e29e3a5cba
fix QUERY_STRING to only have the image request
2019-03-03 19:23:58 +02:00
6883a60f5d
load images as base64
2019-03-03 19:15:59 +02:00
dce4058705
process images returned from mailgraph
2019-03-03 00:34:41 +02:00
5ffa71999a
work on the daemon for mailgraph
2019-03-02 20:47:54 +02:00
fefb5ebc33
more work on control panel integration
2019-03-02 20:16:39 +02:00
fc1f211af5
initial work on extended configuration
2019-02-10 23:39:38 +02:00
7874683618
Add percentage used and update tools/mail.py to set quotas
2019-02-01 15:36:27 +02:00
70c607e256
more default quota work
2019-01-31 23:58:10 +02:00
d1906bd055
Add support for a default quota value and allow setting quota when adding user
2019-01-31 22:57:04 +02:00
8bd9cf38ab
Use tabs for indentation
2019-01-29 23:31:56 +02:00
ccad47937e
Add components to user interface for setting quotas
2019-01-28 23:27:03 +02:00
870b82637a
fix some wrong variable names, fixes #1353
2018-11-30 10:46:54 -05:00
b05b06c74a
remove user account mailbox size from the control panel because it takes way too long to compute on very large mailboxes
...
fixes #531
2018-11-30 10:46:54 -05:00
2a72c800f6
replace free_tls_certificates with certbot
2018-06-29 16:46:21 -04:00
0088fb4553
install Python 3 packages in a virtualenv
...
The cryptography package has created all sorts of installation trouble over the last few years, probably because of mismatches between OS-installed packages and pip-installed packages. Using a virtualenv for all Python packages used by the management daemon should make sure everything is consistent.
See #1298 , see #1264 .
2018-01-15 13:27:04 -05:00
35a360ef0b
simplify how munin-cgi-graph is called to reduce the attack surface area
...
Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
2016-08-19 12:42:43 -04:00
01fa8cf72c
add fail2ban jails for ownCloud, postfix submission, roundcube, and the Mail-in-a-Box management daemon
...
(tests squashed into this commit by josh)
2016-06-06 09:13:10 -04:00
f292e8fc5b
Add generic login failed message
2016-03-26 14:06:43 +01:00
5edefbec27
merge #735 - Allow a server to be rebooted when a reboot is required
2016-03-23 16:39:40 -04:00
67555679bd
move the reboot button, fix grammar, refactor check for DRY, add changelog entry
2016-03-23 16:37:15 -04:00
546d6f0026
merge #674 - Support munin's cgi dynazoom
2016-03-23 16:10:30 -04:00
bd86d44c8b
simplify the munin_cgi wrapper / add changelog entry
2016-03-23 16:09:19 -04:00
b71ad85e9f
Restore an empty line
2016-02-26 09:51:22 +01:00
8ea2f5a766
Allow a server to be rebooted when a reboot is required
2016-02-25 21:56:27 +01:00
721730f0e8
Create a temporary multiprocessing pool
2016-02-23 06:32:01 +01:00
0843159fb4
Reduce number of processes in the pool to 5
2016-02-22 17:38:30 +01:00
6b408ef824
Use utils.shell instead of subprocess.Popen
2016-01-14 10:24:04 -05:00
8932aaf4ef
needed libcgi-fast-perl and chown log files
2016-01-13 23:55:45 -05:00
6d6f3ea391
Added ability to use munin's dynazoom
2016-01-13 22:20:33 -05:00
2882e63dd8
second part of provisioning tls certificates from the control panel
2016-01-04 18:43:17 -05:00
b8d6226a9a
when provisioning tls certs from the command line, specify domain names as command line arguments to force getting certs for those domains
2016-01-04 18:43:17 -05:00
bac15d3919
provision tls certificates from the control panel
2016-01-04 18:43:16 -05:00
e288d7730b
backups: trap an error that occurs as early as getting the current backup status
2016-01-04 18:43:02 -05:00
d53332b7cf
drop the CSR_COUNTRY setting and ask within the control panel
2015-12-26 11:48:23 -05:00
808522d895
merge functions get_web_domains and get_default_www_redirects
2015-11-29 14:46:08 +00:00
766b98c4ad
refactor: move SSL-related management functions into a new module ssl_certificates.py
2015-11-29 13:59:22 +00:00
cf33be4596
fix boto 2 conflict on Google Compute Engine instances
...
GCE installs some Python-2-only boto plugin that conflicts with boto running under Python 3. It gives a SyntaxError in /usr/share/google/boto/boto_plugins/compute_auth.py (https://github.com/GoogleCloudPlatform/compute-image-packages ).
Disabling boto's default configuration file prior to importing boto so that GCE's plugin is not loaded.
See https://discourse.mailinabox.email/t/500-internal-server-error-for-admin/942 .
2015-11-26 14:51:44 +00:00
787beab63f
choose the best SSL cert from among the installed certificates; use the server certificate instead of self-signed certificates
...
For HTTPS for the non-primary domains, instead of selecting an SSL certificate by expecting it to be in a directory named after the domain name (with special-case lookups
for www domains, and reusing the server certificate where possible), now scan all of the certificates that have been installed and just pick the best to use for each domain.
If no certificate is available, don't create a self-signed certificate anymore. This wasn't ever really necessary. Instead just use the server certificate.
2015-09-18 13:25:18 +00:00
a56a9dc6a1
add Mail-in-a-Box version check to status checks
...
closes #502
2015-08-28 12:34:02 +00:00
2b1f7da654
S3 credentials for backup should not be displayed in the control panel, fixes #529
2015-08-28 12:33:07 +00:00
0c9d431a3f
major cleanup to adding new version check to the status checks
2015-08-28 12:29:55 +00:00
1a525df8ad
Add Mail-in-a-Box version status check.
2015-08-28 11:55:21 +00:00
8c08f957cd
bidirectional alias controls: a new permitted_senders column in the aliases table allows setting who can send as an address independently of where the address forwards to
...
But the default permitted senders are the same as the addresses the alias forwards to.
Merge branch 'dhpiggott-bidirectional-alias-controls'
2015-08-14 23:09:22 +00:00
5924d0fe0d
various cleanup related to the new permitted_senders column for aliases
2015-08-14 23:05:08 +00:00
3b4b57c081
switching between backup options in the admin wasn't working at all
...
* going from s3 to file target wasn't working
* use 'local' in the config instead of a file: url, for the local target, so it is not path-specific
* break out the S3 fields since users can't be expected to know how to form a URL
* use boto to generate a list of S3 hosts
* use boto to validate that the user input for s3 is valid
* fix lots of html errors in the backup admin
2015-08-09 20:08:33 +00:00
3f15879578
remove global variables in backup.py
2015-08-09 17:54:46 +00:00
1cdd205eb7
Missed one max_age
2015-07-28 20:58:39 +02:00
91e4ea6e2f
Infer target_type from url
2015-07-27 22:09:58 +02:00
1e3e34f15f
Make backup API RESTful
2015-07-27 22:00:36 +02:00
2e6c410336
Make backups more configurable
...
Backup location and maximum age can now be configured in the admin panel.
For now only S3 is supported, but adding other duplicity supported backends should be straightforward.
2015-07-27 21:53:34 +02:00
423bb8e317
Fix remove-alias button breakage
2015-07-20 12:51:57 +01:00
e6ff280984
Store and set alias receivers and senders separately for maximum control
2015-07-20 12:51:57 +01:00
3fdfad27cd
Add support for bidirectional mail alias controls
...
This is an extension of #427 . Building on that change it adds support in the
aliases table for flagging aliases as:
1. Applicable to inbound and outbound mail.
2. Applicable to inbound mail only.
3. Applicable to outbound mail only.
4. Disabled.
The aliases UI is also updated to allow administrators to set the direction of
each alias.
Using this extra information, the sqlite queries executed by Postfix are
updated so only the relevant alias types are checked.
The goal and result of this change is that outbound-only catch-all aliases can
now be defined (in fact catch-all aliases of any type can be defined).
This allow us to continue supporting relaying as described at
https://mailinabox.email/advanced-configuration.html#relay
without requiring that administrators either create regular aliases for each
outbound *relay* address, or that they create a catch-all alias and then face a
flood of spam.
I have tested the code as it is in this commit and fixed every issue I found,
so in that regard the change is complete. However I see room for improvement
in terms of updating terminology to make the UI etc. easier to understand.
I'll make those changes as subsequent commits so that this tested checkpoint is
not lost, but also so they can be rejected independently of the actual change
if not wanted.
2015-07-20 12:51:57 +01:00
5dd5fc4a1c
clean up multiple secondary nameservers and zone xfr ip addresses
2015-07-10 15:42:33 +00:00
09133c8f59
Initial backend changes to make it possible to have one or more secondary name servers
2015-07-10 14:59:38 +00:00
7527b4dc27
show the Mail-in-a-Box version in the control panel and a button to ping the MiaB website for the latest version
...
fixes #441
2015-06-25 13:43:11 +00:00
5008cc603e
merge - munin system monitoring
2015-06-06 12:52:22 +00:00
e9e6d94e3b
the control panel auth hmac message should also include the user's password so that resetting a password in the database forces that user to log in to the control panel again; also use a sha256 hmac
2015-06-06 12:38:19 +00:00
a9ed9ae936
more work on munin
...
* install the munin-node package
* don't install munin-plugins-extra (if the user wants it they can add it)
* expose the munin www directory via the management daemon so that it can handle authorization, rather than manintaining a separate password file
2015-05-25 17:03:52 +00:00
1e9c587b92
rewrite the DNS API to permit setting multiple records of the same type on the same domain
...
e.g. multiple TXT records
fixes #333
2015-05-03 13:43:38 +00:00
9f1d633ae4
re-do the custom DNS get/set routines so it is possible to store more than one record for a qname-rtype pair, like multiple TXT records
2015-05-03 13:43:38 +00:00
f01189631a
management api: make json responses nicely formatted
...
Better while debugging.
2015-05-03 13:43:38 +00:00
2f8866ef32
if there are no users at all the warning on the control panel login screen was incorrect
2015-04-28 07:17:21 -04:00
4d22fb9b2a
run status checks each night and email the administrator with the changes from the previous day's results
2015-03-21 16:02:42 +00:00
7ec662c83f
status checks: use a worker pool that lives across flask requests, see #327
2015-02-18 16:42:33 +00:00
3c50c9a18b
when serving a 'www.' domain, check if the parent domain's ssl certificate can be used besides checking PRIMARY_HOSTNAME
...
Removing buy_certificate.py which is not working and I don't want to update its call signatures.
2015-02-17 00:42:25 +00:00
1039a08be6
/admin login now issues a user-specific key for future calls (rather than providing the system-wide API key or passing the password on each request)
2015-01-31 20:42:43 +00:00
023b38df50
split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism
...
This was done to pave the way for two-factor authentication, but that's still a ways off.
2015-01-31 20:41:41 +00:00
3187053b3a
dont save the CSR generated to make self-signed certificates for non-primary domains (it has no value and might be confusing)
2015-01-31 13:27:06 +00:00
90592bb157
add a control panel for setting custom dns records so that we dont have to use the api manually
2014-12-21 11:31:24 -05:00
17331e7d82
adding a really slick ssl certificate installation form in the control panel
2014-10-10 15:49:14 +00:00
0441a2e2e3
make a self-signed certificate on a non-primary domain a warning rather than an error, fixes #95
2014-10-07 20:41:07 +00:00
06a8ce1c9d
in the admin, show user mailbox sizes, fixes #210
2014-10-07 20:24:11 +00:00
443b084a17
in the admin, group aliases by domain, fixes #211
2014-10-07 19:47:46 +00:00
990649af2d
in the admin, group users by domain, fixes 209
2014-10-07 19:47:43 +00:00
6ab29c3244
add instructions for static web hosting into the control panel
2014-10-07 16:05:42 +00:00
f42a1c5a74
allow overriding the second nameserver with a secondary/slave server
...
fixes #151
fixes #223
2014-10-05 14:53:42 +00:00
d9ecc50119
since the management server binds to 127.0.0.1, must use that and not 'localhost' to connect to it because 'localhost' resolves to the IPv6 ::1 when it is available, see #224
2014-10-05 09:01:26 -04:00
846768efcb
admin: update user's password from the admin
2014-09-21 17:24:01 +00:00
1637153566
make the DNS API a little clearer
2014-09-21 13:37:30 +00:00
3853e8dd93
show the status of backups in the control panel
2014-09-01 13:06:53 +00:00
9b8d85de45
if there are no admins when trying to access the control panel, tell the user how to make an admin from SSH
2014-08-26 11:31:45 +00:00
df20d447a9
add an api for setting custom DNS records
...
Works like this:
```curl -d "" --user email:password https://.../admin/dns/set/qname/rtype/value ```
where the rtype and value default to "A" and the remote IP address of the request, so that a simple, empty POST to
```https://.../admin/dns/set/desktop.mydomain.com ```
will point desktop.mydomain.com to the caller's IPv4 address.
closes #140
2014-08-23 23:03:45 +00:00
2d5097345a
move the package update check into the system status checks
2014-08-21 11:24:40 +00:00
294d19e0af
rename whats_next.py to status_checks.py
2014-08-21 10:43:55 +00:00
b30d7ad80a
web-based administrative UI
...
closes #19
2014-08-17 22:46:06 +00:00
b56f82cb92
make a privileges column in the users table and mark the first user as an admin
2014-08-08 12:31:22 +00:00
30178ef019
add a --force flag to dns_update
2014-08-01 12:05:34 +00:00
9e63ec62fb
Cleanup: remove env dependency
2014-06-22 08:55:19 -04:00
554a28479f
Merge remote-tracking branch 'upstream/master' into mgmt-auth
...
Conflicts:
management/daemon.py
2014-06-21 21:29:25 -04:00
067052d4ea
Add key-based authentication to management service
...
Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service.
2014-06-21 23:42:48 +00:00
53e15eae15
Tell Flask to log to syslog
...
- Writes Flask warnings and errors to `/var/log/syslog`
- Helps to debug issues when running in production
2014-06-21 23:25:35 +00:00
5faa1cae71
manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for
2014-06-20 01:55:12 +00:00
33f06f29c1
let the user override some DNS records
2014-06-17 22:21:51 +00:00
88709506f8
add DNSSEC
...
* sign zones
* in a cron job, periodically re-sign zones because they expire (not tested)
2014-06-17 22:21:12 +00:00
cecda9cec5
management: shell out external programs in a more secure way
2014-06-09 08:09:45 -04:00
6194c63f76
add management comments for checking for updated Ubuntu packages and applying updates
2014-06-05 20:57:30 +00:00
89730bd643
new backup script, see #11
2014-06-03 21:16:38 +00:00
c54b0cbefc
move management into a daemon service running as root
...
* Created a new Python/flask-based management daemon.
* Moved the mail user management core code from tools/mail.py to the new daemon.
* tools/mail.py is a wrapper around the daemon and can be run as a non-root user.
* Adding a new initscript for the management daemon.
* Moving dns_update.sh to the management daemon, called via curl'ing the daemon's API.
This also now runs the DNS update after mail users and aliases are added/removed,
which sets up new domains' DNS as needed.
2014-06-03 13:56:40 +00:00
John Supplee
Joshua Tauberer
Michael Kroes
mike
Norman Stanke
Leo Koppelkamm
David Piggott
Brian Bustin
Michael Kropat