Joshua Tauberer
b1b57f9bfd
don't try to get certs for IDNA domains and report all reasons for not fetching a certificate
...
fixes #646
2016-01-04 18:43:16 -05:00
Joshua Tauberer
b6933a73fa
provision and install free SSL certificates from Let's Encrypt
2016-01-04 18:43:16 -05:00
Joshua Tauberer
5033042b8c
backups: email the administrator when there's a problem
...
Refactor by moving the email-the-admin code out of the status checks and into a new separate tool.
This is why I suppressed non-error output of the backups last commit - so it doesn't send a daily email.
2016-01-04 18:43:02 -05:00
Joshua Tauberer
89a46089ee
backups: suppress all output except errors
2016-01-04 18:43:02 -05:00
Joshua Tauberer
e288d7730b
backups: trap an error that occurs as early as getting the current backup status
2016-01-04 18:43:02 -05:00
Joshua Tauberer
06a0e7f3fe
merge #584 - Add checks to the management interface to report memory usage
2016-01-01 18:13:21 -05:00
Joshua Tauberer
a9cd72bbf9
tighten the status text strings for free memory, add changelog entry
2016-01-01 18:12:36 -05:00
Joshua Tauberer
682b1dea5e
changelog/status checks updated for opening the sieve port
2016-01-01 17:53:05 -05:00
Joshua Tauberer
8d19eade85
clarify the backup days option, fixes #570
2015-12-26 12:04:26 -05:00
Joshua Tauberer
d53332b7cf
drop the CSR_COUNTRY setting and ask within the control panel
2015-12-26 11:48:23 -05:00
Joshua Tauberer
392d33b902
change DANE TLSA record to hash the subject public key rather than the whole certificate, which means it is good for any certificate tied to the same private key
...
Better for short-lived certificates. This is especially in preparation to using certificates from Let's Encrypt.
see #268
2015-12-26 11:01:46 -05:00
Joshua Tauberer
4305a71916
merge #587 - move backup and nightly status checks to 3am in system time
...
previously these were run in a cron.daily script which per crontab is run at 6:25 am local time
2015-12-26 08:42:58 -05:00
Joshua Tauberer
a4d8e12fd7
clean up the backup time patch: dont choose timezone here, move status checks into the same 3am script
2015-12-26 08:41:37 -05:00
Joshua Tauberer
dbf4729109
add management/backup.py --restore
2015-12-23 12:53:38 +00:00
Joshua Tauberer
6e6c993724
reword POP documentation, add to changelog/readme
2015-12-12 08:46:18 -05:00
Marius
f8b4e3775d
Update mail-guide.html (POP3)
2015-12-12 08:41:13 -05:00
Joshua Tauberer
fad69f85fa
Merge pull request #605 from ariejan/feature/604-add-rfc2142-mail-aliases
...
Add alias for abuse@
2015-12-07 15:56:51 -05:00
Ariejan de Vroom
aedfe62bb0
Add alias for abuse@
2015-12-07 16:31:58 +01:00
Joshua Tauberer
c4f00626ef
status checks: check that PRIMARY_HOSTNAME's AAAA record is working
2015-12-07 09:08:00 -05:00
Joshua Tauberer
fdad83a1bb
status checks: check IPv6 reverse DNS
2015-12-07 08:58:48 -05:00
Joshua Tauberer
5bbe9f9a04
status checks: when ipv6 is enabled, check that services are accessible over ipv6 too
2015-12-07 08:37:04 -05:00
Joshua Tauberer
7a93d219ef
some cleanup in dns_update.py
2015-11-29 14:59:35 +00:00
Joshua Tauberer
808522d895
merge functions get_web_domains and get_default_www_redirects
2015-11-29 14:46:08 +00:00
Joshua Tauberer
be9efe0273
ensure malformed ssl certificate can't cause it to be written to an arbitrary path
2015-11-29 14:04:37 +00:00
Joshua Tauberer
766b98c4ad
refactor: move SSL-related management functions into a new module ssl_certificates.py
2015-11-29 13:59:22 +00:00
Joshua Tauberer
c422543fdd
make the system SSL certificate a symlink so we never have to replace a certificate file, and flatten the directory structure of user-installed certificates
2015-11-29 02:02:01 +00:00
Joshua Tauberer
cf33be4596
fix boto 2 conflict on Google Compute Engine instances
...
GCE installs some Python-2-only boto plugin that conflicts with boto running under Python 3. It gives a SyntaxError in /usr/share/google/boto/boto_plugins/compute_auth.py (https://github.com/GoogleCloudPlatform/compute-image-packages ).
Disabling boto's default configuration file prior to importing boto so that GCE's plugin is not loaded.
See https://discourse.mailinabox.email/t/500-internal-server-error-for-admin/942 .
2015-11-26 14:51:44 +00:00
Joshua Tauberer
161d096139
add a way to dump backup status from the command line
2015-11-26 14:34:07 +00:00
Michael Kroes
59f8aa1c31
Add checks to the management interface to report memory usage
2015-11-20 01:48:59 -05:00
Joshua Tauberer
59e9952a61
the explanatory text for setting up secondary nameservers was hidden until a secondary nameserver is added, so that wasn't helpful
2015-11-19 07:00:32 -05:00
yodax
280de022cb
Change order in which service stop
2015-11-17 05:22:42 -05:00
yodax
fa1cad7fb2
During the backup you will get login failures which will confuse iOS, so it is better to stop php-fpm as well
2015-11-17 02:57:14 -05:00
Joshua Tauberer
1926bfa1c5
all DNS queries should have a timeout, fixes #591
2015-11-11 12:25:55 +00:00
Sheldon Rupp
96b02e68ee
Change 'Wosign' to 'WoSign'
2015-11-08 21:31:43 +01:00
Joshua Tauberer
ac238b9d28
dont run secondary nameserver checks if the zone's nameservers aren't correct to begin with, possibly because the user is using external DNS, see #582
2015-11-05 11:09:15 +00:00
Joshua Tauberer
3fd1279e7d
...but then also have to compare against the intended IP address, which might have a custom override, see #582
2015-11-03 12:06:03 +00:00
Joshua Tauberer
3bc38c89ab
secondary NS status checks in 3b91bc2c0a
should not be skipped if the target IP address has been modified by a custom record
...
see #582
2015-11-03 06:48:04 -05:00
Joshua Tauberer
d0062b7de4
Merge pull request #572 from OmgImAlexis/patch-1
...
Added wosign as a suggested free SSL provider.
2015-10-31 14:57:13 -04:00
Joshua Tauberer
3b91bc2c0a
if secondary nameservers are given, status checks now check they are serving the right info
2015-10-22 10:58:36 +00:00
Joshua Tauberer
4c4babd9e7
experimentally scanning the mail log to see if we can infer a good time to take a backup
2015-10-22 10:35:14 +00:00
Joshua Tauberer
274e5ca676
let dovecot automatically create mailbox folders rather than doing it manually in the management daemon, fixes #554
2015-10-18 11:55:27 +00:00
Peter Timofejew
1bdfdbee89
Added 'Sent' folder when creating user.
2015-10-12 09:43:35 -04:00
X O
ebffaab16a
Added wosign as a suggest free SSL provider.
2015-10-11 11:33:18 +10:30
Joshua Tauberer
6c8ee1862a
use subresource integrity attributes to guard against CDNs being used as an attack vector; drop external resources that we can't protect this way (fonts); fixes #234
2015-09-18 19:04:28 +00:00
Joshua Tauberer
787beab63f
choose the best SSL cert from among the installed certificates; use the server certificate instead of self-signed certificates
...
For HTTPS for the non-primary domains, instead of selecting an SSL certificate by expecting it to be in a directory named after the domain name (with special-case lookups
for www domains, and reusing the server certificate where possible), now scan all of the certificates that have been installed and just pick the best to use for each domain.
If no certificate is available, don't create a self-signed certificate anymore. This wasn't ever really necessary. Instead just use the server certificate.
2015-09-18 13:25:18 +00:00
Joshua Tauberer
58349a9410
when updating DNS, clear the local DNS cache
2015-09-18 13:00:53 +00:00
Joshua Tauberer
93c2258d23
let the HSTS header be controlled by the management daemon so some domains can choose to enable preload
2015-09-08 21:20:50 +00:00
Joshua Tauberer
d60d73b7e0
status checks: dont error if there's a domain that dns_update hasn't been run yet on
2015-09-06 13:27:35 +00:00
Joshua Tauberer
6704da1446
silence errors in the admin if there is an invalid domain name in the database
...
see #531
2015-09-06 13:27:28 +00:00
Joshua Tauberer
4f6fa40dbd
warn in status checks if a custom DNS record has been set on a domain that would normally serve web and as a result that domain no longer is serving web
2015-09-05 20:07:51 +00:00
Joshua Tauberer
104b804059
if a custom DNS record exists for a web-serving domain and the record is just the box's IP address, don't skip this domain for serving web
2015-09-05 20:07:51 +00:00
Joshua Tauberer
75a75a6f84
admin: rename my ajax javascript function to ajax_with_indicator; see 79c57c2303
2015-09-04 18:40:56 -04:00
Joshua Tauberer
2e99589336
admin: fix jumpyness when a modal is shown (move overflow-y to body; make the navbar not fixed to top)
2015-09-04 22:21:10 +00:00
Joshua Tauberer
188b21dd36
bump bootstrap to 3.3.5 and jquery to 1.11.3 on the admin
2015-09-04 22:13:56 +00:00
Joshua Tauberer
0cf56e0aad
add a random password generator to the users page of the admin
2015-09-04 22:12:07 +00:00
Joshua Tauberer
c5082498ab
utils.py can't import non-standard modules because it is imported by migrate.py, which is run before anything is installed
...
closes #540
2015-08-30 13:50:34 -04:00
Richard Willis
ab59323813
Added a note about TXT record length limitations and how to construct the records to bypass the limitation
2015-08-28 15:50:02 +02:00
Joshua Tauberer
a56a9dc6a1
add Mail-in-a-Box version check to status checks
...
closes #502
2015-08-28 12:34:02 +00:00
Joshua Tauberer
bc790ea581
backups: make the instructions about the backup password file more prominent
2015-08-28 12:33:07 +00:00
Joshua Tauberer
dbfd158388
dont refresh the backup page when there's an error saving the config
2015-08-28 12:33:07 +00:00
Joshua Tauberer
2b1f7da654
S3 credentials for backup should not be displayed in the control panel, fixes #529
2015-08-28 12:33:07 +00:00
Joshua Tauberer
0c9d431a3f
major cleanup to adding new version check to the status checks
2015-08-28 12:29:55 +00:00
Norman Stanke
1a525df8ad
Add Mail-in-a-Box version status check.
2015-08-28 11:55:21 +00:00
Richard Willis
f26c0b71d2
Focus on fields in the login form
...
This just makes life a little easier...
Squashed the following commits:
* Use $.trim() for better browser support
2015-08-27 22:17:13 +02:00
Joshua Tauberer
a8074ae3e4
suppress some status output regarding new automatic aliases on first installation
2015-08-19 16:30:32 -04:00
Joshua Tauberer
cfc4e6b48b
automatic administrator aliases are probably not bidirectional because the administrator@ address is an alias and not a user
2015-08-19 16:06:09 -04:00
root
39270a8e35
fix problem with certificate verification on OpenVZ servers
2015-08-15 17:32:40 +02:00
Joshua Tauberer
8c08f957cd
bidirectional alias controls: a new permitted_senders column in the aliases table allows setting who can send as an address independently of where the address forwards to
...
But the default permitted senders are the same as the addresses the alias forwards to.
Merge branch 'dhpiggott-bidirectional-alias-controls'
2015-08-14 23:09:22 +00:00
Joshua Tauberer
5924d0fe0d
various cleanup related to the new permitted_senders column for aliases
2015-08-14 23:05:08 +00:00
Joshua Tauberer
848dea83ab
additional error handling for backups with an invalid target
2015-08-12 11:19:59 +00:00
Leo Koppelkamm
f96bef43cc
If no prefix is specified, set the path to '', otherwise boto won't list the files
2015-08-11 13:54:30 +02:00
Joshua Tauberer
f4e8ee0af9
html errors in the backup template, my bad
2015-08-09 20:34:08 +00:00
Joshua Tauberer
9ca116d545
add an option to disable backups
2015-08-09 20:15:43 +00:00
Joshua Tauberer
cdd3a64638
after-backup was run with the wrong environment
2015-08-09 20:08:33 +00:00
Joshua Tauberer
99e51f8a52
use boto to get actual file sizes of backup files when S3 is used
2015-08-09 20:08:33 +00:00
Joshua Tauberer
3b4b57c081
switching between backup options in the admin wasn't working at all
...
* going from s3 to file target wasn't working
* use 'local' in the config instead of a file: url, for the local target, so it is not path-specific
* break out the S3 fields since users can't be expected to know how to form a URL
* use boto to generate a list of S3 hosts
* use boto to validate that the user input for s3 is valid
* fix lots of html errors in the backup admin
2015-08-09 20:08:33 +00:00
Joshua Tauberer
c7f8ead496
clean up the new backup configuration panel
2015-08-09 20:08:30 +00:00
Joshua Tauberer
3f15879578
remove global variables in backup.py
2015-08-09 17:54:46 +00:00
Leo Koppelkamm
1cdd205eb7
Missed one max_age
2015-07-28 20:58:39 +02:00
Leo Koppelkamm
77099b3bce
Reword backup min_time label
2015-07-28 00:42:00 +02:00
Leo Koppelkamm
0d8a4099c1
Add placeholder attribute; use input instead of textarea
2015-07-28 00:37:48 +02:00
Leo Koppelkamm
606cf6a941
Fix API typo
2015-07-28 00:34:26 +02:00
Leo Koppelkamm
ba9065cada
Don't write collection_status output to file but parse it directly
2015-07-27 22:30:22 +02:00
Leo Koppelkamm
e693802091
Rename max_age to min_age
...
Also clarify a comment and remove an unneeded type check
2015-07-27 22:18:19 +02:00
Leo Koppelkamm
fa0dd684da
Add archive-dir argument to collection-status
2015-07-27 22:13:28 +02:00
Leo Koppelkamm
43fb7fe635
Remove unused variable
2015-07-27 22:11:43 +02:00
Leo Koppelkamm
91e4ea6e2f
Infer target_type from url
2015-07-27 22:09:58 +02:00
Leo Koppelkamm
1e3e34f15f
Make backup API RESTful
2015-07-27 22:00:36 +02:00
Leo Koppelkamm
2e6c410336
Make backups more configurable
...
Backup location and maximum age can now be configured in the admin panel.
For now only S3 is supported, but adding other duplicity supported backends should be straightforward.
2015-07-27 21:53:34 +02:00
Joshua Tauberer
0293e04311
fix control panel links, broken in Firefox (worked in Chrome)
...
see https://discourse.mailinabox.email/t/bug-present-for-ages/694/3
2015-07-25 14:12:45 +00:00
Joshua Tauberer
1900e512f2
improve the sort order of domains - siblings to the primary hostname were not sorted right
2015-07-21 11:25:11 +00:00
David Piggott
123ac4fd33
s/email/address/ in aliases UI variable names
...
This makes the frontend consistent with the backend.
2015-07-20 12:51:57 +01:00
David Piggott
423bb8e317
Fix remove-alias button breakage
2015-07-20 12:51:57 +01:00
David Piggott
e6ff280984
Store and set alias receivers and senders separately for maximum control
2015-07-20 12:51:57 +01:00
David Piggott
3fdfad27cd
Add support for bidirectional mail alias controls
...
This is an extension of #427 . Building on that change it adds support in the
aliases table for flagging aliases as:
1. Applicable to inbound and outbound mail.
2. Applicable to inbound mail only.
3. Applicable to outbound mail only.
4. Disabled.
The aliases UI is also updated to allow administrators to set the direction of
each alias.
Using this extra information, the sqlite queries executed by Postfix are
updated so only the relevant alias types are checked.
The goal and result of this change is that outbound-only catch-all aliases can
now be defined (in fact catch-all aliases of any type can be defined).
This allow us to continue supporting relaying as described at
https://mailinabox.email/advanced-configuration.html#relay
without requiring that administrators either create regular aliases for each
outbound *relay* address, or that they create a catch-all alias and then face a
flood of spam.
I have tested the code as it is in this commit and fixed every issue I found,
so in that regard the change is complete. However I see room for improvement
in terms of updating terminology to make the UI etc. easier to understand.
I'll make those changes as subsequent commits so that this tested checkpoint is
not lost, but also so they can be rejected independently of the actual change
if not wanted.
2015-07-20 12:51:57 +01:00
Joshua Tauberer
d3bbc0ec95
bug in new secondary nameservers
...
forgot a 'continue' statement
see 216acb0eeb
fixes #497
2015-07-20 11:25:16 +00:00
Joshua Tauberer
541d9252f6
allow PEM files to have non-Unix line endings
2015-07-17 11:44:28 +00:00
PortableTech
415f95b792
Add TLSA record for HTTPS connections.
...
While not widely supported, there are some browser addons that can
validate DNSSEC and TLSA for additional out-of-band verification of
certificates when browsing the web. Costs nothing to implement and
might improve security in some situations.
2015-07-13 09:12:13 -04:00
Joshua Tauberer
5dd5fc4a1c
clean up multiple secondary nameservers and zone xfr ip addresses
2015-07-10 15:42:33 +00:00
Brian Bustin
09133c8f59
Initial backend changes to make it possible to have one or more secondary name servers
2015-07-10 14:59:38 +00:00