the comment char not # because php emits horrid deprecation warnings otherwise
2014-08-15 18:29:05 -04:00
jkaberg
7024b428ad
increased timeouts so that owncloud properly loads with larger db
2014-08-13 07:30:32 +02:00
Joshua Tauberer
d03bc0cefa
more owncloud configuration tweaks
2014-08-13 00:30:09 +00:00
Joshua Tauberer
05cc63b5d5
Merge branch 'owncloud' of github.com:jkaberg/mailinabox into owncloud
...
Conflicts:
conf/nginx.conf
setup/zpush.sh
2014-08-12 23:10:51 +00:00
jkaberg
e828dd63e1
auto enable apps in owncloud (FINAL COMMIT!)
2014-08-12 16:45:36 +02:00
jkaberg
b92033cafe
install fpm instead of cgi
2014-08-12 15:39:45 +02:00
Joshua Tauberer
c9bf57eacd
Merge branch 'master' into owncloud (php5-fpm)
2014-08-12 13:30:55 +00:00
Joshua Tauberer
791e68a3af
automate more of the initial configuration
2014-08-12 13:29:44 +00:00
Joshua Tauberer
4d64246b22
tweak z-push/owncloud installation scripts: hide output, check if z-push needs an update, don't use /etc/timezone because its contents would need to be escaped before being passed into sed
2014-08-12 13:29:44 +00:00
Joshua Tauberer
9d6dc78b15
keep Roundcube working too, put owncloud at /cloud rather than at /
2014-08-12 13:29:43 +00:00
jkaberg
57a441a547
small script to update the mail app
2014-08-12 15:27:37 +02:00
jkaberg
afb09a84b7
use tools/editconf.py to edit php.ini for large file uploads
2014-08-12 14:00:28 +02:00
jkaberg
7396785a9a
install php5-xsl as carddav is dependent on it
2014-08-12 13:22:34 +02:00
Joshua Tauberer
cf4f519cc0
zpush/owncloud: inject mail using 'sendmail' not SMTP
2014-08-12 11:18:45 +00:00
jkaberg
654c200709
properly escape $
2014-08-12 13:12:57 +02:00
Joshua Tauberer
0eceb2012f
use php5-fpm rather than our own custom launcher script for PHP+FastCGI
2014-08-12 11:00:54 +00:00
jkaberg
9f5fd6b474
fix user_backends array
2014-08-12 12:33:42 +02:00
jkaberg
5cf2965633
tls instead of ssl
2014-08-12 12:04:27 +02:00
jkaberg
e8a1837d02
properly set correct timezone
2014-08-12 12:01:18 +02:00
jkaberg
7ba79effae
moved TODO
2014-08-12 11:02:13 +02:00
jkaberg
9d41530232
clarifications
2014-08-12 10:10:53 +02:00
jkaberg
a6ba2da68b
create a no-reply user to use with SMTP from ownCloud
2014-08-12 10:09:44 +02:00
jkaberg
17c4edb58d
add cron job for owncloud
2014-08-12 09:24:49 +02:00
jkaberg
7b5ebb093f
properly chmod HTMLPurifier
2014-08-12 02:04:38 +02:00
jkaberg
2d74fad947
restart using php5-fpm
2014-08-12 01:26:51 +02:00
jkaberg
01d7d4e860
restart using php5-fpm
2014-08-12 01:15:17 +02:00
jkaberg
bfbd85183e
hide_output doesn't work
2014-08-12 00:49:26 +02:00
jkaberg
1e91cb0683
well that didn't work..
2014-08-12 00:44:54 +02:00
jkaberg
bc48e7d871
proper indentation
2014-08-12 00:33:13 +02:00
jkaberg
881b693cd4
use memcache with owncloud
2014-08-12 00:10:52 +02:00
jkaberg
54fe92615b
include php-libawl and cleanup
2014-08-11 23:43:16 +02:00
jkaberg
f287ca3b6c
don't replace owncloud config if it exists (we don't want this as it will contain vital data)
2014-08-11 23:01:18 +02:00
jkaberg
a80c076d8f
safe approach, sid doesn't like special characters like %
2014-08-11 19:42:52 +02:00
jkaberg
1621a2940f
use sub dir
2014-08-11 19:31:05 +02:00
jkaberg
cc8e1fa7b7
set working dir for composer
2014-08-11 19:09:42 +02:00
jkaberg
d53cb88a92
update z-push with carddav and caldav support
2014-08-11 19:08:02 +02:00
jkaberg
3540a1677d
install php5-imap, restart php service
2014-08-11 17:59:04 +02:00
jkaberg
bc0c0bf0fb
owncloud config.php markup
2014-08-11 17:53:01 +02:00
jkaberg
51bb781ffd
fix composer.phar not finding the composer.json file
2014-08-11 17:44:30 +02:00
jkaberg
d324f0981a
cleanup owncloud.sh
2014-08-11 17:08:13 +02:00
jkaberg
0899952fe1
initial owncloud port, untested and unfinished
2014-08-11 16:24:29 +02:00
Joshua Tauberer
140c508ff6
increase dovecot imap_idle_notify_interval to 4 minutes
...
Doesn't seem like 2 minutes is a problem, but 4 minutes seems better. A little less bandwidth, possibly less battery usage (though we don't have evidence that's actually true), and the interval should be shorter than any peer timeouts that might occur due to inactivity
fixes #129
2014-08-10 11:39:29 +00:00
Joshua Tauberer
b56f82cb92
make a privileges column in the users table and mark the first user as an admin
2014-08-08 12:31:22 +00:00
Joshua Tauberer
880ec44a0c
if the machine didn't have resolvconf before (my box didn't after an upgrade from Ubuntu 13.xx), make sure it has it now and archive any old resolv.conf since it should now only list 127.0.0.1 for bind9
2014-08-07 14:00:16 +00:00
Joshua Tauberer
5db12be507
migrate the migration state from MIGRATIONID in /etc/mailinabox.conf to STORAGE_ROOT/mailinabox.version so that the data format of STORAGE_ROOT is stored in the directory itself
2014-08-03 17:44:17 -04:00
Joshua Tauberer
64cb00b9d6
add reject_unlisted_recipient before greylisting, fixes #127
2014-08-03 00:06:54 +00:00
Joshua Tauberer
b86656243f
avoid mail.log warnings about untrusted certificates on outgoing mail, fixes #124
2014-08-02 15:39:47 +00:00
Joshua Tauberer
cd59025979
don't ask the user for the machine's IP address if we can be sure our guess is right (trust icanhazip to give us the right answer)
2014-07-29 20:07:26 -04:00
Joshua Tauberer
0be92d776e
put a 15-second timeout in asking icanhazip.com for our IP address, although this limit does not seem to actually work (i.e. if I set the limit to 5 seconds, curl still hangs 10+ when I turn off my network connection)
2014-07-29 20:07:26 -04:00
Joshua Tauberer
168c06939d
have nsd bind to the network interface that is connected to the Internet, rather than all non-loopback network interfaces
...
hopefully fixes #121 ; thanks for the help @sfPlayer1
2014-07-29 20:07:26 -04:00
Joshua Tauberer
c74bef12d2
allow for network checks to be skipped in setup while testing using SKIP_NETWORK_CHECKS=1
2014-07-29 20:07:26 -04:00
Joshua Tauberer
6619239280
the SSL private key would be overwritten if ssl_certificate.pem file was deleted; maybe the cause of #98
2014-07-28 15:38:23 -04:00
Joshua Tauberer
834a7b9096
run network checks during setup and stop if there is a bad condition
...
* check that the PUBLIC_IP is not listed in zen.spamhaus.org
* check that the PRIMARY_HOSTNAME is not listed in dbl.spamhaus.org
* check that a connection to Google's MTA is working (i.e. we're not on a residential network that blocks outbound port 25)
2014-07-26 11:26:59 -04:00
Joshua Tauberer
86ec0f6da7
the cron job to re-sign DNSSEC zones was still not working because the script needed a hash-bang line; what I did in 65c3a44e63 didn't actually fix the problem
2014-07-25 12:15:30 +00:00
Joshua Tauberer
f50cf10249
also accept Ubuntu 14.04.1 LTS, the point release that people are automatically pushed to
...
fixes #116
2014-07-22 21:36:59 +00:00
Joshua Tauberer
621fcc2233
use /dev/random for crypto-grade RNG with the help of haveged
...
Rather than pass `-r /dev/random` to ldns-keygen (it was `-r /dev/urandom`),
don't pass `-r` at all since /dev/random is the default.
Merges branch 'master' of github.com:pysiak/mailinabox
2014-07-21 07:31:14 -04:00
solt
69f0e1d07a
Use /dev/random instead of /dev/urandom
...
/dev/random should be used for crypto-grade RNG.
To make sure use of /dev/random doesn't stall due to lack of entropy, install haveged which fills the entropy pool with sources such as network traffic, key strokes, etc.
On branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
modified: setup/dns.sh
modified: setup/system.sh
modified: setup/webmail.sh
2014-07-20 23:14:13 +02:00
Joshua Tauberer
65c3a44e63
the cron job to re-sign DNSSEC zones wasn't working after adding the API key to the management daemon because the script relied on a bash-ism but cron runs it with (probably) sh
2014-07-19 16:31:05 +00:00
Joshua Tauberer
91cf45c843
add a comment
2014-07-16 09:39:13 -04:00
Joshua Tauberer
023cd12e1a
hide lots of unnecessary and scary output during setup
2014-07-16 09:36:56 -04:00
Joshua Tauberer
465aaf2d30
check that we're running as root before doing anything
2014-07-16 09:36:31 -04:00
Joshua Tauberer
5a4f5b1874
move the welcome message to after the system checks
2014-07-16 09:36:31 -04:00
Joshua Tauberer
c716fd27bf
refuse to start if the system has less than 768 MB of RAM, except when testing within Vagrant
2014-07-16 09:36:31 -04:00
Joshua Tauberer
4e5b5f2852
Vagrant typo
2014-07-16 09:36:31 -04:00
h8h
9b887d2e63
Use $STORAGE_ROOT
...
Better to use $STORAGE_ROOT instead of hardcoded /home/user-data/
2014-07-16 15:33:40 +02:00
Joshua Tauberer
fb357dee33
add z-push to the start script
2014-07-12 00:04:56 +00:00
Joshua Tauberer
2a7669a0d3
z-push: an Exchange ActiveSync server
2014-07-12 00:02:32 +00:00
Joshua Tauberer
67c7391546
Roundcube's classic skin is nicer
2014-07-11 21:52:46 +00:00
Joshua Tauberer
85bd2c8804
use the Dovecot managesieve service to manage sieve scripts
...
This lets roundcube's managesieve plugin do cool things like vacation responses.
Also:
* Run the spam filtering sieve script out of a global sieve file that we'll place in /etc/dovecot. It is no longer necessary to create per-user sieve files for this. Remove them with a new migration. Remove the code that created them.
* Corrects the spam script. Backslashes were double-escaped probably because this script started embedded within the bash script. Not sure how this was working until now.
this adapts work by @h8h in #103
2014-07-10 23:09:07 +00:00
Joshua Tauberer
e713af5f5a
refactor the mail setup scripts
...
As the scripts keep growing, it's time to split them up to
keep them understandable.
This splits mail.sh into mail-postfix.sh, mail-dovecot.sh,
and mail-users.sh, which has all of the user database-related
configurations shared by Dovecot and Postfix. Also from
spamassassin.sh the core sieve configuration is moved into
mail-dovecot.sh and the virtual transport setting is moved
into mail-postfix.sh.
Also revising one of the sed scripts in mail-dovecot to
not insert a new additional # at the start of a line each
time the script is run.
2014-07-10 12:49:28 +00:00
Joshua Tauberer
6f51b49671
remove the hard-coded migration ID from setup.sh
2014-07-10 12:49:19 +00:00
Joshua Tauberer
41b3df6d78
manage hostmaster@ and postmaster@ automatically, create administrator@ during setup instead
...
closes #94
2014-07-09 19:30:17 +00:00
Joshua Tauberer
3bab63d4ce
update to Roundcube 1.0.1
2014-07-08 00:37:53 +00:00
Joshua Tauberer
3d4eadd436
the new migration management in c8856f107d left out the part where we actually keep the system's current MIGRATIONID... it was being lost when setup/start.sh was re-run
2014-07-07 11:29:21 +00:00
Joshua Tauberer
cf7053c124
set nginx server_names_hash_bucket_size to 64, fixes #93
2014-07-07 11:23:41 +00:00
Joshua Tauberer
c8856f107d
migrate the SSL certificates path for non-primary certs to a new layout using a new migration script
2014-06-30 20:41:29 +00:00
Joshua Tauberer
b5aa1b0f31
walk the user through choosing the PRIMARY_HOSTNAME by first asking for their email address
2014-06-30 10:20:58 -04:00
Joshua Tauberer
fed5959288
s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout
2014-06-30 09:15:36 -04:00
Joshua Tauberer
573faa2bf5
install the backup script as a daily cron job
2014-06-26 10:46:22 +00:00
Joshua Tauberer
f8cd2bb805
typo: www/default/index.html would be overwritten if it already exists
2014-06-23 19:43:19 +00:00
Joshua Tauberer
1dec8c65ce
move the SSH password login check into whats_next.py (it used to be in start.sh and then moved to an unused script when it became a problem for Vagrant)
2014-06-23 19:39:20 +00:00
Joshua Tauberer
d4ce50de86
new tool to purchase and install a SSL certificate using Gandi.net's API
2014-06-23 10:53:29 +00:00
Joshua Tauberer
45e93f7dcc
strengthen the cyphers and protocols allowed by Dovecot and Postfix submission
2014-06-22 19:03:11 +00:00
Joshua Tauberer
4668367420
first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc.
2014-06-22 15:54:22 +00:00
Joshua Tauberer
ec6c7d84c1
don't ask for a CSR country code on second runs because the CSR is already generated and any new country code won't be used anyway
2014-06-22 15:36:14 +00:00
Michael Kropat
d100a790a0
Remove API_KEY_FILE setting
2014-06-22 08:45:29 -04:00
Michael Kropat
554a28479f
Merge remote-tracking branch 'upstream/master' into mgmt-auth
...
Conflicts:
management/daemon.py
2014-06-21 21:29:25 -04:00
Michael Kropat
88e496eba4
Update setup scripts to auth against the API
2014-06-22 00:02:52 +00:00
Michael Kropat
067052d4ea
Add key-based authentication to management service
...
Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service.
2014-06-21 23:42:48 +00:00