anoma 
							
						 
					 
					
						
						
						
						
							
						
						
							b2eaaeca4b 
							
						 
					 
					
						
						
							
							Revert to default 6 ssh/ddos login attempts  
						
						
						
						
						No legitimate admin will require 20 login attempts. The default 6 is a sane middle ground, especially since in 10 minutes they can try again or immediately from another IP anyway.
						
					 
					
						2015-07-02 10:23:48 +01:00 
						 
				 
			
				
					
						
							
							
								anoma 
							
						 
					 
					
						
						
						
						
							
						
						
							e2d9a523c3 
							
						 
					 
					
						
						
							
							Cleanup blank lines, comments and whitespace to make it easier to follow  
						
						
						
					 
					
						2015-07-02 10:19:37 +01:00 
						 
				 
			
				
					
						
							
							
								anoma 
							
						 
					 
					
						
						
						
						
							
						
						
							11df1e4680 
							
						 
					 
					
						
						
							
							Unnecessary config item, inherited from default jail.conf  
						
						
						
					 
					
						2015-07-02 10:10:50 +01:00 
						 
				 
			
				
					
						
							
							
								anoma 
							
						 
					 
					
						
						
						
						
							
						
						
							53d5542402 
							
						 
					 
					
						
						
							
							Revert to default 600 second ban time  
						
						
						
						
						A 60 second/1 minute ban time is not long enough to counter brute force attacks which is the main purpose of fail2ban for mail in a box. The default bantime of 10 minutes is still sane and I think we have proven fail2ban is reliable enough not to cause problems in general. It is not worth sacrificing security for the rare case where an admin locks themselves out for 10 minutes. 
						
					 
					
						2015-07-02 10:08:50 +01:00 
						 
				 
			
				
					
						
							
							
								anoma 
							
						 
					 
					
						
						
						
						
							
						
						
							bfda3f40b9 
							
						 
					 
					
						
						
							
							Unnecessary config item, inherited from default jail.conf  
						
						
						
					 
					
						2015-07-02 09:55:59 +01:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							53f84a8092 
							
						 
					 
					
						
						
							
							set ssl_stapling_verify back to on, reverts part of  47de93961e 
						
						
						
						
						The sslmate guidance changed. See #458 . 
						
					 
					
						2015-06-27 07:14:16 -04:00 
						 
				 
			
				
					
						
							
							
								Marc Schiller 
							
						 
					 
					
						
						
						
						
							
						
						
							0cc20cbb97 
							
						 
					 
					
						
						
							
							Fixed a bug where autoconfiguration for Z-Push fails due to case of URL.  
						
						
						
					 
					
						2015-06-25 11:56:33 +02:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							be2b5a62de 
							
						 
					 
					
						
						
							
							ownCloud updated to version 8.0.4  
						
						
						
					 
					
						2015-06-14 16:04:07 +00:00 
						 
				 
			
				
					
						
							
							
								bizonix 
							
						 
					 
					
						
						
						
						
							
						
						
							2c90c267bd 
							
						 
					 
					
						
						
							
							fix loop redirecting  
						
						
						
						
						server is redirecting the request for this address in a way that will never complete 
						
					 
					
						2015-06-07 21:50:41 +03:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							47de93961e 
							
						 
					 
					
						
						
							
							OCSP improvements  
						
						
						
						
						* Set ssl_stapling_verify to off per https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx  ('on' has no security benefits).
* Set resolver to 127.0.0.1, instead of Google Public DNS, because we might as well use our local nameserver anyway.
* Remove the commented line which per the link above would never be necessary anyway.
OCSP seems to work just fine after these changes. 
						
					 
					
						2015-06-06 23:24:09 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5008cc603e 
							
						 
					 
					
						
						
							
							merge - munin system monitoring  
						
						
						
					 
					
						2015-06-06 12:52:22 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							95173bb327 
							
						 
					 
					
						
						
							
							provide redirects from www subdomains of zones to their parent domain  
						
						
						
						
						* Split the nginx templates again so we have just the part needed to make a domain do a redirect separate from the rest.
* Add server blocks to the nginx config for these domains.
* List these domains in the SSL certificate install admin panel.
* Generate default 'www' records just for domains we provide default redirects for.
Fixes  #321 . 
						
					 
					
						2015-06-04 12:19:01 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							a0e6c7ceb6 
							
						 
					 
					
						
						
							
							fix downloading dotfiles through ownCloud's webdav  
						
						
						
						
						fixes  #414  
					
						2015-05-30 18:03:37 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							a9ed9ae936 
							
						 
					 
					
						
						
							
							more work on munin  
						
						
						
						
						* install the munin-node package
* don't install munin-plugins-extra (if the user wants it they can add it)
* expose the munin www directory via the management daemon so that it can handle authorization, rather than maintaining a separate password file
						
					 
					
						2015-05-25 17:03:52 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ce94ef38b2 
							
						 
					 
					
						
						
							
							anonymize X-Pgp-Agent, Mime-Version outgoing mail headers;  fixes   #342  
						
						
						
						
						I don't have a mail client that sets Mime-Version with a user agent string so I couldn't really test. 
						
					 
					
						2015-05-03 14:03:59 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6bb8f5d889 
							
						 
					 
					
						
						
							
							ownCloud 8 busted MOD_X_ACCEL_REDIRECT_ENABLED  
						
						
						
						
						see https://github.com/owncloud/core/issues/14976 
We will need to update when ownCloud makes this better with MOD_X_ACCEL_REDIRECT_PREFIX.
See https://discourse.mailinabox.email/t/owncloud-can-not-read-uploaded-data/428 . 
						
					 
					
						2015-04-20 22:18:45 +00:00 
						 
				 
			
				
					
						
							
							
								H8H 
							
						 
					 
					
						
						
						
						
							
						
						
							c443524ee2 
							
						 
					 
					
						
						
							
							Configure fail2ban jails to prevent dumb brute-force attacks against postfix, dovecot and ssh. See  #319  
						
						
						
					 
					
						2015-03-08 01:13:55 +01:00 
						 
				 
			
				
					
						
							
							
								BiZoNiX 
							
						 
					 
					
						
						
						
						
							
						
						
							e14b2826e0 
							
						 
					 
					
						
						
							
							Disable viewing dotfiles (.htaccess, .svn, .git, etc.)  
						
						
						
					 
					
						2015-02-09 19:41:42 +02:00 
						 
				 
			
				
					
						
							
							
								ikarus 
							
						 
					 
					
						
						
						
						
							
						
						
							3a09b04786 
							
						 
					 
					
						
						
							
							hide nginx version and OS information for better privacy.
						
						
						
					 
					
						2015-02-01 20:13:03 +01:00 
						 
				 
			
				
					
						
							
							
								ikarus 
							
						 
					 
					
						
						
						
						
							
						
						
							e330abd587 
							
						 
					 
					
						
						
							
							do better redirection from http to https  
						
						
						
						
						Redirect using the 'return' directive and the built-in
variable '$request_uri' to avoid any capturing, matching
or evaluation of regular expressions.
It's best practice. See: http://wiki.nginx.org/Pitfalls#Taxing_Rewrites  
						
					 
					
						2015-02-01 01:32:07 +01:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b9ca74c915 
							
						 
					 
					
						
						
							
							implement Mozilla (e.g. Thunderbird) autoconfiguration file  
						
						
						
						
						fixes  #241  
					
						2015-01-31 21:33:18 +00:00 
						 
				 
			
				
					
						
							
							
								H8H 
							
						 
					 
					
						
						
						
						
							
						
						
							6efeff6fce 
							
						 
					 
					
						
						
							
							[Z-Push] Owncloud doesn't support CARDDAV_SUPPORTS_SYNC, so set it to false
						
						
						
					 
					
						2014-12-29 16:35:47 +01:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							31d6128a2b 
							
						 
					 
					
						
						
							
							nginx: explicitly listen on both ipv4 and ipv6 (works even if ipv6 isn't present)  
						
						
						
					 
					
						2014-11-30 14:41:30 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							06f2477cfd 
							
						 
					 
					
						
						
							
							the new iOS configuration profile also is used on OS X 10.10.1, see  #261  
						
						
						
					 
					
						2014-11-18 16:32:37 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							cdaa2c847d 
							
						 
					 
					
						
						
							
							[merge] iOS Mobile Configuration Profile  
						
						
						
					 
					
						2014-11-14 13:56:18 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b04addda9a 
							
						 
					 
					
						
						
							
							move the mobileconfig into the conf directory as a plain XML file and handle substitutions and copying to /var in web.sh  
						
						
						
					 
					
						2014-11-14 13:52:29 +00:00 
						 
				 
			
				
					
						
							
							
								Norman 
							
						 
					 
					
						
						
						
						
							
						
						
							5775cab175 
							
						 
					 
					
						
						
							
							various fixes  
						
						
						
					 
					
						2014-11-06 15:33:08 +01:00 
						 
				 
			
				
					
						
							
							
								David Piggott 
							
						 
					 
					
						
						
						
						
							
						
						
							be9d97902f 
							
						 
					 
					
						
						
							
							Disable encapsulation of spam and marking of it as seen  
						
						
						
					 
					
						2014-10-28 15:15:21 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							20c5471a89 
							
						 
					 
					
						
						
							
							expose the ownCloud API,  fixes   #240 ,  fixes   #242  
						
						
						
					 
					
						2014-10-28 12:05:07 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6585384daa 
							
						 
					 
					
						
						
							
							bring the max outgoing mail size via webmail and z-push in line with the limit set in postfix: 128 MB  
						
						
						
						
						The limit was previously the nginx default (2MB?).
fixes  #236  
						
					 
					
						2014-10-16 22:11:10 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8566b78202 
							
						 
					 
					
						
						
							
							drop webfinger, see  #95  
						
						
						
					 
					
						2014-10-07 20:30:36 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							d9ecc50119 
							
						 
					 
					
						
						
							
							since the management server binds to 127.0.0.1, must use that and not 'localhost' to connect to it because 'localhost' resolves to the IPv6 ::1 when it is available, see  #224  
						
						
						
					 
					
						2014-10-05 09:01:26 -04:00 
						 
				 
			
				
					
						
							
							
								h8h 
							
						 
					 
					
						
						
						
						
							
						
						
							ba33669a62 
							
						 
					 
					
						
						
							
							generate the locales before changing to it.
						
						
						
						
						For my German box changing the locale failed:
```
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
setup/functions.sh: line 6: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
```
see #206 and 4e6d572de9
closes #220
commit modified by joshdata 
						
					 
					
						2014-10-02 11:05:42 +00:00 
						 
				 
			
				
					
						
							
							
								jkaberg 
							
						 
					 
					
						
						
						
						
							
						
						
							68efef1164 
							
						 
					 
					
						
						
							
							don't log robots.txt and favicon.ico. we should REALLY consider creating separate include files for *all* of our "apps", this is getting messy..
						
						
						
					 
					
						2014-09-27 17:04:05 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6ecada7eed 
							
						 
					 
					
						
						
							
							Merge commit '93a722f'  
						
						
						
					 
					
						2014-09-27 16:56:38 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							39bca053ed 
							
						 
					 
					
						
						
							
							add 2048 bits of DH params for nginx, postfix, dovecot  
						
						
						
						
						nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own.
ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.)
see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3  
						
					 
					
						2014-09-26 22:09:22 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							4e6d572de9 
							
						 
					 
					
						
						
							
							ensure Python operates in UTF-8 with a consistent locale for all users  
						
						
						
						
						fixes  #206  (hopefully) 
					
						2014-09-26 08:26:09 -04:00 
						 
				 
			
				
					
						
							
							
								jkaberg 
							
						 
					 
					
						
						
						
						
							
						
						
							93a722f85b 
							
						 
					 
					
						
						
							
							ownCloud (which is based on SabreDAV) supports sync
						
						
						
					 
					
						2014-09-10 21:22:56 +02:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f77f1e656c 
							
						 
					 
					
						
						
							
							split CardDAV instructions into a new page and add CalDAV instructions; create nice redirects at /cloud/calendar and /cloud/contacts
						
						
						
					 
					
						2014-09-03 10:51:19 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							24ff0e04b1 
							
						 
					 
					
						
						
							
							output/text tweaks  
						
						
						
					 
					
						2014-08-27 14:42:00 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							aa3bc3225e 
							
						 
					 
					
						
						
							
							expose the control panel only on PRIMARY_HOSTNAME since /admin might conflict with other stuff hosted on other domains  
						
						
						
					 
					
						2014-08-27 02:38:43 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							df20d447a9 
							
						 
					 
					
						
						
							
							add an api for setting custom DNS records  
						
						
						
						
						Works like this:
```
curl -d "" --user email:password https://.../admin/dns/set/qname/rtype/value
```
where the rtype and value default to "A" and the remote IP address of the request, so that a simple, empty POST to
```
https://.../admin/dns/set/desktop.mydomain.com
```
will point desktop.mydomain.com to the caller's IPv4 address.
closes  #140  
						
					 
					
						2014-08-23 23:03:45 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							a0b056ae29 
							
						 
					 
					
						
						
							
							put a sterner warning in nginx local.conf about not modifying it  
						
						
						
					 
					
						2014-08-23 12:35:59 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							a501256fb9 
							
						 
					 
					
						
						
							
							fix the include path for our second use of z-push  
						
						
						
					 
					
						2014-08-19 15:07:55 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							80a05c3bbf 
							
						 
					 
					
						
						
							
							short_open_tag=Off was mistakenly left in the earlier merge (was a fix for my old autodiscover.php but not needed with z-push), also regrouping the nginx directive to be near the rest of Z-Push  
						
						
						
					 
					
						2014-08-19 12:07:54 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b6dd407aa7 
							
						 
					 
					
						
						
							
							z-push autodiscover should use the primary hostname for the mail server and not the domain part of the email address (both may work, but the primary hostname is more likely to have a signed SSL cert)  
						
						
						
					 
					
						2014-08-19 11:49:20 +00:00 
						 
				 
			
				
					
						
							
							
								jkaberg 
							
						 
					 
					
						
						
						
						
							
						
						
							9a1989357c 
							
						 
					 
					
						
						
							
							some makeup  
						
						
						
					 
					
						2014-08-19 13:17:13 +02:00 
						 
				 
			
				
					
						
							
							
								jkaberg 
							
						 
					 
					
						
						
						
						
							
						
						
							a0df18506b 
							
						 
					 
					
						
						
							
							use z-push autodiscover instead
						
						
						
					 
					
						2014-08-19 13:03:44 +02:00 
						 
				 
			
				
					
						
							
							
								jkaberg 
							
						 
					 
					
						
						
						
						
							
						
						
							f7d2dfd1c0 
							
						 
					 
					
						
						
							
							xml generation fails when short_open_tag is on  
						
						
						
					 
					
						2014-08-19 11:27:50 +02:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							92acef9b87 
							
						 
					 
					
						
						
							
							fix PHP path for Z-Push so it can see libawl-php  
						
						
						
						
						broken in 04454b35c6
						fixes #143
						
					 
					
						2014-08-17 22:53:46 +00:00