1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-04-05 00:27:25 +00:00
Commit Graph

839 Commits

Author SHA1 Message Date
downtownallday
1933818843 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-04-26 19:29:09 -04:00
Joshua Tauberer
2c295bcafd Upgrade the Roundcube persistent login cookie encryption to AES-256-CBC and increase the key length accordingly
This change will force everyone to be logged out of Roundcube since the encryption key and cipher won't match anyone's already-set cookie, but this happens anyway after every Mail-in-a-Box update since we generate a new key each time already.

Fixes #1968.
2021-04-23 17:04:56 -04:00
downtownallday
d20c3e6ffa Merge branch 'master' into postgrey-whitelist 2021-04-13 07:00:47 -04:00
downtownallday
4227fa2b42 Merge branch 'master' into reporting 2021-04-13 06:51:05 -04:00
downtownallday
6bfcd679e1 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
2021-04-13 00:22:55 -04:00
Downtown Allday
f14eb2cdce v0.53
# Conflicts:
#	README.md
2021-04-12 23:27:11 -04:00
Joshua Tauberer
178c587654 Migrate to the ECDSAP256SHA256 (13) DNSSEC algorithm
* Stop generating RSASHA1-NSEC3-SHA1 keys on new installs since it is no longer recommended, but preserve the key on existing installs so that we continue to sign zones with existing keys to retain the chain of trust with existing DS records.
* Start generating ECDSAP256SHA256 keys during setup, the current best practice (in addition to RSASHA256 which is also ok). See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 and https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/.
* Sign zones using all available keys rather than choosing just one based on the TLD to enable rotation/migration to the new key and to give the user some options since not every registrar/TLD supports every algorithm.
* Allow a user to drop a key from signing specific domains using DOMAINS= in our key configuration file. Signing the zones with extraneous keys may increase the size of DNS responses, which isn't ideal, although I don't know if this is a problem in practice. (Although a user can delete the RSASHA1-NSEC3-SHA1 key file, the other keys will be re-generated on upgrade.)
* When generating zonefiles, add a hash of all of the DNSSEC signing keys so that when the keys change the zone is definitely regenerated and re-signed.
* In status checks, if DNSSEC is not active (or not valid), offer to use all of the keys that have been generated (for RSASHA1-NSEC3-SHA1 on existing installs, RSASHA256, and now ECDSAP256SHA256) with all digest types, since not all registers support everything, but list them in an order that guides users to the best practice.
* In status checks, if the deployed DS record doesn't use a ECDSAP256SHA256 key, prompt the user to update their DS record.
* In status checks, if multiple DS records are set, only fail if none are valid. If some use ECDSAP256SHA256 and some don't, remind the user to delete the DS records that don't.
* Don't fail if the DS record uses the SHA384 digest (by pre-generating a DS record with that digest type) but don't recommend it because it is not in the IANA mandatory list yet (https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml).

See #1953
2021-04-12 19:42:12 -04:00
Joshua Tauberer
34569d24a9 v0.53 2021-04-11 12:45:37 -04:00
downtownallday
fe4581e849 Merge branch 'reporting' into postgrey-whitelist 2021-04-09 12:05:00 -04:00
downtownallday
8093837e93 use systemctl 'restart' instead of 'start' 2021-04-09 12:04:11 -04:00
downtownallday
0df9de30c9 Manage the local Postgrey whitelist in the admin console 2021-04-09 09:47:07 -04:00
downtownallday
8a6f962b3e Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	setup/management.sh
2021-02-28 12:47:10 -05:00
Paul
a839602cba
Enable sending DMARC failure reports (#1929)
Configures opendmarc to send failure reports for domains that request them, including when p=none.

The emails are sent as the package default of package name and user@hostname: OpenDMARC Filter <opendmarc@box.example.com>

Note I have been running this for several months with a configuration I did not include in the PR to have reports BCC'd to me (FailureReportsBcc postmaster@example.com). Very low load for my personal server of rarely more than a dozen emails sent out per day.

I am not familiar with editing scripts, so apologies in advance and please feel free to correct me.
2021-02-28 08:21:15 -05:00
Joshua Tauberer
f21a41dc84 Merge #1932, with some edits 2021-02-28 08:16:50 -05:00
davDevOps
055ac07663 Update roundcube to 1.4.11
roundcube Bug Fixes:

Fix for Cross-Site Scripting (XSS) via HTML messages with malicious CSS content
General Improvements from roundcube's Issue Tracker
2021-02-28 08:14:17 -05:00
davDevOps
c7b295f403 Update zpush to 2.6.2 2021-02-28 08:05:40 -05:00
Joshua Tauberer
d36a2cc938 Enable Backblaze B2 backups
This reverts commit b1d703a5e7 and adds python3-setuptools per the first version of #1899 which fixes an installation error for the b2sdk Python package.
2021-02-28 08:04:14 -05:00
downtownallday
226e59415a Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox 2021-02-19 04:14:20 -05:00
jvolkenant
af62e7a99b
Fixes unbound variable when upgrading from Nextcloud 13 (#1913) 2021-02-06 16:49:43 -05:00
downtownallday
810bf15a43 Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
#	setup/management.sh
2021-01-31 16:56:49 -05:00
Joshua Tauberer
90d63fd208 v0.52 2021-01-31 08:48:14 -05:00
Joshua Tauberer
b1d703a5e7 Disable Backblaze B2 backups until #1899 is resolved 2021-01-31 08:33:56 -05:00
jvolkenant
50d50ba653
Update zpush to 2.6.1 (#1908) 2021-01-28 18:20:19 -05:00
downtownallday
2a0e50c8d4 Initial commit of a log capture and reporting feature
This adds a new section to the admin panel called "Activity", that
supplies charts, graphs and details about messages entering and leaving
the host.

A new daemon captures details of system mail activity by monitoring
the /var/log/mail.log file, summarizing it into a sqllite database
that's kept in user-data.
2021-01-11 18:02:07 -05:00
downtownallday
73a2b72243 Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox 2020-12-29 07:57:08 -05:00
jcm-shove-it
e2f9cd845a
Update roundcube to 1.4.10 (#1891) 2020-12-28 08:11:33 -05:00
downtownallday
3656ad9b9c Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	setup/dkim.sh
#	setup/spamassassin.sh
2020-12-26 08:16:22 -05:00
downtownallday
e7c5a841aa Merge branch 'jvolk-spf-opendd' 2020-12-26 07:55:30 -05:00
jvolkenant
c7280055a8
Implement SPF/DMARC checks, add spam weight to those mails (#1836) 2020-12-25 17:22:24 -05:00
Hilko
003e8b7bb1
Adjust max-recursion-queries to fix alternating rdns status (#1876) 2020-12-25 17:19:16 -05:00
downtownallday
3a98a993bd Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox 2020-12-21 09:22:58 -05:00
downtownallday
4cc672e852 Modify the handling of SPF checks and spam rules for policyd-spf 2020-12-21 08:44:10 -05:00
Hilko
3422cc61ce
Include en_US.UTF-8 locale in daemon startup (#1883)
Fixes #1881.
2020-12-19 19:11:58 -05:00
downtownallday
24c156c594 Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	setup/management.sh
2020-11-27 16:50:12 -05:00
Hilko
8664afa997
Implement Backblaze for Backup (#1812)
* Installing b2sdk for b2 support
* Added Duplicity PPA so the most recent version is used
* Implemented list_target_files for b2
* Implemented b2 in frontend
* removed python2 boto package
2020-11-26 07:13:31 -05:00
downtownallday
a0dd58d29e Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox 2020-11-17 07:46:22 -05:00
Joshua Tauberer
7fd35bbd11 Disable default Nextcloud apps that we don't support
Contacts and calendar are the only supported apps in Mail-in-a-Box.

Files can't be disabled.

Fixes #1864
2020-11-15 17:17:58 -05:00
downtownallday
74a2f89cff Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
2020-11-14 12:44:09 -05:00
Joshua Tauberer
92221f9efb v0.51 2020-11-14 10:05:20 -05:00
downtownallday
4661a29248 Merge remote-tracking branch 'jvolkenant/1755_spf_opendmarc_opendkim_sa' into jvolk-spf-opendd 2020-11-06 09:27:41 -05:00
downtownallday
68ac593d7f load vars ahead of functions 2020-11-05 16:32:23 -05:00
downtownallday
e43c01e6fe Enable caching of Nextcloud downloads as well as downloading Nextcloud from github instead of Nextcloud servers 2020-11-05 16:19:42 -05:00
downtownallday
5a023f7868 Ensure system php is used 2020-11-04 14:26:20 -05:00
downtownallday
4fdbad5ef8 Be ciab-aware and use php version used by nextcloud 2020-11-04 14:13:59 -05:00
downtownallday
34d968a2cd Prep for ubuntu 20.
This file is shared with cloud-in-a-box, which will support ubuntu 20 before MiaB-LDAP.
2020-11-02 12:57:57 -05:00
downtownallday
b634188ac0 Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	management/daemon.py
#	management/mfa.py
2020-10-31 11:43:35 -04:00
downtownallday
ad3174f08e Merge branch 'totp' 2020-10-31 11:39:35 -04:00
Joshua Tauberer
6a979f4f52
Add TOTP two-factor authentication to admin panel login (#1814)
* add user interface for managing 2fa

* update user schema with 2fa columns

* implement two factor check during login

* Use pyotp for validating TOTP codes

* also implements resynchronisation support via `pyotp`'s `valid_window option

* Update API route naming, update setup page

* Rename /two-factor-auth/ => /2fa/
* Nest totp routes under /2fa/totp/
* Update ids and methods in panel to allow for different setup types

* Autofocus otp input when logging in, update layout

* Extract TOTPStrategy class to totp.py

* this decouples `TOTP` validation and storage logic from `auth` and moves it to `totp`
* reduce `pyotp.validate#valid_window` from `2` to `1`

* Update OpenApi docs, rename /2fa/ => /mfa/

* Decouple totp from users table by moving to totp_credentials table

* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credentials per user on db-level

* Add sqlite migration

* Rename internal validate_two_factor_secret => validate_two_factor_secret

* conn.close() if mru_token update can't .commit()

* Address review feedback, thanks @hija

* Use hmac.compare_digest() to compare mru_token

* Safeguard against empty mru_token column

* hmac.compare_digest() expects arguments of type string, make sure we don't pass None
 * Currently, this cannot happen but we might not want to store `mru_token` during setup

* Do not log failed login attempts for MissingToken errors

* Due to the way that the /login UI works, this persists at least one failed login each time a user logs into the admin panel. This in turn triggers fail2ban at some point.

* Add TOTP secret to user_key hash

thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`

* Typo

* Reorganize the MFA backend methods

* Reorganize MFA front-end and add label column

* Fix handling of bad input when enabling mfa

* Update openAPI docs

* Remove unique key constraint on foreign key user_id in mfa table

* Don't expose mru_token and secret for enabled mfas over HTTP

* Only update mru_token for matched mfa row

* Exclude mru_token in user key hash

* Rename tools/mail.py to management/cli.py

* Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost

Co-authored-by: Joshua Tauberer <jt@occams.info>
2020-10-31 10:27:38 -04:00
David Duque
48c233ebe5
Update Roundcube to version 1.4.9 (#1830) 2020-10-31 10:01:14 -04:00
Michael Kroes
9a588de754
Upgrade Nextcloud to version 20.0.1 (#1848) 2020-10-31 09:58:26 -04:00