Commit Graph

76 Commits

Author SHA1 Message Date
Joshua Tauberer e294f7c181 create the Drafts folder for users so K-9 mail doesn't poll unnecessarily, see #129 2014-08-09 16:49:57 +00:00
Joshua Tauberer b56f82cb92 make a privileges column in the users table and mark the first user as an admin 2014-08-08 12:31:22 +00:00
Joshua Tauberer 6a512042dc after creating the local encrypted backup, execute the after-backup script if the user has provided one to copy the files to a remote location 2014-08-02 14:16:08 +00:00
Joshua Tauberer 6d4fab1e6a whats_next: offer DNSSEC DS parameters rather than the full record and in validation allow for other digests than the one we suggest using
fixes #120 (hopefully), in which Gandi generates a SHA1 digest but we were only checking against a SHA256 digest

Also see http://discourse.mailinabox.email/t/how-to-set-ds-record-for-gandi-net/24/1 in which a user asks about the DS parameters that Gandi asks for.
2014-08-01 12:15:05 +00:00
Joshua Tauberer 30178ef019 add a --force flag to dns_update 2014-08-01 12:05:34 +00:00
Joshua Tauberer 168c06939d have nsd bind to the network interaface that is connected to the Internet, rather than all non-loopback network interfaces
hopefully fixes #121; thanks for the help @sfPlayer1
2014-07-29 20:07:26 -04:00
Joshua Tauberer 8042ab66ac dont serve web for domains with custom DNS records that point A/AAAA elsewhere, and in whats_next only check that an A record exists on a domain if we are serving web on the domain 2014-07-20 15:23:17 +00:00
Joshua Tauberer 8354d9732a in the custom DNS yaml config, treat 'local' as an alias for the box's own IP/IPv6 addresses 2014-07-20 14:53:55 +00:00
Joshua Tauberer 1ad9c70887 refactor custom DNS records 2014-07-20 14:48:20 +00:00
Joshua Tauberer 2e0680de4f the check for whether a custom DNS setting is valid was in the wrong place 2014-07-20 14:41:02 +00:00
sfPlayer1 89acbe4127 Update dns_update.py
Add new extra bool parameter.
2014-07-18 13:05:32 +02:00
sfPlayer1 0e893626c8 Add IPv6 glue records as well
The dns_update script didn't generate IPv6 (AAAA) glue records for the name servers.

This caused http://dnscheck.pingdom.com to complain about a mismatch between the glue records reported by the parent name server and mailinabox nsd.

Here's the failing dnscheck output for reference:
> Checking glue for ns1.my.domain.tld (1.2.3.4).
> Child glue for bgwe.eu found: ns1.my.domain.tld (1.2.3.4)
> Checking glue for ns1.my.domain.tld (1234::1).
> Missing glue at child: ns1.my.domain.tld
> Checking glue for ns2.my.domain.tld (1.2.3.4).
> Child glue for bgwe.eu found: ns2.my.domain.tld (1.2.3.4)
> Checking glue for ns2.my.domain.tld (1234::1).
> Missing glue at child: ns2.my.domain.tld

I'm not very familiar with Python and DNS, please verify ;)
2014-07-18 13:03:09 +02:00
Joshua Tauberer 42c891032d don't create a www. subdomain on any domains that are themselves subdomains within a zone, i.e. don't create www.PUBLIC_HOSTNAME if PUBLIC_HOSTNAME is a subdomain of another domain, which is what we normally recommend 2014-07-17 13:08:05 +00:00
Joshua Tauberer d7a9e7cc17 run management/dns_update.py from the console to dump the DNS records, with explanations, in case the user wants to host DNS off of the box 2014-07-17 13:08:05 +00:00
Joshua Tauberer 7803ac9ca4 write explanatory text as we build DNS zones so we can help the user manage DNS off of the box 2014-07-17 13:08:05 +00:00
Joshua Tauberer eac349187d whats_next: move the admin alias check to the system section 2014-07-16 09:36:56 -04:00
Joshua Tauberer 9c7d476915 re-do catch-all aliases, fixes #107 (originally #104)
This reverts pull request #105 from jonessen96/master (84d2023f94) which was incorrect because it lost the "+" in DOT_ATOM_TEXT and so was not accepting any email addresses.

Am taking the opportunity to make the code cleaner while I'm here.
2014-07-13 12:29:43 +00:00
Jonas Platte c35252720f Prohibited usage of empty local part for validate_email(email, strict = true) 2014-07-12 22:57:38 +02:00
Jonas Platte 70e4e7f7be Fixed validate_email not accepting catchalls (empty local part of the address) 2014-07-12 03:22:55 +02:00
Joshua Tauberer 85bd2c8804 use the Dovecot managesieve service to manage sieve scripts
This lets roundcube's manageseive plugin do cool things like vacation responses.

Also:

* Run the spam filtering sieve script out of a global sieve file that we'll place in /etc/dovecot. It is no longer necessary to create per-user sieve files for this. Remove them with a new migration. Remove the code that created them.

* Corrects the spam script. Backslashes were double-escaped probably because this script started embedded within the bash script. Not sure how this was working until now.

this adapts work by @h8h in #103
2014-07-10 23:09:07 +00:00
Joshua Tauberer 41b3df6d78 manage hostmaster@ and postmaster@ automatically, create administrator@ during setup instead
closes #94
2014-07-09 19:30:17 +00:00
Joshua Tauberer 22a010ecb9 say that certificates are valid too in output 2014-07-09 16:38:56 +00:00
Joshua Tauberer 659b5c8aa3 if the server certificate can be used for a non-primary domain, use it 2014-07-09 16:38:42 +00:00
Joshua Tauberer 6c70b10c15 tell users to restart nginx after plugging in a new cert 2014-07-09 14:05:59 +00:00
Joshua Tauberer deebda06e1 utils.sort_domains wasn't right 2014-07-09 12:35:12 +00:00
Joshua Tauberer 1a74b81f44 new nginx configuration yaml file to allow proxying of whole domains elsewhere 2014-07-09 12:31:32 +00:00
Joshua Tauberer 04e30ffa78 check that the installed certificate corresponds to the private key 2014-07-08 15:47:54 +00:00
Joshua Tauberer 59a9d02fa5 check that installed certificates are for the domains we are using the certificates for 2014-07-07 12:06:11 +00:00
Joshua Tauberer 65fb65ada7 an mx record may be missing if the A record matches the A record of PRIMARY_HOSTNAME 2014-07-07 02:35:45 +00:00
Joshua Tauberer 28e254fb84 whats_next: Allow the PRIMARY_HOSTNAME to not have an MX because the default value means the domain itself, which is what we want anyway 2014-07-07 02:35:45 +00:00
Joshua Tauberer e898cd5d2a whats_next: wrap output to the actual width of the terminal 2014-07-07 02:35:45 +00:00
Joshua Tauberer 6a231d4409 clarify that an SSL cert can remain self-signed on the non-primary domains if the domain isn't being used for web 2014-07-07 02:35:45 +00:00
Joshua Tauberer 49d5561933 when adding/removing mail addresses also update nginx's config 2014-07-06 12:16:50 +00:00
Joshua Tauberer c8856f107d migrate the SSL certificates path for non-primary certs to a new layout using a new migration script 2014-06-30 20:41:29 +00:00
Joshua Tauberer 06ba25151f get_domain_ssl_files returned the wrong path for the CSR for PRIMARY_HOSTNAME 2014-06-30 19:49:41 +00:00
Joshua Tauberer b5aa1b0f31 walk the user through choosing the PRIMARY_HOSTNAME by first asking for their email address 2014-06-30 10:20:58 -04:00
Joshua Tauberer fed5959288 s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout 2014-06-30 09:15:36 -04:00
Joshua Tauberer 87f001a5d5 some comments 2014-06-24 03:24:41 +00:00
Joshua Tauberer 1dec8c65ce move the SSH password login check into whats_next.py (it used to be in start.sh and then moved to an unused script when it became a problem for Vagrant) 2014-06-23 19:39:20 +00:00
Joshua Tauberer d4ce50de86 new tool to purchase and install a SSL certificate using Gandi.net's API 2014-06-23 10:53:29 +00:00
Joshua Tauberer 30c416ff6e rename the new checklist script to whats_next.py 2014-06-23 00:11:24 +00:00
Joshua Tauberer 5aa09c3f9b let the user override some DNS records in a different way
Moved the configuration to a single YAML file, rather than one per domain, to be clearer.

re-does 33f06f29c1
2014-06-22 19:33:30 +00:00
Joshua Tauberer 343886d818 add mail alias checks and other cleanup 2014-06-22 16:28:55 +00:00
Joshua Tauberer deab8974ec if we handle mail for both a domain and any subdomain, only create a zone for the domain and put the subdomain's DNS records in the main domain's zone file 2014-06-22 16:24:15 +00:00
Joshua Tauberer 4668367420 first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc. 2014-06-22 15:54:22 +00:00
Michael Kropat 9e63ec62fb Cleanup: remove env dependency 2014-06-22 08:55:19 -04:00
Michael Kropat d100a790a0 Remove API_KEY_FILE setting 2014-06-22 08:45:29 -04:00
Michael Kropat 554a28479f Merge remote-tracking branch 'upstream/master' into mgmt-auth
Conflicts:
	management/daemon.py
2014-06-21 21:29:25 -04:00
Joshua Tauberer 064d75e261 Merge pull request #73 from mkropat/syslog-logging
Tell Flask to log to syslog
2014-06-21 21:22:27 -04:00
Michael Kropat 067052d4ea Add key-based authentication to management service
Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service.
2014-06-21 23:42:48 +00:00