Joshua Tauberer
d4ce50de86
new tool to purchase and install a SSL certificate using Gandi.net's API
2014-06-23 10:53:29 +00:00
Joshua Tauberer
30c416ff6e
rename the new checklist script to whats_next.py
2014-06-23 00:11:24 +00:00
Joshua Tauberer
5aa09c3f9b
let the user override some DNS records in a different way
...
Moved the configuration to a single YAML file, rather than one per domain, to be clearer.
re-does 33f06f29c1
2014-06-22 19:33:30 +00:00
Joshua Tauberer
45e93f7dcc
strengthen the cyphers and protocols allowed by Dovecot and Postfix submission
2014-06-22 19:03:11 +00:00
Joshua Tauberer
343886d818
add mail alias checks and other cleanup
2014-06-22 16:28:55 +00:00
Joshua Tauberer
deab8974ec
if we handle mail for both a domain and any subdomain, only create a zone for the domain and put the subdomain's DNS records in the main domain's zone file
2014-06-22 16:24:15 +00:00
Joshua Tauberer
4668367420
first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc.
2014-06-22 15:54:22 +00:00
Joshua Tauberer
ec6c7d84c1
dont ask for a CSR country code on second runs because the CSR is already generated and any new country code won't be used anyway
2014-06-22 15:36:14 +00:00
Joshua Tauberer
8076ce4ab9
Merge pull request #74 from mkropat/mgmt-auth
...
Add authentication to mailinabox-daemon; resolves #67
2014-06-22 11:36:04 -04:00
Michael Kropat
9e63ec62fb
Cleanup: remove env dependency
2014-06-22 08:55:19 -04:00
Michael Kropat
d100a790a0
Remove API_KEY_FILE setting
2014-06-22 08:45:29 -04:00
Michael Kropat
554a28479f
Merge remote-tracking branch 'upstream/master' into mgmt-auth
...
Conflicts:
management/daemon.py
2014-06-21 21:29:25 -04:00
Joshua Tauberer
064d75e261
Merge pull request #73 from mkropat/syslog-logging
...
Tell Flask to log to syslog
2014-06-21 21:22:27 -04:00
Joshua Tauberer
e70bc50432
README parallel sentence structure
2014-06-22 00:34:49 +00:00
Michael Kropat
bb394242ef
Update documentation to use API auth
...
The updated instruction is not very user-friendly. I think the right
solution is to wrap the `/dns` commands in a `tools/dns.py` style
script, along the lines of `tools/mail.py`.
2014-06-22 00:07:14 +00:00
Michael Kropat
88e496eba4
Update setup scripts to auth against the API
2014-06-22 00:02:52 +00:00
Michael Kropat
447399e8cd
Update mail tool to pass api key auth
2014-06-21 23:49:09 +00:00
Michael Kropat
067052d4ea
Add key-based authentication to management service
...
Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service.
2014-06-21 23:42:48 +00:00
Michael Kropat
53e15eae15
Tell Flask to log to syslog
...
- Writes Flask warnings and errors to `/var/log/syslog`
- Helps to debug issues when running in production
2014-06-21 23:25:35 +00:00
Joshua Tauberer
67d31ed998
move the SSL setup into its own bash script since it is used for much more than email now
2014-06-21 22:16:46 +00:00
Joshua Tauberer
0ab43ef4fd
have webfinger output a JSON file in STORAGE_ROOT/webfinger/(acct/..)
2014-06-21 17:08:18 +00:00
Joshua Tauberer
326cc2a451
obviously put our stuff in /usr/local and not /usr
2014-06-21 12:35:00 -04:00
Joshua Tauberer
d3cacd4a11
update test_dns
...
Don't check NS records for now because they will only appear on zones.
If a hostname is a subdomain on a zone and not itself a zone, it will
lack NS records.
Also stop testing for ADSP, which we dropped in 126ea94ccf
.
2014-06-21 12:32:20 -04:00
Joshua Tauberer
87b0608f15
test_dns: DNSSEC signing inserts empty text string components
2014-06-21 12:32:20 -04:00
Joshua Tauberer
85169dc960
preliminary support for webfinger
...
It just echos back the subject given to it.
2014-06-20 01:55:16 +00:00
Joshua Tauberer
5faa1cae71
manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for
2014-06-20 01:55:12 +00:00
Joshua Tauberer
a1a80b295e
update docs a bit
2014-06-18 23:12:05 -04:00
Joshua Tauberer
94a140a27a
linkify README
2014-06-18 23:04:06 -04:00
Joshua Tauberer
126ea94ccf
drop support for ADSP which since last November is no longer recommended per http://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/
2014-06-18 22:56:55 -04:00
Joshua Tauberer
0f72f78eea
add DNSSEC/DANE TLSA to the README
2014-06-19 02:23:07 +00:00
Joshua Tauberer
782ad04b10
use DANE when sending mail: if the recipient MX has a DANE TLSA record in DNS then Postfix will necessarily encrypt the mail in transport
2014-06-19 01:58:14 +00:00
Joshua Tauberer
95e61bc110
add DANE TLSA records to the PUBLIC_HOSTNAME's DNS
...
Postfix has a tls_security_level called "dane" which uses DNS-Based Authentication of Named Entities (DANE)
to require, if specified in the DNS of the MX host, an encrpyted connection with a known certificate.
This commit adds TLSA records.
2014-06-19 01:39:27 +00:00
Joshua Tauberer
699bccad80
missing spaces in nsd.conf (has no effect but looks proper)
2014-06-18 23:53:52 +00:00
Joshua Tauberer
afb6c26c8b
run bind9 on the loopback interface for ensuring we are using a DNSSEC-aware nameserver to resolve our own DNS queries (i.e. when sending mail) since we can't trust that the network configuration provided for us gives us a DNSSEC-aware DNS server
...
see #71
2014-06-18 19:45:47 -04:00
Joshua Tauberer
761fac729b
nsd.conf wasn't properly using the signed zone files
2014-06-18 23:30:35 +00:00
Joshua Tauberer
dd15bf4384
use a better sort order for records in DNS zone files
2014-06-17 23:34:06 +00:00
Joshua Tauberer
14396e58f8
dont create a separate zone for PUBLIC_HOSTNAME if it is a subdomain of another zone (hmm, this is a general principle that could apply to any two domains the box is serving)
2014-06-17 23:30:00 +00:00
Joshua Tauberer
33f06f29c1
let the user override some DNS records
2014-06-17 22:21:51 +00:00
Joshua Tauberer
88709506f8
add DNSSEC
...
* sign zones
* in a cron job, periodically re-sign zones because they expire (not tested)
2014-06-17 22:21:12 +00:00
Joshua Tauberer
aaa735dbfe
write nsd.conf zones in a predictable order so that we don't keep rewriting it
2014-06-12 22:28:37 -04:00
Joshua Tauberer
e9cde52a48
two more cases of shelling out external programs in a more secure way, see cecda9cec5
2014-06-12 21:06:04 -04:00
Joshua Tauberer
c925f72b0b
remove obsoleted parts of setup/dns.sh
...
Now that dns_update is a part of the management daemon, we no
longer are using STORAGE_ROOT/dns for anything.
2014-06-12 20:18:55 -04:00
Joshua Tauberer
e18c51293d
update News Challenge status in README
2014-06-10 18:48:12 -04:00
Joshua Tauberer
d28d07f78e
increase the postfix message size limit from 10MB to 128MB
2014-06-10 10:21:43 +00:00
Joshua Tauberer
cad868c6c9
reorganize mail.sh a little
2014-06-10 10:19:49 +00:00
Joshua Tauberer
8bd62aa3bc
increase duplicity's volume size from the default of 25MB to 100MB so we create fewer files
2014-06-09 13:47:41 +00:00
Joshua Tauberer
5490142df5
re-do the backup script to use the duplicity program
...
Duplicity will manage the process of creating incremental backups for us.
Although duplicity can both encrypt & copy files to a remote host, I really
don't like PGP and so I don't want to use that.
Instead, we'll back up to a local directory unencrypted, then manually
encrypt the full & incremental backup files. Synchronizing the encrypted
backup directory to a remote host is a TODO.
2014-06-09 09:34:52 -04:00
Joshua Tauberer
cecda9cec5
management: shell out external programs in a more secure way
2014-06-09 08:09:45 -04:00
Joshua Tauberer
70bd96f643
Merge pull request #70 from mkropat/ipv6-support
...
Support dual-stack IPv4/IPv6 mail servers
2014-06-08 19:03:33 -04:00
Michael Kropat
fb957d2de7
Populate default values before echoing help text
...
Testing showed that it may take a few seconds for the default values to
populate. If the help text is shown, “Enter the public IP address…,”
but no prompt is shown, the user may get confused and try to enter the
IP address before mailinabox has had a chance to figure out and display
a suitable default value.
2014-06-08 18:44:08 -04:00