Commit Graph

455 Commits

Author SHA1 Message Date
Joshua Tauberer 33d07b2b54 ownCloud moved their source code to a new location, breaking our installation script.
Fixes #741.
2016-03-01 07:23:16 -05:00
Joshua Tauberer f9ca440ce8 v0.17 2016-02-25 18:36:14 -05:00
Ángel Guzmán Maeso e785886447 Fix small typo in comments 2016-02-18 15:38:33 +01:00
Joshua Tauberer 86368ed165 clean up apt_install lines and comments in setup/management.sh 2016-02-18 06:59:38 -05:00
Joshua Tauberer 5e4c0ed825 Revert "install boto (py2) via the package manager, not pip (used by duplicity)"
This reverts commit b32cb6229b.

Fixes #627. Fixes #653. Closes #714.
2016-02-18 06:54:23 -05:00
Joshua Tauberer 098e250cc4 bump free_tls_certificates, fixes #695, if a challenge fails dont cache it permanently (or at all) 2016-02-16 09:08:58 -05:00
Joshua Tauberer 87d3f2641d merge #685 - tweak postfix mail queue/warn/bounce times 2016-02-15 18:44:56 -05:00
Joshua Tauberer c6c75c5a17 document the default values for delay_warning_time, maximal_queue_lifetime, bounce_queue_lifetime 2016-02-15 18:38:55 -05:00
Sony? 6182347641 spelling box->Box 2016-02-14 20:24:00 +01:00
Sony? 401b0526a3 Added a warning to the installation / setup script
See pull request #638 and issue #635 for more information.
2016-02-14 19:40:43 +01:00
Joshua Tauberer 8ea42847da nightly status checks could fail if any domains had non-ASCII characters
https://discourse.mailinabox.email/t/status-check-emails-empty-after-upgrading-to-v0-16/1082/3

A user on that thread suggests an alternate solution, adding `PYTHONIOENCODING=utf-8` to `/etc/environment`. Python docs say that affects stdin/out/err. But we also use these environment variables elsewhere to ensure that config files we read/write are opened with UTF8 too. Maybe all that can be simplified too.
2016-02-13 11:51:06 -05:00
Joshua Tauberer 77937df955 bind postfix to the right network interface when sending outbound mail so that SPF checks on the receiving end will pass
fixes #3 (again)
2016-02-01 12:36:52 -05:00
Joshua Tauberer 4db8efa0df bump Roundcube to 1.1.4 2016-02-01 12:31:42 -05:00
Joshua Tauberer 83ffc99b9c change the public URL of bootstrap.sh to setup.sh 2016-01-30 11:19:51 -05:00
Joshua Tauberer 3615772b2d v0.16 2016-01-30 11:15:14 -05:00
dofl 85a9a1608c Update mail-postfix.sh 2016-01-21 16:05:43 +01:00
dofl 2e693f7011 Update mail-postfix.sh
Updated according to Josh's latest reaction. Sounds good.
2016-01-21 08:38:39 +01:00
dofl 6f0220da4b Update mail-postfix.sh
Same result as maximal_queue_lifetime and bounce_queue_lifetime, but complies with rfc2821.
2016-01-20 15:34:22 +01:00
dofl 09a45b4397 Update mail-postfix.sh
The default timeout for Postfix's maximal_queue_lifetime and bounce_queue_lifetime is 5 days. This is way too long if you expect someone to have an answer and after 5 days you'll get the message that it's not delivered. This disrupts communication. It would be more responsive if the user got the 'can't deliver' error after 24 hours.
2016-01-20 13:25:41 +01:00
Joshua Tauberer faaa74c3a7 tls: hide extra reasons why domains aren't getting a new certificate during setup 2016-01-14 07:21:08 -05:00
Joshua Tauberer 5045e206c2 roundcube file ownership should not preserve uid/gid from the release tarball, tar (when run as root) should always extract using --no-same-owner, fixes #667 2016-01-09 09:17:45 -05:00
Joshua Tauberer 07f9228694 Merge branch 'letsencrypt' for automatic provisioning of TLS certificates from Let's Encrypt 2016-01-09 08:58:35 -05:00
Joshua Tauberer 50b5b91216 v0.15a
Sending mail through Exchange/ActiveSync (Z-Push) had been broken since v0.14. This is now fixed.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJWkQ9rAAoJELkgQfTBC92BPjQH/ibFBZHgma7C53Q4X9iPfUk2
 dPK75rNBx06d6yW4LNAYuWVnNO1Mb0khb2k2UPwg4noImYWqsNS9hXih7C6oPHiK
 Szz4ubCc5MEqnmhxiNkzLdIBvsyKmz8IfmCl+LCXu8uk0Fb+pB6zbSdAGxjtaSPL
 itCwz8+ApTC4bl1CoNYPn2zudHmHNeC7L6INYdb+xbtc/Tz6mO/xMaBVPDiKeq9P
 LqLTOXiJNENz7vKSZytlWGOTdtSTZqwd7JBXuBg0QFz5C9yg8EV4LWB9wOm5aTIf
 Fol3WK5ZHA5YeihZKmZSjz9+p4iwv5hqR5osKL2n46LeVHyafESl+QnZSXRlDjE=
 =i3ei
 -----END PGP SIGNATURE-----

Merge release branch v0.15a

v0.15a

Sending mail through Exchange/ActiveSync (Z-Push) had been broken since v0.14. This is now fixed.
2016-01-09 08:48:37 -05:00
Joshua Tauberer 72bfc0915c v0.15a (January 9, 2016)
Sending mail through Exchange/ActiveSync (Z-Push) had been broken since v0.14. This is now fixed.
2016-01-09 08:44:51 -05:00
Joshua Tauberer b6933a73fa provision and install free SSL certificates from Let's Encrypt 2016-01-04 18:43:16 -05:00
Chloride Cull d6d5009d23 Fix typos in questions.sh
sed s/supress/suppress/g
sed s/depencies/dependencies/g
2016-01-03 16:48:23 +01:00
Joshua Tauberer 06a0e7f3fe merge #584 - Add checks to the management interface to report memory usage 2016-01-01 18:13:21 -05:00
Joshua Tauberer f184a74fa0 merge #647 - open the port for Sieve 2016-01-01 17:53:40 -05:00
Joshua Tauberer 3fbbf56986 v0.15 (January 1, 2016)
-----------------------

Mail:

* Updated Roundcube to version 1.1.3.
* Auto-create aliases for abuse@, as required by RFC2142.
* The DANE TLSA record is changed to use the certificate subject public key rather than the whole certificate, which means the record remains valid after certificate changes (so long as the private key remains the same, which it does for us).

Control panel:

* When IPv6 is enabled, check that system services are accessible over IPv6 too, that the box's hostname resolves over IPv6, and that reverse DNS is setup correctly for IPv6.
* Explanatory text for setting up secondary nameserver is added/fixed.
* DNS checks now have a timeout in case a DNS server is not responding, so the checks don't stall indefinitely.
* Better messages if external DNS is used and, weirdly, custom secondary nameservers are set.
* Add POP to the mail client settings documentation.
* The box's IP address is added to the fail2ban whitelist so that the status checks don't trigger the machine banning itself, which results in the status checks showing services down even though they are running.
* For SSL certificates, rather than asking you what country you are in during setup, ask at the time a CSR is generated. The default system self-signed certificate now omits a country in the subject (it was never needed). The CSR_COUNTRY Mail-in-a-Box setting is dropped entirely.

System:

* Nightly backups and system status checks are now moved to 3am in the system's timezone.
* fail2ban's recidive jail is now active, which guards against persistent brute force login attacks over long periods of time.
* Setup (first run only) now asks for your timezone to set the system time.
* The Exchange/ActiveSync server is now taken offline during nightly backups (along with SMTP and IMAP).
* The machine's random number generator (/dev/urandom) is now seeded with Ubuntu Pollinate and a blocking read on /dev/random.
* DNSSEC key generation during install now uses /dev/urandom (instead of /dev/random), which is faster.
* The $STORAGE_ROOT/ssl directory is flattened by a migration script and the system SSL certificate path is now a symlink to the actual certificate.
* If ownCloud sends out email, it will use the box's administrative address now (admin@yourboxname).
* Z-Push (Exchange/ActiveSync) logs now exclude warnings and are now rotated to save disk space.
* Fix pip command that might have not installed all necessary Python packages.
* The control panel and backup would not work on Google Compute Engine because GCE installs a conflicting boto package.
* Added a new command `management/backup.py --restore` to restore files from a backup to a target directory (command line arguments are passed to `duplicity restore`).
2016-01-01 17:47:18 -05:00
Ralph J.Mayer afd401c3d4 Allow remote client for Sieve 2015-12-31 18:22:31 +01:00
Joshua Tauberer d53332b7cf drop the CSR_COUNTRY setting and ask within the control panel 2015-12-26 11:48:23 -05:00
Joshua Tauberer 4305a71916 merge #587 - move backup and nightly status checks to 3am in system time
previously these were run in a cron.daily script which per crontab is run at 6:25 am local time
2015-12-26 08:42:58 -05:00
Joshua Tauberer a4d8e12fd7 clean up the backup time patch: dont choose timezone here, move status checks into the same 3am script 2015-12-26 08:41:37 -05:00
Joshua Tauberer e4a4b47fac setup now asks for and sets the system timezone
closes #294
see #328
maybe related to #235
2015-12-26 08:08:08 -05:00
BuildTools 8a35905d2e add timezone selection 2015-12-23 17:29:13 -05:00
Scott Bronson 6336cc6452 tiny tweaks to make the bash slightly more readable 2015-12-22 12:33:26 -08:00
Scott Bronson fe9ed3f70d don't install bind9-host when setting hostname
also remove an incorrect comment
2015-12-07 10:21:51 -08:00
Joshua Tauberer 20e11bbab3 fail2ban: whitelist our machine's public ip address so status checks dont cause bans of the machine itself 2015-12-07 08:45:59 -05:00
Joshua Tauberer c422543fdd make the system SSL certificate a symlink so we never have to replace a certificate file, and flatten the directory structure of user-installed certificates 2015-11-29 02:02:01 +00:00
Joshua Tauberer b32cb6229b install boto (py2) via the package manager, not pip (used by duplicity) 2015-11-26 14:20:59 +00:00
Michael Kroes 59f8aa1c31 Add checks to the management interface to report memory usage 2015-11-20 01:48:59 -05:00
Joshua Tauberer bbf78716fd during setup suppress the status line about generating an SSL certificate if we already have it 2015-11-19 07:00:33 -05:00
Joshua Tauberer b9820641aa when generating the initial self-signed cert, dont keep the CSR - it has no use after this step 2015-11-19 07:00:33 -05:00
Joshua Tauberer 8c00556bab use /dev/urandom for roundcube/owncloud key generation, see #596, partially reverts #115 (69f0e1d07a) 2015-11-19 07:00:33 -05:00
Joshua Tauberer 16d148a8a9 use /dev/urandom for DNSSEC key generation, fixes #596, partially reverts #115 (69f0e1d07a) 2015-11-19 07:00:33 -05:00
Joshua Tauberer e8264e9b6a ensure /dev/urandom is seeded with a blocking call to /dev/random and using Ubuntu's pollinate servers 2015-11-19 07:00:33 -05:00
Joshua Tauberer 4f2b223070 add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random
see #596
2015-11-19 07:00:32 -05:00
Joshua Tauberer 05e128cafb the >'s in pip install package names might be interpreted as shell redirects and was creating files name '=1.0.0' '=2.0.0' and '=1.0.2' (I'm not sure how this was ever working) 2015-11-19 07:00:32 -05:00
Norman Stanke ec20d657ba Change Z-Push log level to error 2015-11-18 21:39:17 +01:00
yodax c28065cc56 Add log rotation to z-push 2015-11-17 09:27:05 -05:00