Commit Graph

1205 Commits

Author SHA1 Message Date
Joshua Tauberer 5e43c394d5 Merge pull request #477 from anoma/master
cleanup and harden of fail2ban
2015-07-02 06:22:57 -04:00
anoma b2eaaeca4b Revert to default 6 ssh/ddos login attempts
No legitimate admin will require 20 login attempts. The default 6 is a sane middle ground especially since in 10 minutes they can try again  or immediately from another IP anyway.
2015-07-02 10:23:48 +01:00
anoma e2d9a523c3 Cleanup blank lines, comments and whitespace to make it easier to follow 2015-07-02 10:19:37 +01:00
anoma 11df1e4680 Unnecessary config item, inherited from default jail.conf 2015-07-02 10:10:50 +01:00
anoma 53d5542402 Revert to default 600 second ban time
A 60 second/1 minute ban time is not long enough to counter brute force attacks which is the main purpose of fail2ban for mail in a box. The default bantime of 10 minutes is still sane and I think we have proven fail2ban is reliable enough not to cause problems in general. It is not worth sacrificing security for the rare case where an admin locks themselves out for 10 minutes.
2015-07-02 10:08:50 +01:00
anoma bfda3f40b9 Unnecessary config item, inherited from default jail.conf 2015-07-02 09:55:59 +01:00
Joshua Tauberer c0ddceb2bd Merge pull request #471 from hnk/patch-1
Set PHPs default charset to UTF-8, since we use it. Closes #367.
2015-06-30 12:00:27 -04:00
Joshua Tauberer 42a506231b don't automatically create the administrator@ alias (e.g. on first user creation) because we dont know what it should be an alias to (leave this to be resolved manually), fixes #470
Was broken by 462a79cf47.
2015-06-30 09:16:22 -04:00
Joshua Tauberer e3252f53da idna domains in certificate subject alternative names were not handled correctly after switching to cryptography package 2015-06-30 13:09:18 +00:00
Joshua Tauberer aa33428311 some IDNA functionality was still using Python's built-in IDNA 2003 encoder rather than the idna package's IDNA 2008 encoder 2015-06-30 13:09:18 +00:00
Hnk Reno ca5d228be6 Set PHPs default charset to UTF-8, since we use it. Closes #367. 2015-06-30 11:31:43 +02:00
Joshua Tauberer f89a98c78a v0.11b to fix missing package for apt-add-repository 2015-06-29 21:52:47 -04:00
Joshua Tauberer a3087d8815 must install software-properties-common to have add-apt-repository 2015-06-29 21:47:54 -04:00
Joshua Tauberer 23d2df7a93 v0.11
---------------------

Advisories:
* Users can no longer spoof arbitrary email addresses in outbound mail. When sending mail, the email address configured in your mail client must match the SMTP login username being used, or the email address must be an alias with the SMTP login username listed as one of the alias's targets.
* This update replaces your DKIM signing key with a stronger key. Because of DNS caching/propagation, mail sent within a few hours after this update could be marked as spam by recipients. If you use External DNS, you will need to update your DNS records.
* The box will now install software from a new Mail-in-a-Box PPA on Launchpad.net, where we are distributing two of our own packages: a patched postgrey and dovecot-lucene.

Mail:
* Greylisting will now let some reputable senders pass through immediately.
* Searching mail (via IMAP) will now be much faster using the dovecot lucene full text search plugin.
* Users can no longer spoof arbitrary email addresses in outbound mail (see above).
* Fix for deleting admin@ and postmaster@ addresses.
* Roundcube is updated to version 1.1.2, plugins updated.
* Exchange/ActiveSync autoconfiguration was not working on all devices (e.g. iPhone) because of a case-sensitive URL.
* The DKIM signing key has been increased to 2048 bits, from 1024, replacing the existing key.

Web:
* 'www' subdomains now automatically redirect to their parent domain (but you'll need to install an SSL certificate).
* OCSP no longer uses Google Public DNS.
* The installed PHP version is no longer exposed through HTTP response headers, for better security.

DNS:
* Default IPv6 AAAA records were missing since version 0.09.

Control panel:
* Resetting a user's password now forces them to log in again everywhere.
* Status checks were not working if an ssh server was not installed.
* SSL certificate validation now uses the Python cryptography module in some places where openssl was used.
* There is a new tab to show the installed version of Mail-in-a-Box and to fetch the latest released version.

System:
* The munin system monitoring tool is now installed and accessible at /admin/munin.
* ownCloud updated to version 8.0.4. The ownCloud installation step now is reslient to download problems. The ownCloud configuration file is now stored in STORAGE_ROOT to fix loss of data when moving STORAGE_ROOT to a new machine.
* The setup scripts now run `apt-get update` prior to installing anything to ensure the apt database is in sync with the packages actually available.
2015-06-29 20:58:35 -04:00
Joshua Tauberer 1cd97d46a2 press hit 2015-06-27 10:10:33 -04:00
Joshua Tauberer 53f84a8092 set ssl_stapling_verify back to on, reverts part of 47de93961e
The sslmate guidance changed. See #458.
2015-06-27 07:14:16 -04:00
Joshua Tauberer 6441de63ba typo in security.md 2015-06-26 11:38:40 -04:00
Joshua Tauberer b2553aea33 note the new sender email address spoofing restriction at the top of the changelog 2015-06-26 11:36:10 -04:00
Joshua Tauberer 5ef1cfbdc7 forgot new version.html template file 2015-06-25 17:43:50 +00:00
Joshua Tauberer 7527b4dc27 show the Mail-in-a-Box version in the control panel and a button to ping the MiaB website for the latest version
fixes #441
2015-06-25 13:43:11 +00:00
Joshua Tauberer 1367816b04 merge #451 - Increase DKIM key length to 2048 2015-06-25 13:07:29 +00:00
Joshua Tauberer 299a2315c1 dkim 2048 bits - migration and zone file generation changes
* Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.)
* Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings.
* When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec.
* Added a changelog entry.
2015-06-25 13:06:29 +00:00
Joshua Tauberer 9a6aea6940 changelog entry for z-push autodiscover case insensitivity 2015-06-25 12:32:07 +00:00
Joshua Tauberer 98cd04cccf Merge pull request #452 from m4rcs/master
Z-Push autoconfiguration fails due to URL case sensitivity
2015-06-25 08:28:44 -04:00
Marc Schiller 0cc20cbb97 Fixed a bug where autoconfiguration for Z-Push fails due to case of URL. 2015-06-25 11:56:33 +02:00
PortableTech ef6a17d4a6 Increase DKIM key length to 2048
Currently MiaB creates 1024 bit keys which is seen as a minimum standard
by several providers such as Google who already uses a 2048 bit key.
Increasing the keysize beyond 2048 is an issue as it often goes beyond
supported DNS record sizes.
2015-06-24 18:49:19 -04:00
Joshua Tauberer 17a149947a other CHANGELOG updates 2015-06-24 18:16:25 -04:00
Joshua Tauberer a2c50ae967 note the new SMTP mail from restriction in the changelog and security guide 2015-06-24 18:12:41 -04:00
Joshua Tauberer 13958ba4df Merge pull request #427 from pichak/add-sender-login-mismatch
Reject outgoing mail if MAIL FROM (envelope sender) does not match login name or is not an alias that directs mail (directly) to login name.
2015-06-24 18:03:03 -04:00
Joshua Tauberer 8eb71483f3 Merge pull request #450 from agriffaut/patch-1
ownCloud breaks if download fails (Issue #449)
2015-06-24 08:11:30 -04:00
aLeX d8e30883fa Issue #449
If the downloaded file doesn't pass hash verification, the script exits and leaves a broken system
Just make hash verification before moving owncloud directory
2015-06-24 14:06:01 +02:00
Joshua Tauberer 47acbbf332 bump to latest version of my email_validator library 2015-06-23 16:43:35 -04:00
Joshua Tauberer dece359c90 validate certificates using the cryptography python package as much as possible, shelling out to openssl just once instead of four times per certificate
* Use `cryptography` instead of parsing openssl's output.
* When checking if we can reuse the primary domain certificate or a www-parent-domain certificate for a domain, avoid shelling out to openssl entirely.
2015-06-21 14:53:37 +00:00
Joshua Tauberer 6a9eb4e367 improve inline documentation for the virtual-alias-maps query 2015-06-21 08:22:33 -04:00
Morteza Milani fc03ce9b2f Fix login map. Now includes both emails and aliases 2015-06-20 03:27:18 -07:00
Toilal ce17c12ca2 Use netcat to check if mailinabox webservice is available
[JT added installing netcat-openbsd in system.sh]
2015-06-18 08:04:46 -04:00
Joshua Tauberer 5edaeb8c7b add a new autoconfiguration option PRIMARY_HOSTNAME=auto to simply grab the hostname from reverse DNS
drawn from 5b23a06a74.
2015-06-18 07:46:09 -04:00
Joshua Tauberer 3a28d1b073 showing the Mail-in-a-Box version using git describe was broken since dd6a8d99 2015-06-18 07:45:55 -04:00
Joshua Tauberer 6f2226bfcd move more of start.sh into questions.sh to keep start.sh cleaner and encapsulate all of the variable setting in a single script
Based on 5b23a06a74.
2015-06-18 07:38:18 -04:00
Joshua Tauberer 97cd4c64ad don't expose PHP version in the X-Powered-By header, closes #439, fixes #433 2015-06-18 11:12:03 +00:00
Joshua Tauberer 43d50d0667 Merge pull request #445 from bizonix/patch-1
fix wrong redirect for automatic www subdomain redirects
2015-06-18 07:05:01 -04:00
Joshua Tauberer 6258a7f311 status checks were broken if sshd was not present, fixes #444 2015-06-18 11:01:11 +00:00
Joshua Tauberer ab36cc8968 whitespace=>tabs 2015-06-18 10:54:51 +00:00
bizonix 33b71c6b3c fix wrong redirect
$ curl -I https://www.site.co.il/static/images/1.png?a=b | grep Location
Location: https://site.co.il?a=b
but should be something like 
Location: https://site.co.il/static/images/1.png?a=b
2015-06-18 01:48:15 +03:00
Joshua Tauberer 34e821c102 Roundcube 1.1.2 2015-06-17 11:00:15 +00:00
Joshua Tauberer 2af557139d default IPv6 AAAA records were missing
This was broken by the ability to have multiple TXT records in 9f1d633ae4.
2015-06-17 06:47:22 -04:00
Joshua Tauberer 9e0dcd8718 security.md: add a section on DNSSEC specifically 2015-06-15 10:24:16 -04:00
Joshua Tauberer be2b5a62de ownCloud updated to version 8.0.4 2015-06-14 16:04:07 +00:00
Joshua Tauberer 0cbba71c72 merge #429 - Move OwnCloud's config to Storage Root 2015-06-14 15:48:09 +00:00
Joshua Tauberer d28563fb45 tweak the ownCloud config location migration (no need for third ln) 2015-06-14 15:42:32 +00:00