d4ce50de86
new tool to purchase and install a SSL certificate using Gandi.net's API
2014-06-23 10:53:29 +00:00
30c416ff6e
rename the new checklist script to whats_next.py
2014-06-23 00:11:24 +00:00
5aa09c3f9b
let the user override some DNS records in a different way
...
Moved the configuration to a single YAML file, rather than one per domain, to be clearer.
re-does 33f06f29c1
2014-06-22 19:33:30 +00:00
45e93f7dcc
strengthen the cyphers and protocols allowed by Dovecot and Postfix submission
2014-06-22 19:03:11 +00:00
343886d818
add mail alias checks and other cleanup
2014-06-22 16:28:55 +00:00
deab8974ec
if we handle mail for both a domain and any subdomain, only create a zone for the domain and put the subdomain's DNS records in the main domain's zone file
2014-06-22 16:24:15 +00:00
4668367420
first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc.
2014-06-22 15:54:22 +00:00
ec6c7d84c1
dont ask for a CSR country code on second runs because the CSR is already generated and any new country code won't be used anyway
2014-06-22 15:36:14 +00:00
8076ce4ab9
Merge pull request #74 from mkropat/mgmt-auth
...
Add authentication to mailinabox-daemon; resolves #67
2014-06-22 11:36:04 -04:00
9e63ec62fb
Cleanup: remove env dependency
2014-06-22 08:55:19 -04:00
d100a790a0
Remove API_KEY_FILE setting
2014-06-22 08:45:29 -04:00
554a28479f
Merge remote-tracking branch 'upstream/master' into mgmt-auth
...
Conflicts:
management/daemon.py
2014-06-21 21:29:25 -04:00
064d75e261
Merge pull request #73 from mkropat/syslog-logging
...
Tell Flask to log to syslog
2014-06-21 21:22:27 -04:00
e70bc50432
README parallel sentence structure
2014-06-22 00:34:49 +00:00
bb394242ef
Update documentation to use API auth
...
The updated instruction is not very user-friendly. I think the right
solution is to wrap the `/dns` commands in a `tools/dns.py` style
script, along the lines of `tools/mail.py`.
2014-06-22 00:07:14 +00:00
88e496eba4
Update setup scripts to auth against the API
2014-06-22 00:02:52 +00:00
447399e8cd
Update mail tool to pass api key auth
2014-06-21 23:49:09 +00:00
067052d4ea
Add key-based authentication to management service
...
Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service.
2014-06-21 23:42:48 +00:00
53e15eae15
Tell Flask to log to syslog
...
- Writes Flask warnings and errors to `/var/log/syslog`
- Helps to debug issues when running in production
2014-06-21 23:25:35 +00:00
67d31ed998
move the SSL setup into its own bash script since it is used for much more than email now
2014-06-21 22:16:46 +00:00
0ab43ef4fd
have webfinger output a JSON file in STORAGE_ROOT/webfinger/(acct/..)
2014-06-21 17:08:18 +00:00
326cc2a451
obviously put our stuff in /usr/local and not /usr
2014-06-21 12:35:00 -04:00
d3cacd4a11
update test_dns
...
Don't check NS records for now because they will only appear on zones.
If a hostname is a subdomain on a zone and not itself a zone, it will
lack NS records.
Also stop testing for ADSP, which we dropped in 126ea94ccf
2014-06-21 12:32:20 -04:00
87b0608f15
test_dns: DNSSEC signing inserts empty text string components
2014-06-21 12:32:20 -04:00
85169dc960
preliminary support for webfinger
...
It just echos back the subject given to it.
2014-06-20 01:55:16 +00:00
5faa1cae71
manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for
2014-06-20 01:55:12 +00:00
a1a80b295e
update docs a bit
2014-06-18 23:12:05 -04:00
94a140a27a
linkify README
2014-06-18 23:04:06 -04:00
126ea94ccf
drop support for ADSP which since last November is no longer recommended per http://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/
2014-06-18 22:56:55 -04:00
0f72f78eea
add DNSSEC/DANE TLSA to the README
2014-06-19 02:23:07 +00:00
782ad04b10
use DANE when sending mail: if the recipient MX has a DANE TLSA record in DNS then Postfix will necessarily encrypt the mail in transport
2014-06-19 01:58:14 +00:00
95e61bc110
add DANE TLSA records to the PUBLIC_HOSTNAME's DNS
...
Postfix has a tls_security_level called "dane" which uses DNS-Based Authentication of Named Entities (DANE)
to require, if specified in the DNS of the MX host, an encrpyted connection with a known certificate.
This commit adds TLSA records.
2014-06-19 01:39:27 +00:00
699bccad80
missing spaces in nsd.conf (has no effect but looks proper)
2014-06-18 23:53:52 +00:00
afb6c26c8b
run bind9 on the loopback interface for ensuring we are using a DNSSEC-aware nameserver to resolve our own DNS queries (i.e. when sending mail) since we can't trust that the network configuration provided for us gives us a DNSSEC-aware DNS server
...
see #71
2014-06-18 19:45:47 -04:00
761fac729b
nsd.conf wasn't properly using the signed zone files
2014-06-18 23:30:35 +00:00
dd15bf4384
use a better sort order for records in DNS zone files
2014-06-17 23:34:06 +00:00
14396e58f8
dont create a separate zone for PUBLIC_HOSTNAME if it is a subdomain of another zone (hmm, this is a general principle that could apply to any two domains the box is serving)
2014-06-17 23:30:00 +00:00
33f06f29c1
let the user override some DNS records
2014-06-17 22:21:51 +00:00
88709506f8
add DNSSEC
...
* sign zones
* in a cron job, periodically re-sign zones because they expire (not tested)
2014-06-17 22:21:12 +00:00
aaa735dbfe
write nsd.conf zones in a predictable order so that we don't keep rewriting it
2014-06-12 22:28:37 -04:00
e9cde52a48
two more cases of shelling out external programs in a more secure way, see cecda9cec5
2014-06-12 21:06:04 -04:00
c925f72b0b
remove obsoleted parts of setup/dns.sh
...
Now that dns_update is a part of the management daemon, we no
longer are using STORAGE_ROOT/dns for anything.
2014-06-12 20:18:55 -04:00
e18c51293d
update News Challenge status in README
2014-06-10 18:48:12 -04:00
d28d07f78e
increase the postfix message size limit from 10MB to 128MB
2014-06-10 10:21:43 +00:00
cad868c6c9
reorganize mail.sh a little
2014-06-10 10:19:49 +00:00
8bd62aa3bc
increase duplicity's volume size from the default of 25MB to 100MB so we create fewer files
2014-06-09 13:47:41 +00:00
5490142df5
re-do the backup script to use the duplicity program
...
Duplicity will manage the process of creating incremental backups for us.
Although duplicity can both encrypt & copy files to a remote host, I really
don't like PGP and so I don't want to use that.
Instead, we'll back up to a local directory unencrypted, then manually
encrypt the full & incremental backup files. Synchronizing the encrypted
backup directory to a remote host is a TODO.
2014-06-09 09:34:52 -04:00
cecda9cec5
management: shell out external programs in a more secure way
2014-06-09 08:09:45 -04:00
70bd96f643
Merge pull request #70 from mkropat/ipv6-support
...
Support dual-stack IPv4/IPv6 mail servers
2014-06-08 19:03:33 -04:00
fb957d2de7
Populate default values before echoing help text
...
Testing showed that it may take a few seconds for the default values to
populate. If the help text is shown, “Enter the public IP address…,”
but no prompt is shown, the user may get confused and try to enter the
IP address before mailinabox has had a chance to figure out and display
a suitable default value.
2014-06-08 18:44:08 -04:00
Joshua Tauberer
Michael Kropat