Joshua Tauberer
7f8f4518e3
document password character limitation
...
fixes #407
2018-11-30 10:46:54 -05:00
Joshua Tauberer
86e2cfb6c8
remove old duplicity migration code from 2015, see 42322455
2018-11-30 10:46:54 -05:00
Joshua Tauberer
f739662392
duplicity started creating signature files with invalid filenames, fixes #1431
2018-10-13 16:16:30 -04:00
Joshua Tauberer
3dbd6c994a
update bind9 configuration
2018-10-03 14:28:43 -04:00
Joshua Tauberer
bbfa01f33a
update to PHP 7.2
...
* drop the ondrej/php PPA since PHP 7.x is available directly from Ubuntu 18.04
* install PHP 7.2 which is just the "php" package in Ubuntu 18.04
* some package names changed, some unnecessary packages are no longer provided
* update paths
2018-10-03 13:00:15 -04:00
Christopher A. DeFlumeri
d96613b8fe
minimal changeset to get things working on 18.04
...
@joshdata squashed pull request #1398 , removed some comments, and added these notes:
* The old init.d script for the management daemon is replaced with a systemd service.
* A systemd service configuration is added to configure permissions for munin on startup.
* nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2.
* Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config.
* The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04.
* The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders.
* Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing.
* Other minor changes.
2018-10-03 13:00:06 -04:00
hlxnd
f420294819
Use ISO 8601 on backups table dates.
2018-08-05 15:26:45 +02:00
Joshua Tauberer
2f467556bd
new ssl cert provisioning broke if a domain doesn't yet have a cert, fixes #1392
2018-07-19 11:40:49 -04:00
Joshua Tauberer
2a72c800f6
replace free_tls_certificates with certbot
2018-06-29 16:46:21 -04:00
Joshua Tauberer
8be23d5ef6
ssl_certificates: reuse query_dns function in status_checks and simplify calls by calling normalize_ip within query_dns
2018-06-29 16:46:21 -04:00
Joshua Tauberer
1eba7b0616
send the mail_log.py report to the box admin every Monday
2018-02-25 11:55:06 -05:00
Joshua Tauberer
9c7820f422
mail_log.py: include sent mail in the logins report in a new smtp column
2018-02-24 09:24:15 -05:00
Joshua Tauberer
87ec4e9f82
mail_log.py: refactor the dovecot login collector
2018-02-24 09:24:14 -05:00
Joshua Tauberer
08becf7fa3
the hidden feature for proxying web requests now sets X-Forwarded-For
2018-02-24 09:24:14 -05:00
NatCC
fe597da7aa
Update users.html ( #1345 )
...
Passwords must be eight characters long; when passwords are changed via the users page the dialog states that passwords need to be at least four characters but only eight or more are acceptable.
2018-02-03 17:49:11 -05:00
Joshua Tauberer
61e9888a85
don't try to generate a CSR in the control panel until both the domain and country are selected
...
Fixes #1338 .
See 0e9680fda63c33ace3f34ca7126617fb0efe8ffc, a52c56e571.
2018-01-28 09:08:24 -05:00
Joshua Tauberer
ef6f121491
when generating a CSR in the control panel, don't set empty attributes
...
Same as in a52c56e571.
Fixes #1338 .
2018-01-28 09:07:54 -05:00
Joshua Tauberer
8d6d84d87f
run mailconfig.py's email address validator outside of the virtualenv during questions.sh
...
We don't have the virtualenv this early in setup.
Broken by 0088fb4553.
Fixes #1326 .
See https://discourse.mailinabox.email/t/that-is-not-a-valid-email-error-during-mailinabox-installation/2793 .
2018-01-20 10:59:37 -05:00
Joshua Tauberer
0088fb4553
install Python 3 packages in a virtualenv
...
The cryptography package has created all sorts of installation trouble over the last few years, probably because of mismatches between OS-installed packages and pip-installed packages. Using a virtualenv for all Python packages used by the management daemon should make sure everything is consistent.
See #1298 , see #1264 .
2018-01-15 13:27:04 -05:00
Joshua Tauberer
5f14eca67f
merge v0.25 security release
2017-11-15 11:27:30 -05:00
John Olten
544f155948
Add support for DNS wildcard [merges #1281 ]
2017-11-15 11:10:59 -05:00
Jānis (Yannis)
7bf377eed1
use RSASHA256 for .lv domains DNSSEC ( #1277 )
2017-10-31 18:01:47 -04:00
Nicolas North
cd554cf480
document the "local" alias pointing to this box in Custom DNS ( #1261 )
2017-10-20 17:20:21 -04:00
Fabian Bucher
341aa8695a
update F-Droid DAVdroid link ( #1253 )
...
the information about the invalid link comes from here -> https://discourse.mailinabox.email/t/admin-sync-guide-contacts-and-calendar-davdroid-3-69-free-here/2528
2017-10-04 17:47:15 -04:00
Joshua Tauberer
cc7be13098
update nginx cipher list to Mozilla's current intermediate ciphers and update HSTS header to be six months
...
* The Mozilla recommendations must have been updated in the last few years.
* The HSTS header must have >=6 months to get an A+ at ssllabs.com/ssltest.
2017-10-03 11:47:32 -04:00
Joshua Tauberer
35b8a149d8
fix dns regex: underscores are allowed in domain names even though they are not allowed in hostnames
2017-09-22 12:31:49 -04:00
Marius Blüm
48ff664ee9
Remove the ? from "Log out" ( #1231 )
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2017-08-23 19:46:45 -04:00
Git Repository
19a928e4ec
[Issue #1159 ] Remove any +tag name in email alias before checking privileges ( #1181 )
...
* [Issue #1159 ] Remove any +tag name in email alias before checking privileges
* Move privileged email check after the conversion to unicode so only IDNA serves as input
2017-07-21 11:10:16 -04:00
Michael Kroes
78f2fe213e
Secondary name server could not be set ( #1209 )
2017-07-21 08:20:37 -04:00
Michael Kroes
a16855ecf0
Backup script should now stop php7.0-fpm instead of php5-fpm ( #1206 )
2017-07-17 09:45:40 -04:00
Michael Kroes
2c324d0bc9
web_domains should also normalize ipv6 addresses ( #1201 )
2017-07-13 07:16:12 -04:00
François Deppierraz
46ba62b7b1
Add support for NS records in custom domains ( #1177 )
2017-06-11 07:56:30 -04:00
Michael Kroes
e49c99890b
fetch whole bootstrap - fixes missing icons in admin ( #1185 )
2017-05-31 07:36:17 -04:00
Git Repository
18f1689f45
changed the location we store the web-assets for the admin pages to /usr/local/mailinabox ( #1179 )
2017-05-23 19:22:53 -04:00
Git Repository
8234a5a9f4
download jQuery and Bootstrap during setup and serve locally so that we don't rely on a CDN which is blocked in some parts of the world ( #1167 ) ( #1171 )
2017-05-08 07:25:16 -04:00
Michael Kroes
d2b7204319
Add support for adding a custom "CAA" DNS record ( #1155 )
2017-04-30 08:58:00 -04:00
Joshua Tauberer
add985ce5d
letsencrypt now supports idna, remove the check/block
2017-04-17 07:45:08 -04:00
yodax
b66f12dd4c
Fix rsync backup. The path was not appended properly
2017-04-17 07:25:47 -04:00
yodax
6e04eb490f
Add check to prevent division by zero during backup status
2017-04-17 07:25:47 -04:00
Michael Kroes
a072730fb8
Wrap normalize_ip in try..except ( #1139 )
...
closes #1134
2017-04-03 16:53:53 -04:00
Rinze de Laat
9c9cae2096
Added an alternative mail log scanning script for use from the command line (and monitoring, at a later stage)
...
merges #970
2017-03-26 09:13:35 -04:00
Théo Segonds
423f1907d0
Fix zpush compatibility list link ( #1076 )
2017-03-26 09:09:00 -04:00
Sean Watson
86621392f6
support SSHFP records for custom domains ( #1114 )
2017-03-09 09:05:52 -05:00
Sean Watson
368b9c50d0
add DSA and ED25519 SSHFP records if those keys are present ( #1078 )
2017-03-01 08:02:41 -05:00
Ian Beringer
89222d519a
Fix date delta display for deltas greater than 1 year ( #1099 )
2017-02-15 18:24:32 -05:00
Dominik Murzynowski
36bef2ee16
Change password min-length to 8 characters ( #1098 )
2017-02-14 14:24:59 -05:00
Joshua Tauberer
a24977a96e
normalize_ip for ipv6 still not correct, was broken if box has no IPv6 address
2017-01-18 07:51:59 -05:00
Joshua Tauberer
a081d04082
move the custom exclusive process code from utils.py into a new python package named exclusiveprocess
2017-01-15 11:02:23 -05:00
Jonathan Chun
584cfe42c4
compare IPv6 addresses correctly with normalization ( #1052 )
2017-01-15 10:41:12 -05:00
Michael Kroes
41601a592f
Improve error handling when doing update checks ( #1065 )
...
* Added an error message to handle exceptions when the setup script is trying to determine the latest Miab version
2017-01-15 10:35:33 -05:00
guyzmo
34d58fb720
Fix/rsync issues ( #1036 )
...
* Fixed issue with relative path for rsync relative names
Actually using the parsed URL `path` part, instead of doing a lousy split().
Renamed the `p` variable into something more sensible (`target`).
Fixes : #1019
* Added more verbose error messages upon rsync failures
fixes #1033
* Added command to test file listing
2016-12-17 09:29:48 -05:00
Joshua Tauberer
99d0afd650
secondary nameserver check fails if domain has custom DNS (round-robin) multiple A records
...
fixes #834
2016-12-07 07:02:52 -05:00
Joshua Tauberer
cd717ec94e
nightly TLS certificate provisioning should omit warnings about domains it can't provision for
2016-12-07 07:02:52 -05:00
Joshua Tauberer
96b3a29800
rsync backup broke other things
2016-11-12 09:59:06 -05:00
guyzmo
041b5f883f
Support for rsync+ssh backup target ( #678 )
...
* Added support for backup to a remote server using rsync
* updated web interface to get data from user
* added way to list files from server
It’s not using the “username” field of the yaml configuration
file to minimise the amount of patches needed. So the username
is actually sorted within the rsync URL.
Signed-off-by: Bernard `Guyzmo` Pratz <guyzmo+github@m0g.net>
* Added ssh key generation upon installation for root user.
Signed-off-by: Bernard `Guyzmo` Pratz <guyzmo+github@m0g.net>
* Removed stale blank lines, and fixed typo
Signed-off-by: Bernard `Guyzmo` Pratz <guyzmo+github@m0g.net>
* fix backup-location lines, by switching it from id to class
* Various web UI fixes
- fixed user field being shadowed ;
- fixed settings reading comparison ;
- fixed forgotten min-age field.
Signed-off-by: Bernard `Guyzmo` Pratz <guyzmo+github@m0g.net>
* Added SSH Public Key shown on the web interface UI
Signed-off-by: Bernard `Guyzmo` Pratz <guyzmo+github@m0g.net>
* trailing spaces.
Signed-off-by: Bernard `Guyzmo` Pratz <guyzmo+github@m0g.net>
* fixed the extraneous environment
Signed-off-by: Bernard `Guyzmo` Pratz <guyzmo+github@m0g.net>
* Updated key setup
- made key lower in bits, but stronger (using -a option),
- made ssh-keygen run in background using nohup,
- added independent key file, as id_rsa_miab,
- added ssh-options to all duplicity calls to use the id_rsa_miab keyfile,
- changed path to the public key display
Signed-off-by: Bernard `Guyzmo` Pratz <guyzmo+github@m0g.net>
* added rsync options for ssh identity support
Signed-off-by: Bernard `Guyzmo` Pratz <guyzmo+github@m0g.net>
* removed strict host checking for all backup operations
Signed-off-by: Bernard `Guyzmo` Pratz <guyzmo+github@m0g.net>
* Remove nohup from ssh-keygen so errors aren't hidden. Also only generate a key if none exists yet
* Add trailing slash when checking a remote backup. Also check if we actually can read the remote size
* Factorisation of the repeated rsync/ssh options
cf https://github.com/mail-in-a-box/mailinabox/pull/678#discussion_r81478919
* Updated message SSH key creation
https://github.com/mail-in-a-box/mailinabox/pull/678#discussion_r81478886
2016-11-12 09:28:55 -05:00
yodax
3b78a8d9d6
If ufw isn't installed on the machine the status checks shouldn't fail
2016-11-12 09:25:34 -05:00
rxcomm
bbe27df413
SSHFP record creation should scan nonstandard SSH port if necessary ( #974 )
...
* sshfp records from nonstandard ports
If port 22 is not open, dns_update.py will not create SSHFP records
because it only scans port 22 for keys. This commit modifies
dns_update.py to parse the sshd_config file for open ports, and
then obtains keys from one of them (even if port 22 is not open).
* modified test of s per JoshData request
* edit CHANGELOG per JoshData
* fix typo
2016-10-15 15:36:13 -04:00
Michael Kroes
a658abc95f
Fix status checks for ufw when the system doesn't support iptables ( #961 )
2016-10-08 14:35:19 -04:00
Steve Gregg
8b5eba21c0
Correct typo of "PRIORITY" in the template ( #965 )
2016-10-05 18:43:50 -04:00
Marius Blüm
3ac4b8aca8
Remove Certificate Providers / Fix #950
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2016-09-27 15:06:50 +02:00
Marius Blüm
5f0376bfbf
Fix typo in alias-page, fixes #943 (merges #949 )
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2016-09-23 15:11:37 -04:00
Joshua Tauberer
c26bc841a2
more for dnspython exception with IPv6 addresses
...
fixes #945 , corrects prev commit (#947 ) in case of multiple AAAA records, adds changelog
2016-09-23 07:41:24 -04:00
Mathis Hoffmann
163daea41c
dnspython exception with IPv6 addresses
...
see #945 , merges #947
2016-09-23 07:35:53 -04:00
Scott Bronson
102b2d46ab
typo fix: seconday -> secondary ( #939 )
2016-09-18 08:10:49 -04:00
cs@twoflower
00bd23eb04
fix status_checks.py free disk space reporting #932
2016-09-15 17:01:21 +01:00
Joshua Tauberer
35a360ef0b
simplify how munin-cgi-graph is called to reduce the attack surface area
...
Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which led me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
2016-08-19 12:42:43 -04:00
Marius Blüm
942bcfc7c5
Update Bootstrap to 3.3.7 ( #909 )
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2016-08-15 18:06:12 -04:00
Joshua Tauberer
1aca6fe08f
some minor tweaks to the new users/aliases API documentation
2016-08-08 07:28:10 -04:00
Joshua Tauberer
cf3e1cd595
add SRV records for CardDAV/CalDAV
...
DavDroid's latest version's account configuration no longer just asked for a hostname. Its email address & password configuration mode did not work without a SRV record.
2016-07-31 20:53:57 -04:00
Joshua Tauberer
b044dda28f
put the ufw status checks in the network section, add a punctuation mark, add changelog entry
2016-07-29 09:23:36 -04:00
Joshua Tauberer
f66f39b61d
Merge branch 'ufw_status_check' of https://github.com/yodax/mailinabox
2016-07-29 09:16:22 -04:00
Joshua Tauberer
cbc4bf553d
Merge pull request #880 from schlypel/master
...
Added information about API endpoints
2016-07-29 09:04:27 -04:00
Joshua Tauberer
8844a9185f
Merge pull request #798 from mail-in-a-box/fail2banjails
...
add fail2ban jails for ownCloud, postfix submission, roundcube, and the Mail-in-a-Box management daemon
2016-07-29 08:52:44 -04:00
schlypel
3249a55f3a
added API info to users page template
2016-06-29 13:35:42 +02:00
schlypel
b58fb54725
added API info to aliases page template
2016-06-29 13:34:54 +02:00
Rinze
1c84e0aeb6
Added received mail count to hourly activity overview in mail log management script
2016-06-10 13:08:57 +02:00
Rinze
ae1b56d23f
Added POP3 support to mail log management script
2016-06-10 11:19:03 +02:00
Rinze
946cd63e8e
Mail log management script cleanup
2016-06-10 10:32:32 +02:00
Michael Kroes
01fa8cf72c
add fail2ban jails for ownCloud, postfix submission, roundcube, and the Mail-in-a-Box management daemon
...
(tests squashed into this commit by josh)
2016-06-06 09:13:10 -04:00
Joshua Tauberer
9ee2d946b7
Merge pull request #821 from m4rcs/before-backup
...
Added a pre-backup script to complement post-backup script.
2016-05-17 19:48:14 -04:00
Arnaud
ff7d4196a6
target to blank for munin link in template ( #822 )
...
adding :
target="_blank"
to
<li><a href="/admin/munin">Munin Monitoring</a></li> on line 96
Why ?
Because when you click on munin link, and follow links, you lose your index, or click back many times...
So I propose my pull request.
Et voilà ^^
2016-05-17 19:46:45 -04:00
aspdye
490b36d86c
Fix #819 ( #823 )
2016-05-17 19:46:10 -04:00
Marc Schiller
69bd137b4e
Added a pre-backup script to complement post-backup script.
2016-05-11 10:11:16 +02:00
Joshua Tauberer
6d259a6e12
use "127.0.0.1" throughout rather than mixing use of an IP address and "localhost"
...
On some machines localhost is defined as something other than 127.0.0.1, and if we mix "127.0.0.1" and "localhost" then some connections won't be to the address a service is actually running on.
This was the case with DKIM: It was running on "localhost" but Postfix was connecting to it at 127.0.0.1. (https://discourse.mailinabox.email/t/opendkim-is-not-running-port-8891/1188/12 .)
I suppose "localhost" could be an alias to an IPv6 address? We don't really want local services binding on IPv6, so use "127.0.0.1" to be explicit and don't use "localhost" to be sure we get an IPv4 address.
Fixes #797
2016-05-06 09:10:38 -04:00
Joshua Tauberer
6eeb107ee3
Merge #795 - Upgrade Bootstrap 3.3.5 to 3.3.6
2016-04-24 06:27:50 -04:00
aspdye
79a39d86f9
reseller -> provider
2016-04-23 15:18:21 +02:00
aspdye
0ebf33e9df
Make clear that Let's Encrypt is recommended!
2016-04-23 11:35:02 +02:00
aspdye
f65d9d3196
Upgrade Bootstrap 3.3.5 to 3.3.6
2016-04-09 13:27:27 +02:00
Michael Kroes
736b3de221
Improve matching of ufw output. Reuse network service list. Improve messages
2016-04-07 16:03:28 +02:00
Michael Kroes
42f2e983e5
Merge branch 'master' into ufw_status_check
2016-04-07 15:13:59 +02:00
msgerbs
703a963ae5
Add SRV record to the Custom DNS page
...
Add SRV to the drop-down to add a custom DNS zone. I made this change on my up-to-date install and it worked without any issues.
2016-04-05 00:54:26 -05:00
Michael Kroes
c9f30e8059
Add status checks for ufw
2016-04-02 13:41:16 +02:00
Joshua Tauberer
252c35c66e
Merge pull request #772 from yodax/generic-login-message
...
Make control panel login failed messages generic - don't reveal if an email address has an account on the system.
2016-03-26 09:22:02 -04:00
Michael Kroes
f292e8fc5b
Add generic login failed message
2016-03-26 14:06:43 +01:00
Michael Kroes
d7d8bda0a4
Instructions on how to create a web site for a domain weren't rendered. Users would miss the step about manually creating the directory to put files in there and wouldn't see anything happen
2016-03-25 13:37:55 +01:00
Joshua Tauberer
74a0359cec
Merge pull request #763 from Neopallium/master
...
Fix creation of custom MX records.
2016-03-23 17:22:42 -04:00
Joshua Tauberer
5edefbec27
merge #735 - Allow a server to be rebooted when a reboot is required
2016-03-23 16:39:40 -04:00
Joshua Tauberer
67555679bd
move the reboot button, fix grammar, refactor check for DRY, add changelog entry
2016-03-23 16:37:15 -04:00
Joshua Tauberer
546d6f0026
merge #674 - Support munin's cgi dynazoom
2016-03-23 16:10:30 -04:00
Joshua Tauberer
bd86d44c8b
simplify the munin_cgi wrapper / add changelog entry
2016-03-23 16:09:19 -04:00
Robert G. Jakabosky
72fcb005b2
Check MX priority.
2016-03-22 03:07:14 +08:00
Robert G. Jakabosky
84638ab11e
Fix creation of custom MX records.
2016-03-21 21:12:08 +08:00
Joshua Tauberer
49ea9cddd1
ssl_certificates: also forgot to catch free_tls_certificates.client.RateLimited
2016-03-06 14:39:34 -05:00
Joshua Tauberer
3bbec18ac6
Merge pull request #734 from yodax/dynamicpool
...
Create a temporary multiprocessing pool
2016-02-28 12:39:11 -05:00
Joshua Tauberer
2be373fd06
Merge pull request #727 from yodax/userlist
...
Allow files in /home/user-data/mail/mailboxes
2016-02-28 12:33:38 -05:00
Michael Kroes
b71ad85e9f
Restore an empty line
2016-02-26 09:51:22 +01:00
Michael Kroes
8ea2f5a766
Allow a server to be rebooted when a reboot is required
2016-02-25 21:56:27 +01:00
yodax
6c1357e16c
Merge branch 'master' into dynamicpool
2016-02-23 17:01:13 +01:00
Joshua Tauberer
5cabfd591b
(re-fix) mail sent from an address on a subdomain of a domain hosted by the box (a non-zone domain) would never be DKIM-signed because only zones were included in the openDKIM configuration, mistakenly
...
This was originally fixed in 143bbf37f4 (February 16, 2015). Then I broke it in 7a93d219ef (November 2015) while doing some refactoring ahead of v0.15.
2016-02-23 10:16:04 -05:00
yodax
721730f0e8
Create a temporary multiprocessing pool
2016-02-23 06:32:01 +01:00
Joshua Tauberer
af80849857
Merge pull request #732 from yodax/memory
...
Reduce percentages for required free memory checks
2016-02-22 15:02:50 -05:00
Joshua Tauberer
4b2e48f2c0
Merge pull request #726 from yodax/login
...
When previous panel was login, move to system_status
2016-02-22 14:44:23 -05:00
yodax
1b24e2cbaf
Reduce percentages for required memory checks
2016-02-22 17:49:19 +01:00
yodax
0843159fb4
Reduce number of processes in the pool to 5
2016-02-22 17:38:30 +01:00
yodax
057903a303
Allow files in /home/user-data/mail/mailboxes
2016-02-21 13:49:07 +01:00
yodax
b8e99c30a2
When previous panel was login, move to system_status
2016-02-20 18:42:28 +01:00
Joshua Tauberer
23ecff04b8
the logic in 4ed23f44e6 for taking backups more often was partly backward
2016-02-18 07:50:59 -05:00
Joshua Tauberer
36cb2ef41d
missing elif
2016-02-16 09:11:54 -05:00
Joshua Tauberer
1ba44b02d4
forgot to catch free_tls_certificates.client.ChallengeFailed
...
Provisioning could crash if, e.g., the DNS we see is different from the DNS Let's Encrypt sees.
see #695 , probably fixes it
2016-02-15 18:22:16 -05:00
Joshua Tauberer
2f24328608
before the user agrees to Let's Encrypt's ToS the admin could get a nightly email with weird interactive text
...
Made a mistake refactoring the headless variable earlier.
fixes #696
2016-02-13 12:38:16 -05:00
Joshua Tauberer
8ea42847da
nightly status checks could fail if any domains had non-ASCII characters
...
https://discourse.mailinabox.email/t/status-check-emails-empty-after-upgrading-to-v0-16/1082/3
A user on that thread suggests an alternate solution, adding `PYTHONIOENCODING=utf-8` to `/etc/environment`. Python docs say that affects stdin/out/err. But we also use these environment variables elsewhere to ensure that config files we read/write are opened with UTF8 too. Maybe all that can be simplified too.
2016-02-13 11:51:06 -05:00
Joshua Tauberer
4ed23f44e6
take a full backup more often so we don't keep backups around for so long
2016-02-05 11:08:33 -05:00
Joshua Tauberer
178527dab1
convert the backup increment time to the local timezone, fixes #700
...
Duplicity gives times in UTC. We were assuming times were in local time.
2016-02-05 08:58:07 -05:00
Wolf-Bastian Pöttner
239eac662c
Fix: Correct IP is reported when using custom DNS
...
Fix bug that reports wrong ip, when custom DNS is enabled
2016-02-04 21:32:11 +01:00
Joshua Tauberer
4e18f66db6
tls control panel: only show integral seconds while waiting the requested time from Let's Encrypt, in case we got back a non-integral number of seconds to wait
2016-02-03 08:21:22 -05:00
Joshua Tauberer
83ffc99b9c
change the public URL of bootstrap.sh to setup.sh
2016-01-30 11:19:51 -05:00
mike
6b408ef824
Use utils.shell instead of subprocess.Popen
2016-01-14 10:24:04 -05:00
Jeroen Jacobs
70111dafbc
Removes border and rounded corners from navbar
2016-01-14 15:48:39 +01:00
Joshua Tauberer
faaa74c3a7
tls: hide extra reasons why domains aren't getting a new certificate during setup
2016-01-14 07:21:08 -05:00
mike
8932aaf4ef
needed libcgi-fast-perl and chown log files
2016-01-13 23:55:45 -05:00
mike
6d6f3ea391
Added ability to use munin's dynazoom
2016-01-13 22:20:33 -05:00
Joshua Tauberer
2ad7d0830e
add exception handling for what_version_is_this, fixes #659
2016-01-09 09:23:07 -05:00
Joshua Tauberer
07f9228694
Merge branch 'letsencrypt' for automatic provisioning of TLS certificates from Let's Encrypt
2016-01-09 08:58:35 -05:00
baltoche
36e5772a8e
Update dns_update.py
2016-01-05 16:56:16 +01:00
Joshua Tauberer
2882e63dd8
second part of provisioning tls certificates from the control panel
2016-01-04 18:43:17 -05:00
Joshua Tauberer
812ef024ef
status checks: check that the non-primary domains also resolve over IPv6, if configured
2016-01-04 18:43:17 -05:00
Joshua Tauberer
40cdc5aa30
status checks: if a domain's DNS isn't working don't check the TLS certificate because we can't automatically provision one now anyway
2016-01-04 18:43:17 -05:00
Joshua Tauberer
b8d6226a9a
when provisioning tls certs from the command line, specify domain names as command line arguments to force getting certs for those domains
2016-01-04 18:43:17 -05:00
Joshua Tauberer
bac15d3919
provision tls certificates from the control panel
2016-01-04 18:43:16 -05:00
Joshua Tauberer
4b4f670adf
s/SSL/TLS/ in user-visible text throughout the project
2016-01-04 18:43:16 -05:00
Joshua Tauberer
b1b57f9bfd
don't try to get certs for IDNA domains and report all reasons for not fetching a certificate
...
fixes #646
2016-01-04 18:43:16 -05:00
Joshua Tauberer
b6933a73fa
provision and install free SSL certificates from Let's Encrypt
2016-01-04 18:43:16 -05:00
Joshua Tauberer
5033042b8c
backups: email the administrator when there's a problem
...
Refactor by moving the email-the-admin code out of the status checks and into a new separate tool.
This is why I suppressed non-error output of the backups last commit - so it doesn't send a daily email.
2016-01-04 18:43:02 -05:00
Joshua Tauberer
89a46089ee
backups: suppress all output except errors
2016-01-04 18:43:02 -05:00
Joshua Tauberer
e288d7730b
backups: trap an error that occurs as early as getting the current backup status
2016-01-04 18:43:02 -05:00
Joshua Tauberer
06a0e7f3fe
merge #584 - Add checks to the management interface to report memory usage
2016-01-01 18:13:21 -05:00
Joshua Tauberer
a9cd72bbf9
tighten the status text strings for free memory, add changelog entry
2016-01-01 18:12:36 -05:00
Joshua Tauberer
682b1dea5e
changelog/status checks updated for opening the sieve port
2016-01-01 17:53:05 -05:00
Joshua Tauberer
8d19eade85
clarify the backup days option, fixes #570
2015-12-26 12:04:26 -05:00
Joshua Tauberer
d53332b7cf
drop the CSR_COUNTRY setting and ask within the control panel
2015-12-26 11:48:23 -05:00
Joshua Tauberer
392d33b902
change DANE TLSA record to hash the subject public key rather than the whole certificate, which means it is good for any certificate tied to the same private key
...
Better for short-lived certificates. This is especially in preparation to using certificates from Let's Encrypt.
see #268
2015-12-26 11:01:46 -05:00
Joshua Tauberer
4305a71916
merge #587 - move backup and nightly status checks to 3am in system time
...
previously these were run in a cron.daily script which per crontab is run at 6:25 am local time
2015-12-26 08:42:58 -05:00
Joshua Tauberer
a4d8e12fd7
clean up the backup time patch: don't choose timezone here, move status checks into the same 3am script
2015-12-26 08:41:37 -05:00
Joshua Tauberer
dbf4729109
add management/backup.py --restore
2015-12-23 12:53:38 +00:00
Joshua Tauberer
6e6c993724
reword POP documentation, add to changelog/readme
2015-12-12 08:46:18 -05:00
Marius
f8b4e3775d
Update mail-guide.html (POP3)
2015-12-12 08:41:13 -05:00
Joshua Tauberer
fad69f85fa
Merge pull request #605 from ariejan/feature/604-add-rfc2142-mail-aliases
...
Add alias for abuse@
2015-12-07 15:56:51 -05:00
Ariejan de Vroom
aedfe62bb0
Add alias for abuse@
2015-12-07 16:31:58 +01:00
Joshua Tauberer
c4f00626ef
status checks: check that PRIMARY_HOSTNAME's AAAA record is working
2015-12-07 09:08:00 -05:00
Joshua Tauberer
fdad83a1bb
status checks: check IPv6 reverse DNS
2015-12-07 08:58:48 -05:00
Joshua Tauberer
5bbe9f9a04
status checks: when ipv6 is enabled, check that services are accessible over ipv6 too
2015-12-07 08:37:04 -05:00
Joshua Tauberer
7a93d219ef
some cleanup in dns_update.py
2015-11-29 14:59:35 +00:00
Joshua Tauberer
808522d895
merge functions get_web_domains and get_default_www_redirects
2015-11-29 14:46:08 +00:00
Joshua Tauberer
be9efe0273
ensure malformed ssl certificate can't cause it to be written to an arbitrary path
2015-11-29 14:04:37 +00:00
Joshua Tauberer
766b98c4ad
refactor: move SSL-related management functions into a new module ssl_certificates.py
2015-11-29 13:59:22 +00:00
Joshua Tauberer
c422543fdd
make the system SSL certificate a symlink so we never have to replace a certificate file, and flatten the directory structure of user-installed certificates
2015-11-29 02:02:01 +00:00
Joshua Tauberer
cf33be4596
fix boto 2 conflict on Google Compute Engine instances
...
GCE installs some Python-2-only boto plugin that conflicts with boto running under Python 3. It gives a SyntaxError in /usr/share/google/boto/boto_plugins/compute_auth.py (https://github.com/GoogleCloudPlatform/compute-image-packages ).
Disabling boto's default configuration file prior to importing boto so that GCE's plugin is not loaded.
See https://discourse.mailinabox.email/t/500-internal-server-error-for-admin/942 .
2015-11-26 14:51:44 +00:00
Joshua Tauberer
161d096139
add a way to dump backup status from the command line
2015-11-26 14:34:07 +00:00
Michael Kroes
59f8aa1c31
Add checks to the management interface to report memory usage
2015-11-20 01:48:59 -05:00
Joshua Tauberer
59e9952a61
the explanatory text for setting up secondary nameservers was hidden until a secondary nameserver is added, so that wasn't helpful
2015-11-19 07:00:32 -05:00
yodax
280de022cb
Change order in which services stop
2015-11-17 05:22:42 -05:00
yodax
fa1cad7fb2
During the backup you will get login failures which will confuse iOS, so it is better to stop php-fpm as well
2015-11-17 02:57:14 -05:00
Joshua Tauberer
1926bfa1c5
all DNS queries should have a timeout, fixes #591
2015-11-11 12:25:55 +00:00
Sheldon Rupp
96b02e68ee
Change 'Wosign' to 'WoSign'
2015-11-08 21:31:43 +01:00
Joshua Tauberer
ac238b9d28
don't run secondary nameserver checks if the zone's nameservers aren't correct to begin with, possibly because the user is using external DNS, see #582
2015-11-05 11:09:15 +00:00
Joshua Tauberer
3fd1279e7d
...but then also have to compare against the intended IP address, which might have a custom override, see #582
2015-11-03 12:06:03 +00:00
Joshua Tauberer
3bc38c89ab
secondary NS status checks in 3b91bc2c0a should not be skipped if the target IP address has been modified by a custom record
...
see #582
2015-11-03 06:48:04 -05:00
Joshua Tauberer
d0062b7de4
Merge pull request #572 from OmgImAlexis/patch-1
...
Added wosign as a suggested free SSL provider.
2015-10-31 14:57:13 -04:00
Joshua Tauberer
3b91bc2c0a
if secondary nameservers are given, status checks now check they are serving the right info
2015-10-22 10:58:36 +00:00
Joshua Tauberer
4c4babd9e7
experimentally scanning the mail log to see if we can infer a good time to take a backup
2015-10-22 10:35:14 +00:00
Joshua Tauberer
274e5ca676
let dovecot automatically create mailbox folders rather than doing it manually in the management daemon, fixes #554
2015-10-18 11:55:27 +00:00
Peter Timofejew
1bdfdbee89
Added 'Sent' folder when creating user.
2015-10-12 09:43:35 -04:00
X O
ebffaab16a
Added wosign as a suggested free SSL provider.
2015-10-11 11:33:18 +10:30
Joshua Tauberer
6c8ee1862a
use subresource integrity attributes to guard against CDNs being used as an attack vector; drop external resources that we can't protect this way (fonts); fixes #234
2015-09-18 19:04:28 +00:00
Joshua Tauberer
787beab63f
choose the best SSL cert from among the installed certificates; use the server certificate instead of self-signed certificates
...
For HTTPS for the non-primary domains, instead of selecting an SSL certificate by expecting it to be in a directory named after the domain name (with special-case lookups
for www domains, and reusing the server certificate where possible), now scan all of the certificates that have been installed and just pick the best to use for each domain.
If no certificate is available, don't create a self-signed certificate anymore. This wasn't ever really necessary. Instead just use the server certificate.
2015-09-18 13:25:18 +00:00
Joshua Tauberer
58349a9410
when updating DNS, clear the local DNS cache
2015-09-18 13:00:53 +00:00
Joshua Tauberer
93c2258d23
let the HSTS header be controlled by the management daemon so some domains can choose to enable preload
2015-09-08 21:20:50 +00:00
Joshua Tauberer
d60d73b7e0
status checks: don't error if there's a domain that dns_update hasn't been run yet on
2015-09-06 13:27:35 +00:00
Joshua Tauberer
6704da1446
silence errors in the admin if there is an invalid domain name in the database
...
see #531
2015-09-06 13:27:28 +00:00
Joshua Tauberer
4f6fa40dbd
warn in status checks if a custom DNS record has been set on a domain that would normally serve web and as a result that domain no longer is serving web
2015-09-05 20:07:51 +00:00
Joshua Tauberer
104b804059
if a custom DNS record exists for a web-serving domain and the record is just the box's IP address, don't skip this domain for serving web
2015-09-05 20:07:51 +00:00
Joshua Tauberer
75a75a6f84
admin: rename my ajax javascript function to ajax_with_indicator; see 79c57c2303
2015-09-04 18:40:56 -04:00
Joshua Tauberer
2e99589336
admin: fix jumpiness when a modal is shown (move overflow-y to body; make the navbar not fixed to top)
2015-09-04 22:21:10 +00:00
Joshua Tauberer
188b21dd36
bump bootstrap to 3.3.5 and jquery to 1.11.3 on the admin
2015-09-04 22:13:56 +00:00
Joshua Tauberer
0cf56e0aad
add a random password generator to the users page of the admin
2015-09-04 22:12:07 +00:00
Joshua Tauberer
c5082498ab
utils.py can't import non-standard modules because it is imported by migrate.py, which is run before anything is installed
...
closes #540
2015-08-30 13:50:34 -04:00
Richard Willis
ab59323813
Added a note about TXT record length limitations and how to construct the records to bypass the limitation
2015-08-28 15:50:02 +02:00
Joshua Tauberer
a56a9dc6a1
add Mail-in-a-Box version check to status checks
...
closes #502
2015-08-28 12:34:02 +00:00
Joshua Tauberer
bc790ea581
backups: make the instructions about the backup password file more prominent
2015-08-28 12:33:07 +00:00
Joshua Tauberer
dbfd158388
don't refresh the backup page when there's an error saving the config
2015-08-28 12:33:07 +00:00
Joshua Tauberer
2b1f7da654
S3 credentials for backup should not be displayed in the control panel, fixes #529
2015-08-28 12:33:07 +00:00
Joshua Tauberer
0c9d431a3f
major cleanup to adding new version check to the status checks
2015-08-28 12:29:55 +00:00
Norman Stanke
1a525df8ad
Add Mail-in-a-Box version status check.
2015-08-28 11:55:21 +00:00
Richard Willis
f26c0b71d2
Focus on fields in the login form
...
This just makes life a little easier...
Squashed the following commits:
* Use $.trim() for better browser support
2015-08-27 22:17:13 +02:00
Joshua Tauberer
a8074ae3e4
suppress some status output regarding new automatic aliases on first installation
2015-08-19 16:30:32 -04:00
Joshua Tauberer
cfc4e6b48b
automatic administrator aliases are probably not bidirectional because the administrator@ address is an alias and not a user
2015-08-19 16:06:09 -04:00
root
39270a8e35
fix problem with certificate verification on OpenVZ servers
2015-08-15 17:32:40 +02:00
Joshua Tauberer
8c08f957cd
bidirectional alias controls: a new permitted_senders column in the aliases table allows setting who can send as an address independently of where the address forwards to
...
But the default permitted senders are the same as the addresses the alias forwards to.
Merge branch 'dhpiggott-bidirectional-alias-controls'
2015-08-14 23:09:22 +00:00
Joshua Tauberer
5924d0fe0d
various cleanup related to the new permitted_senders column for aliases
2015-08-14 23:05:08 +00:00
Joshua Tauberer
848dea83ab
additional error handling for backups with an invalid target
2015-08-12 11:19:59 +00:00
Leo Koppelkamm
f96bef43cc
If no prefix is specified, set the path to '', otherwise boto won't list the files
2015-08-11 13:54:30 +02:00
Joshua Tauberer
f4e8ee0af9
html errors in the backup template, my bad
2015-08-09 20:34:08 +00:00
Joshua Tauberer
9ca116d545
add an option to disable backups
2015-08-09 20:15:43 +00:00
Joshua Tauberer
cdd3a64638
after-backup was run with the wrong environment
2015-08-09 20:08:33 +00:00
Joshua Tauberer
99e51f8a52
use boto to get actual file sizes of backup files when S3 is used
2015-08-09 20:08:33 +00:00
Joshua Tauberer
3b4b57c081
switching between backup options in the admin wasn't working at all
...
* going from s3 to file target wasn't working
* use 'local' in the config instead of a file: url, for the local target, so it is not path-specific
* break out the S3 fields since users can't be expected to know how to form a URL
* use boto to generate a list of S3 hosts
* use boto to validate that the user input for s3 is valid
* fix lots of html errors in the backup admin
2015-08-09 20:08:33 +00:00
Joshua Tauberer
c7f8ead496
clean up the new backup configuration panel
2015-08-09 20:08:30 +00:00
Joshua Tauberer
3f15879578
remove global variables in backup.py
2015-08-09 17:54:46 +00:00
Leo Koppelkamm
1cdd205eb7
Missed one max_age
2015-07-28 20:58:39 +02:00
Leo Koppelkamm
77099b3bce
Reword backup min_time label
2015-07-28 00:42:00 +02:00
Leo Koppelkamm
0d8a4099c1
Add placeholder attribute; use input instead of textarea
2015-07-28 00:37:48 +02:00
Leo Koppelkamm
606cf6a941
Fix API typo
2015-07-28 00:34:26 +02:00
Leo Koppelkamm
ba9065cada
Don't write collection_status output to file but parse it directly
2015-07-27 22:30:22 +02:00
Leo Koppelkamm
e693802091
Rename max_age to min_age
...
Also clarify a comment and remove an unneeded type check
2015-07-27 22:18:19 +02:00
Leo Koppelkamm
fa0dd684da
Add archive-dir argument to collection-status
2015-07-27 22:13:28 +02:00
Leo Koppelkamm
43fb7fe635
Remove unused variable
2015-07-27 22:11:43 +02:00
Leo Koppelkamm
91e4ea6e2f
Infer target_type from url
2015-07-27 22:09:58 +02:00
Leo Koppelkamm
1e3e34f15f
Make backup API RESTful
2015-07-27 22:00:36 +02:00
Leo Koppelkamm
2e6c410336
Make backups more configurable
...
Backup location and maximum age can now be configured in the admin panel.
For now only S3 is supported, but adding other duplicity supported backends should be straightforward.
2015-07-27 21:53:34 +02:00
Joshua Tauberer
0293e04311
fix control panel links, broken in Firefox (worked in Chrome)
...
see https://discourse.mailinabox.email/t/bug-present-for-ages/694/3
2015-07-25 14:12:45 +00:00
Joshua Tauberer
1900e512f2
improve the sort order of domains - siblings to the primary hostname were not sorted right
2015-07-21 11:25:11 +00:00
David Piggott
123ac4fd33
s/email/address/ in aliases UI variable names
...
This makes the frontend consistent with the backend.
2015-07-20 12:51:57 +01:00
David Piggott
423bb8e317
Fix remove-alias button breakage
2015-07-20 12:51:57 +01:00
David Piggott
e6ff280984
Store and set alias receivers and senders separately for maximum control
2015-07-20 12:51:57 +01:00
David Piggott
3fdfad27cd
Add support for bidirectional mail alias controls
...
This is an extension of #427. Building on that change it adds support in the
aliases table for flagging aliases as:
1. Applicable to inbound and outbound mail.
2. Applicable to inbound mail only.
3. Applicable to outbound mail only.
4. Disabled.
The aliases UI is also updated to allow administrators to set the direction of
each alias.
Using this extra information, the sqlite queries executed by Postfix are
updated so only the relevant alias types are checked.
The goal and result of this change is that outbound-only catch-all aliases can
now be defined (in fact catch-all aliases of any type can be defined).
This allows us to continue supporting relaying as described at
https://mailinabox.email/advanced-configuration.html#relay
without requiring that administrators either create regular aliases for each
outbound *relay* address, or that they create a catch-all alias and then face a
flood of spam.
I have tested the code as it is in this commit and fixed every issue I found,
so in that regard the change is complete. However I see room for improvement
in terms of updating terminology to make the UI etc. easier to understand.
I'll make those changes as subsequent commits so that this tested checkpoint is
not lost, but also so they can be rejected independently of the actual change
if not wanted.
2015-07-20 12:51:57 +01:00
Joshua Tauberer
d3bbc0ec95
bug in new secondary nameservers
...
forgot a 'continue' statement
see 216acb0eeb
fixes #497
2015-07-20 11:25:16 +00:00
Joshua Tauberer
541d9252f6
allow PEM files to have non-Unix line endings
2015-07-17 11:44:28 +00:00
PortableTech
415f95b792
Add TLSA record for HTTPS connections.
...
While not widely supported, there are some browser addons that can
validate DNSSEC and TLSA for additional out-of-band verification of
certificates when browsing the web. Costs nothing to implement and
might improve security in some situations.
2015-07-13 09:12:13 -04:00
Joshua Tauberer
5dd5fc4a1c
clean up multiple secondary nameservers and zone xfr ip addresses
2015-07-10 15:42:33 +00:00
Brian Bustin
09133c8f59
Initial backend changes to make it possible to have one or more secondary name servers
2015-07-10 14:59:38 +00:00
Joshua Tauberer
acd91665b5
setting an alias to forward to two or more addresses was broken since aa33428311
...
fixes #482
2015-07-04 15:28:45 +00:00
Joshua Tauberer
ff4780d5fb
better error handling of invalid PEM files
2015-07-03 14:00:59 +00:00
Joshua Tauberer
0924f8ca7a
allow for PEM private keys in the 'BEGIN PRIVATE KEY' format too
...
see https://discourse.mailinabox.email/t/another-upgrade-failure/630/5
2015-07-02 15:37:26 -04:00
Joshua Tauberer
e57e08088a
the control panel would not allow installing a certificate for a www redirect domain, fixes #475
2015-07-02 10:53:54 +00:00
Joshua Tauberer
42a506231b
don't automatically create the administrator@ alias (e.g. on first user creation) because we don't know what it should be an alias to (leave this to be resolved manually), fixes #470
...
Was broken by 462a79cf47.
2015-06-30 09:16:22 -04:00
Joshua Tauberer
e3252f53da
idna domains in certificate subject alternative names were not handled correctly after switching to cryptography package
2015-06-30 13:09:18 +00:00
Joshua Tauberer
aa33428311
some IDNA functionality was still using Python's built-in IDNA 2003 encoder rather than the idna package's IDNA 2008 encoder
2015-06-30 13:09:18 +00:00
Joshua Tauberer
5ef1cfbdc7
forgot new version.html template file
2015-06-25 17:43:50 +00:00
Joshua Tauberer
7527b4dc27
show the Mail-in-a-Box version in the control panel and a button to ping the MiaB website for the latest version
...
fixes #441
2015-06-25 13:43:11 +00:00
Joshua Tauberer
299a2315c1
dkim 2048 bits - migration and zone file generation changes
...
* Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.)
* Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings.
* When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec.
* Added a changelog entry.
2015-06-25 13:06:29 +00:00