jkaberg
b92033cafe
install fpm instead of cgi
2014-08-12 15:39:45 +02:00
Joshua Tauberer
c9bf57eacd
Merge branch 'master' into owncloud (php5-fpm)
2014-08-12 13:30:55 +00:00
Joshua Tauberer
791e68a3af
automate more of the initial configuration
2014-08-12 13:29:44 +00:00
Joshua Tauberer
4d64246b22
tweak z-push/owncloud installation scripts: hide output, check if z-push needs an update, dont use /etc/timezone because its contents would need to be escaped before being passed into sed
2014-08-12 13:29:44 +00:00
Joshua Tauberer
9d6dc78b15
keep Roundcube working too, put owncloud at /cloud rather than at /
2014-08-12 13:29:43 +00:00
jkaberg
57a441a547
small script to update the mail app
2014-08-12 15:27:37 +02:00
jkaberg
afb09a84b7
use tools/editconf.py to edit php.ini for large file uploads
2014-08-12 14:00:28 +02:00
jkaberg
7396785a9a
install php5-xsl as carddav is dependent on it
2014-08-12 13:22:34 +02:00
Joshua Tauberer
cf4f519cc0
zpush/owncloud: inject mail using 'sendmail' not SMTP
2014-08-12 11:18:45 +00:00
jkaberg
654c200709
properly escape $
2014-08-12 13:12:57 +02:00
Joshua Tauberer
0eceb2012f
use php5-fpm rather than our own custom launcher script for PHP+FastCGI
2014-08-12 11:00:54 +00:00
jkaberg
9f5fd6b474
fix user_backends array
2014-08-12 12:33:42 +02:00
jkaberg
5cf2965633
tls instead of ssl
2014-08-12 12:04:27 +02:00
jkaberg
e8a1837d02
properly set correct timezone
2014-08-12 12:01:18 +02:00
jkaberg
7ba79effae
moved TODO
2014-08-12 11:02:13 +02:00
jkaberg
9d41530232
clarifications
2014-08-12 10:10:53 +02:00
jkaberg
a6ba2da68b
create an no-reply user to use with SMTP from ownCloud
2014-08-12 10:09:44 +02:00
jkaberg
17c4edb58d
add cron job for owncloud
2014-08-12 09:24:49 +02:00
jkaberg
7b5ebb093f
properly chmod HTMLPurifier
2014-08-12 02:04:38 +02:00
jkaberg
2d74fad947
restart using php5-fpm
2014-08-12 01:26:51 +02:00
jkaberg
01d7d4e860
restart using php5-fpm
2014-08-12 01:15:17 +02:00
jkaberg
bfbd85183e
hide_output dosnt work
2014-08-12 00:49:26 +02:00
jkaberg
1e91cb0683
well that didnt work..
2014-08-12 00:44:54 +02:00
jkaberg
bc48e7d871
proper indentation
2014-08-12 00:33:13 +02:00
jkaberg
881b693cd4
use memcache with owncloud
2014-08-12 00:10:52 +02:00
jkaberg
54fe92615b
include php-libawl and cleanup
2014-08-11 23:43:16 +02:00
jkaberg
f287ca3b6c
dont replace owncloud config if it exists (we dont want this as it will contain vital data)
2014-08-11 23:01:18 +02:00
jkaberg
a80c076d8f
safe apphroach, sid dosnt like special characters like %
2014-08-11 19:42:52 +02:00
jkaberg
1621a2940f
use sub dir
2014-08-11 19:31:05 +02:00
jkaberg
cc8e1fa7b7
set working dir for composer
2014-08-11 19:09:42 +02:00
jkaberg
d53cb88a92
update z-push with carddav and caldav support
2014-08-11 19:08:02 +02:00
jkaberg
3540a1677d
install php5-imap, restart php service
2014-08-11 17:59:04 +02:00
jkaberg
bc0c0bf0fb
owncloud config.php markup
2014-08-11 17:53:01 +02:00
jkaberg
51bb781ffd
fix composer.phar not finding the composer.json file
2014-08-11 17:44:30 +02:00
jkaberg
d324f0981a
cleanup owncloud.sh
2014-08-11 17:08:13 +02:00
jkaberg
0899952fe1
initial owncloud port, untested and unfinished
2014-08-11 16:24:29 +02:00
Joshua Tauberer
140c508ff6
increase dovecot imap_idle_notify_interval to 4 minutes
...
Doesn't seem like 2 minutes is a problem, but 4 minutes seems better. A little less bandwidth, possibly less battery usage (though we don't have evidence that's actually true), and the interval should be shorter than any peer timeouts that might occur due to inactivity
fixes #129
2014-08-10 11:39:29 +00:00
Joshua Tauberer
b56f82cb92
make a privileges column in the users table and mark the first user as an admin
2014-08-08 12:31:22 +00:00
Joshua Tauberer
880ec44a0c
if the machine didn't have resolvconf before (my box didn't after an upgrade from Ubuntu 13.xx), make sure it has it now and archive any old resolv.conf since it should now only list 127.0.0.1 for bind9
2014-08-07 14:00:16 +00:00
Joshua Tauberer
5db12be507
migrate the migration state from MIGRATIONID in /etc/mailinabox.conf to STORAGE_ROOT/mailinabox.version so that the data format of STORAGE_ROOT is stored in the directory itself
2014-08-03 17:44:17 -04:00
Joshua Tauberer
64cb00b9d6
add reject_unlisted_recipient before greylisting, fixes #127
2014-08-03 00:06:54 +00:00
Joshua Tauberer
b86656243f
avoid mail.log warnings about untrusted certificates on outgoing mail, fixes #124
2014-08-02 15:39:47 +00:00
Joshua Tauberer
cd59025979
dont ask the user for the machine's IP address if we can be sure our guess is right (trust icanhazip to give us the right answer)
2014-07-29 20:07:26 -04:00
Joshua Tauberer
0be92d776e
put a 15-second timeout in asking icanhazip.com for our IP address, although this limit does not seem to actually work (i.e. if I set the limit to 5 seconds, curl still hangs 10+ when I turn off my network connection)
2014-07-29 20:07:26 -04:00
Joshua Tauberer
168c06939d
have nsd bind to the network interaface that is connected to the Internet, rather than all non-loopback network interfaces
...
hopefully fixes #121 ; thanks for the help @sfPlayer1
2014-07-29 20:07:26 -04:00
Joshua Tauberer
c74bef12d2
allow for network checks to be skips in setup while testing using SKIP_NETWORK_CHECKS=1
2014-07-29 20:07:26 -04:00
Joshua Tauberer
6619239280
the SSL private key would be overwritten if ssl_certificate.pem file was deleted; maybe the cause of #98
2014-07-28 15:38:23 -04:00
Joshua Tauberer
834a7b9096
run network checks during setup and stop if there is a bad condition
...
* check that the PUBLIC_IP is not listed in zen.spamhaus.org
* check that the PRIMARY_HOSTNAME is not listed in dbl.spamhaus.org
* check that a connection to Google's MTA is working (i.e. we're not on a residential network that blocks outbound port 25)
2014-07-26 11:26:59 -04:00
Joshua Tauberer
86ec0f6da7
the cron job to re-sign DNSSEC zones was still not working because the script needed a hash-bang line; what I did in 65c3a44e63
didn't actually fix the problem
2014-07-25 12:15:30 +00:00
Joshua Tauberer
f50cf10249
also accept Ubuntu 14.04.1 LTS, the point release that people are automatically pushed to
...
fixes #116
2014-07-22 21:36:59 +00:00
Joshua Tauberer
621fcc2233
use /dev/random for crypto-grade RNG with the help of haveged
...
Rather than pass `-r /dev/random` to ldns-keygen (it was `-r /dev/urandom`),
don't pass `-r` at all since /dev/random is the default.
Merges branch 'master' of github.com:pysiak/mailinabox
2014-07-21 07:31:14 -04:00
solt
69f0e1d07a
Use /dev/random instead of /dev/urandom
...
/dev/random should be used for crypto-grade RNG.
To make sure use of /dev/random doesn't stall due to lack of entropy, install haveged which fills the entropy pool with sources such as network traffic, key strokes, etc.
On branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
modified: setup/dns.sh
modified: setup/system.sh
modified: setup/webmail.sh
2014-07-20 23:14:13 +02:00
Joshua Tauberer
65c3a44e63
the cron job to re-sign DNSSEC zones wasnt working after adding the API key to the management daemon because the script relied on a bash-ism but cron runs it with (probably) sh
2014-07-19 16:31:05 +00:00
Joshua Tauberer
91cf45c843
add a comment
2014-07-16 09:39:13 -04:00
Joshua Tauberer
023cd12e1a
hide lots of unnecessary and scary output during setup
2014-07-16 09:36:56 -04:00
Joshua Tauberer
465aaf2d30
check that we're running as root before doing anything
2014-07-16 09:36:31 -04:00
Joshua Tauberer
5a4f5b1874
move the welcome message to after the system checks
2014-07-16 09:36:31 -04:00
Joshua Tauberer
c716fd27bf
refuse to start if the system has less than 768 MB of RAM, except when testing within Vagrant
2014-07-16 09:36:31 -04:00
Joshua Tauberer
4e5b5f2852
Vagrant typo
2014-07-16 09:36:31 -04:00
h8h
9b887d2e63
Use $STORAGE_ROOT
...
Better to use $STORAGE_ROOT instead of hardcoded /home/user-data/
2014-07-16 15:33:40 +02:00
Joshua Tauberer
fb357dee33
add z-push to the start script
2014-07-12 00:04:56 +00:00
Joshua Tauberer
2a7669a0d3
z-push: an Exchange ActiveSync server
2014-07-12 00:02:32 +00:00
Joshua Tauberer
67c7391546
Roundcube's classic skin is nicer
2014-07-11 21:52:46 +00:00
Joshua Tauberer
85bd2c8804
use the Dovecot managesieve service to manage sieve scripts
...
This lets roundcube's manageseive plugin do cool things like vacation responses.
Also:
* Run the spam filtering sieve script out of a global sieve file that we'll place in /etc/dovecot. It is no longer necessary to create per-user sieve files for this. Remove them with a new migration. Remove the code that created them.
* Corrects the spam script. Backslashes were double-escaped probably because this script started embedded within the bash script. Not sure how this was working until now.
this adapts work by @h8h in #103
2014-07-10 23:09:07 +00:00
Joshua Tauberer
e713af5f5a
refactor the mail setup scripts
...
As the scripts keep growing, it's time to split them up to
keep them understandable.
This splits mail.sh into mail-postfix.sh, mail-dovecot.sh,
and mail-users.sh, which has all of the user database-related
configurations shared by Dovecot and Postfix. Also from
spamassassin.sh the core sieve configuration is moved into
mail-dovecot.sh and the virtual transport setting is moved
into mail-postfix.sh.
Also revising one of the sed scripts in mail-dovecot to
not insert a new additional # at the start of a line each
time the script is run.
2014-07-10 12:49:28 +00:00
Joshua Tauberer
6f51b49671
remove the hard-coded migration ID from setup.sh
2014-07-10 12:49:19 +00:00
Joshua Tauberer
41b3df6d78
manage hostmaster@ and postmaster@ automatically, create administrator@ during setup instead
...
closes #94
2014-07-09 19:30:17 +00:00
Joshua Tauberer
3bab63d4ce
update to Roundcube 1.0.1
2014-07-08 00:37:53 +00:00
Joshua Tauberer
3d4eadd436
the new migration management in c8856f107d
left out the part where we actually keep the system's current MIGRATIONID... it was being lost when setup/start.sh was re-run
2014-07-07 11:29:21 +00:00
Joshua Tauberer
cf7053c124
set nginx server_names_hash_bucket_size to 64, fixes #93
2014-07-07 11:23:41 +00:00
Joshua Tauberer
c8856f107d
migrate the SSL certificates path for non-primary certs to a new layout using a new migration script
2014-06-30 20:41:29 +00:00
Joshua Tauberer
b5aa1b0f31
walk the user through choosing the PRIMARY_HOSTNAME by first asking for their email address
2014-06-30 10:20:58 -04:00
Joshua Tauberer
fed5959288
s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout
2014-06-30 09:15:36 -04:00
Joshua Tauberer
573faa2bf5
install the backup script as a daily cron job
2014-06-26 10:46:22 +00:00
Joshua Tauberer
f8cd2bb805
typo: www/default/index.html would be overwritten if it already exists
2014-06-23 19:43:19 +00:00
Joshua Tauberer
1dec8c65ce
move the SSH password login check into whats_next.py (it used to be in start.sh and then moved to an unused script when it became a problem for Vagrant)
2014-06-23 19:39:20 +00:00
Joshua Tauberer
d4ce50de86
new tool to purchase and install a SSL certificate using Gandi.net's API
2014-06-23 10:53:29 +00:00
Joshua Tauberer
45e93f7dcc
strengthen the cyphers and protocols allowed by Dovecot and Postfix submission
2014-06-22 19:03:11 +00:00
Joshua Tauberer
4668367420
first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc.
2014-06-22 15:54:22 +00:00
Joshua Tauberer
ec6c7d84c1
dont ask for a CSR country code on second runs because the CSR is already generated and any new country code won't be used anyway
2014-06-22 15:36:14 +00:00
Michael Kropat
d100a790a0
Remove API_KEY_FILE setting
2014-06-22 08:45:29 -04:00
Michael Kropat
554a28479f
Merge remote-tracking branch 'upstream/master' into mgmt-auth
...
Conflicts:
management/daemon.py
2014-06-21 21:29:25 -04:00
Michael Kropat
88e496eba4
Update setup scripts to auth against the API
2014-06-22 00:02:52 +00:00
Michael Kropat
067052d4ea
Add key-based authentication to management service
...
Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service.
2014-06-21 23:42:48 +00:00
Joshua Tauberer
67d31ed998
move the SSL setup into its own bash script since it is used for much more than email now
2014-06-21 22:16:46 +00:00
Joshua Tauberer
0ab43ef4fd
have webfinger output a JSON file in STORAGE_ROOT/webfinger/(acct/..)
2014-06-21 17:08:18 +00:00
Joshua Tauberer
326cc2a451
obviously put our stuff in /usr/local and not /usr
2014-06-21 12:35:00 -04:00
Joshua Tauberer
85169dc960
preliminary support for webfinger
...
It just echos back the subject given to it.
2014-06-20 01:55:16 +00:00
Joshua Tauberer
5faa1cae71
manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for
2014-06-20 01:55:12 +00:00
Joshua Tauberer
782ad04b10
use DANE when sending mail: if the recipient MX has a DANE TLSA record in DNS then Postfix will necessarily encrypt the mail in transport
2014-06-19 01:58:14 +00:00
Joshua Tauberer
afb6c26c8b
run bind9 on the loopback interface for ensuring we are using a DNSSEC-aware nameserver to resolve our own DNS queries (i.e. when sending mail) since we can't trust that the network configuration provided for us gives us a DNSSEC-aware DNS server
...
see #71
2014-06-18 19:45:47 -04:00
Joshua Tauberer
33f06f29c1
let the user override some DNS records
2014-06-17 22:21:51 +00:00
Joshua Tauberer
88709506f8
add DNSSEC
...
* sign zones
* in a cron job, periodically re-sign zones because they expire (not tested)
2014-06-17 22:21:12 +00:00
Joshua Tauberer
c925f72b0b
remove obsoleted parts of setup/dns.sh
...
Now that dns_update is a part of the management daemon, we no
longer are using STORAGE_ROOT/dns for anything.
2014-06-12 20:18:55 -04:00
Joshua Tauberer
d28d07f78e
increase the postfix message size limit from 10MB to 128MB
2014-06-10 10:21:43 +00:00
Joshua Tauberer
cad868c6c9
reorganize mail.sh a little
2014-06-10 10:19:49 +00:00
Joshua Tauberer
5490142df5
re-do the backup script to use the duplicity program
...
Duplicity will manage the process of creating incremental backups for us.
Although duplicity can both encrypt & copy files to a remote host, I really
don't like PGP and so I don't want to use that.
Instead, we'll back up to a local directory unencrypted, then manually
encrypt the full & incremental backup files. Synchronizing the encrypted
backup directory to a remote host is a TODO.
2014-06-09 09:34:52 -04:00
Joshua Tauberer
70bd96f643
Merge pull request #70 from mkropat/ipv6-support
...
Support dual-stack IPv4/IPv6 mail servers
2014-06-08 19:03:33 -04:00
Michael Kropat
fb957d2de7
Populate default values before echoing help text
...
Testing showed that it may take a few seconds for the default values to
populate. If the help text is shown, “Enter the public IP address…,”
but no prompt is shown, the user may get confused and try to enter the
IP address before mailinabox has had a chance to figure out and display
a suitable default value.
2014-06-08 18:44:08 -04:00
Joshua Tauberer
cd1802fecc
Filter privacy-sensitive headers on outgoing mail
...
This re-implements part of PR #69 by @mkropat, who wrote:
By default, Postfix adds a Received header — on all mail that you send —
that lists the IP of the device you sent the mail from. This feature is
great if you're a mail provider and you need to debug why one user is
having sending issues. This feature is not so great if you run your own
mail server and you don't want every recipient of every email you send
to know the device and IP you sent the email from.
To limit this filtering to outgoing mail only, we apply the filters just
to the submission port. See these guides [1] [2] for more context.
[1] http://askubuntu.com/a/78168/11259
[2] http://www.void.gr/kargig/blog/2013/11/24/anonymize-headers-in-postfix/
2014-06-08 18:35:09 -04:00