Commit Graph

100 Commits

Author SHA1 Message Date
Chad Furman e9feefa5d3 Merge remote-tracking branch 'upstream/main' into chad/resolve-merge-conflicts 2024-04-27 10:41:39 -04:00
Teal Dulcet c719fce40a Fixed UP032 (f-string): Use f-string instead of `format` call 2024-03-10 07:56:49 -04:00
Teal Dulcet ec32e1d578 Fixed E703 (useless-semicolon): Statement ends with an unnecessary semicolon 2024-03-10 07:56:49 -04:00
Teal Dulcet 57dcd4bb51 Fixed E713 (not-in-test): Test for membership should be `not in` 2024-03-10 07:56:49 -04:00
Teal Dulcet 845393b6e0 Fixed RET503 (implicit-return): Missing explicit `return` at the end of function able to return non-`None` value 2024-03-10 07:56:49 -04:00
Teal Dulcet 57d05c1ab2 Fixed B007 (unused-loop-control-variable) 2024-03-10 07:54:51 -04:00
Teal Dulcet 81a4da0181 Fixed SIM110 (reimplemented-builtin) 2024-03-10 07:54:51 -04:00
Teal Dulcet 14a5613dc8 Fixed UP031 (printf-string-formatting): Use format specifiers instead of percent format 2024-03-10 07:54:51 -04:00
Teal Dulcet fba92de051 Fixed SIM108 (if-else-block-instead-of-if-exp) 2024-03-10 07:54:51 -04:00
Teal Dulcet b7f70b17ac Fixed RET504 (unnecessary-assign) 2024-03-10 07:54:51 -04:00
Teal Dulcet 555ecc1ebb Fixed PIE810 (multiple-starts-ends-with): Call `startswith` once with a `tuple` 2024-03-10 07:54:51 -04:00
Teal Dulcet dd61844ced Fixed EM101 (raw-string-in-exception): Exception must not use a string literal, assign to variable first 2024-03-10 07:54:51 -04:00
Teal Dulcet 49124cc9ca Fixed PLR6201 (literal-membership): Use a `set` literal when testing for membership 2024-03-10 07:54:51 -04:00
Teal Dulcet 0ee64f2fe8 Fixed F401 (unused-import) 2024-03-10 07:54:21 -04:00
John R. Supplee 894df240cb Merge tag 'v55' of https://github.com/mail-in-a-box/mailinabox
Version 55 (October 18, 2021)
-----------------------------

Mail:

* "SMTPUTF8" is now disabled in Postfix. Because Dovecot still does not
support SMTPUTF8, incoming mail to internationalized addresses was
bouncing. This fixes incoming mail to internationalized domains (which
was probably working prior to v0.40), but it will prevent sending
outbound mail to addresses with internationalized local-parts.
* Upgraded to Roundcube 1.5.

Control panel:

* The control panel menus are now hidden before login, but now
non-admins can log in to access the mail and contacts/calendar
instruction pages.
* The login form now disables browser autocomplete in the two-factor
authentication code field.
* After logging in, the default page is now a fast-loading welcome page
rather than the slow-loading system status checks page.
* The backup retention period option now displays for B2 backup targets.
* The DNSSEC DS record recommendations are cleaned up and now recommend
changing records that use SHA1.
* The Munin monitoring pages no longer require a separate HTTP basic
authentication login and can be used if two-factor authentication is
turned on.
* Control panel logins are now tied to a session backend that allows
true logouts (rather than an encrypted cookie).
* Failed logins no longer directly reveal whether the email address
corresponds to a user account.
* Browser dark mode now inverts the color scheme.

Other:

* Fail2ban's IPv6 support is enabled.
* The mail log tool now doesn't crash if there are email addresess in
log messages with invalid UTF-8 characters.
* Additional nsd.conf files can be placed in /etc/nsd.conf.d.
2021-10-30 11:58:47 +02:00
Joshua Tauberer 113b7bd827 Disable SMTPUTF8 in Postfix because Dovecot LMTP doesn't support it and bounces messages that require SMTPUTF8
By not advertising SMTPUTF8 support at the start, senders may opt to transmit recipient internationalized domain names in IDNA form instead, which will be deliverable.

Incoming mail with internationalized domains was probably working prior to our move to Ubuntu 18.04 when postfix's SMTPUTF8 support became enabled by default.

The previous commit is retained because Mail-in-a-Box users might prefer to keep SMTPUTF8 on for outbound mail, if they are not using internationalized domains for email, in which case the previous commit fixes the 'relay access denied' error even if the emails aren't deliverable.
2021-09-24 08:11:36 -04:00
Joshua Tauberer 3e19f85fad Add domain maps from Unicode forms of internationalized domains to their ASCII forms
When an email is received by Postfix using SMTPUTF8 and the recipient domain is a Unicode internationalized domain, it was failing to be delivered (bouncing with 'relay access denied') because our users and aliases tables only store ASCII (IDNA) forms of internationalized domains. In this commit, domain maps are added to the auto_aliases table from the Unicode form of each mail domain to its IDNA form, if those forms are different. The Postfix domains query is updated to look at the auto_aliases table now as well, since it is the only table with Unicode forms of the mail domains.

However, mail delivery is still not working since the Dovecot LMTP server does not support SMTPUTF8, and mail still bounces but with an error that SMTPUTF8 is not supported.
2021-09-24 08:11:36 -04:00
Joshua Tauberer 11e84d0d40 Move automatically generated aliases to a separate database table
They really should never have been conflated with the user-provided aliases.

Update the postfix alias map to query the automatically generated aliases with lowest priority.
2021-09-24 08:11:36 -04:00
John Supplee 19e2066969 v0.51 (November 14, 2020)
Software updates:
 
 * Upgraded Nextcloud from 17.0.6 to 20.0.1 (with Contacts from 3.3.0 to 3.4.1 and Calendar from 2.0.3 to 2.1.2)
 * Upgraded Roundcube to version 1.4.9.
 
 Mail:
 
 * The MTA-STA max_age value was increased to the normal one week.
 
 Control Panel:
 
 * Two-factor authentication can now be enabled for logins to the control panel. However, keep in mind that many online services (including domain name registrars, cloud server providers, and TLS certificate providers) may allow an attacker to take over your account or issue a fraudulent TLS certificate with only access to your email address, and this new two-factor authentication does not protect access to your inbox. It therefore remains very important that user accounts with administrative email addresses have strong passwords.
 * TLS certificate expiry dates are now shown in ISO8601 format for clarity.
 -----BEGIN PGP SIGNATURE-----
 
 iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl+v8k4PHGp0QG9jY2Ft
 cy5pbmZvAAoJELkgQfTBC92BMYUIAJTD1iKzY1SoDNSp8JMPn2sWusOnJNrnvYEV
 vsrBM4AzwJv3DIZKSkYCitbTQW2FsTcjF6Jl5PCavEmAGe55AIKAPM/52Uq6jqDE
 aR8EZvI9ca1i7yR7DOHEI043QSPmp/iCFD48vvmKgN/LZy67TaHaOlGJbc3nfpk0
 y7ejMpF/6RP6ik4snnRQoWTFShaOpB9WcEVnUO7CHZdWcpSCZ55c9yi6A6ExGk7e
 97R5+JN1MgOdZ6rzWZuMWiz7EZ/Ew4jYLZpOwg8qJm0HNbYJ6+/xxsQBwaQzyBw3
 TsTl4GmunNPfoNrmKdJeLy0sBwiVBv/rysjWjim5v8jAYBoKoUQ=
 =2oRU
 -----END PGP SIGNATURE-----

Merge tag 'v0.51' of https://github.com/mail-in-a-box/mailinabox

v0.51 (November 14, 2020)

Software updates:

* Upgraded Nextcloud from 17.0.6 to 20.0.1 (with Contacts from 3.3.0 to 3.4.1 and Calendar from 2.0.3 to 2.1.2)
* Upgraded Roundcube to version 1.4.9.

Mail:

* The MTA-STA max_age value was increased to the normal one week.

Control Panel:

* Two-factor authentication can now be enabled for logins to the control panel. However, keep in mind that many online services (including domain name registrars, cloud server providers, and TLS certificate providers) may allow an attacker to take over your account or issue a fraudulent TLS certificate with only access to your email address, and this new two-factor authentication does not protect access to your inbox. It therefore remains very important that user accounts with administrative email addresses have strong passwords.
* TLS certificate expiry dates are now shown in ISO8601 format for clarity.

# gpg verification failed.

# Conflicts:
#	management/daemon.py
#	setup/bootstrap.sh
#	setup/mail-users.sh
#	tools/mail.py
2020-12-03 23:21:37 +02:00
John Supplee 38ac127344 v0.50 (September 25, 2020)
--------------------------
 
 Setup:
 
 * When upgrading from versions before v0.40, setup will now warn that ownCloud/Nextcloud data cannot be migrated rather than failing the installation.
 
 Mail:
 
 * An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced.
 * The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT.
 
 DNS:
 
 * autoconfig and autodiscover subdomains and CalDAV/CardDAV SRV records are no longer generated for domains that don't have user accounts since they are unnecessary.
 * IPv6 addresses can now be specified for secondary DNS nameservers in the control panel.
 
 TLS:
 
 * TLS certificates are now provisioned in groups by parent domain to limit easy domain enumeration and make provisioning more resilient to errors for particular domains.
 
 Control Panel:
 
 * The control panel API is now fully documented at https://mailinabox.email/api-docs.html.
 * User passwords can now have spaces.
 * Status checks for automatic subdomains have been moved into the section for the parent domain.
 * Typo fixed.
 
 Web:
 
 * The default web page served on fresh installations now adds the `noindex` meta tag.
 * The HSTS header is revised to also be sent on non-success responses.
 -----BEGIN PGP SIGNATURE-----
 
 iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl9t2AgPHGp0QG9jY2Ft
 cy5pbmZvAAoJELkgQfTBC92BZNkH/1jIGoWTz0xlS+e+TeXpHoCp/7zYAvQq/a/y
 vj9t1N1+bBg6Ywbd8UxyvOHwuL/UQU/5LTq6hk3gD+2ARfJUvDRbb047Xzlisg3N
 LhNoVhVbsxqKP1X2ZjeIBq9DgzMavuB64Bwd5UNdceM0Addi8KuCDOMF+FNY2t8k
 xytGjYdBi1/BG6SLBX+FAm5yrJghmkUJs2FnJjebSyyeV2HP3L1iBrk2N8UBd6PU
 fVjde534lgygFZK/8yXJpY2olfLMYJv7CaOMxvaW6RpbMI8VeLwDLfRt5LcrQZqq
 YXkuEnUI0eygbQYkeK/Vr1Vey6uQAWzIfbImEglHfvOXsZSYFXs=
 =SJNM
 -----END PGP SIGNATURE-----

Merge tag 'v0.50' of https://github.com/mail-in-a-box/mailinabox into master

v0.50 (September 25, 2020)
--------------------------

Setup:

* When upgrading from versions before v0.40, setup will now warn that ownCloud/Nextcloud data cannot be migrated rather than failing the installation.

Mail:

* An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced.
* The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT.

DNS:

* autoconfig and autodiscover subdomains and CalDAV/CardDAV SRV records are no longer generated for domains that don't have user accounts since they are unnecessary.
* IPv6 addresses can now be specified for secondary DNS nameservers in the control panel.

TLS:

* TLS certificates are now provisioned in groups by parent domain to limit easy domain enumeration and make provisioning more resilient to errors for particular domains.

Control Panel:

* The control panel API is now fully documented at https://mailinabox.email/api-docs.html.
* User passwords can now have spaces.
* Status checks for automatic subdomains have been moved into the section for the parent domain.
* Typo fixed.

Web:

* The default web page served on fresh installations now adds the `noindex` meta tag.
* The HSTS header is revised to also be sent on non-success responses.

# gpg verification failed.

# Conflicts:
#	.gitignore
#	setup/bootstrap.sh
2020-10-11 18:16:36 +02:00
Joshua Tauberer a8ea456b49 Reorganize the MFA backend methods 2020-09-26 09:58:25 -04:00
Felix Spöttel dcb93d071c Add TOTP secret to user_key hash
thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`
2020-09-12 16:34:06 +02:00
Felix Spöttel 4791c2fc62 Safeguard against empty mru_token column
* hmac.compare_digest() expects arguments of type string, make sure we don't pass None
 * Currently, this cannot happen but we might not want to store `mru_token` during setup
2020-09-06 13:03:54 +02:00
Felix Spöttel 481a333dc0 Address review feedback, thanks @hija 2020-09-04 20:28:15 +02:00
Felix Spöttel b0df35eba0 conn.close() if mru_token update can't .commit() 2020-09-03 20:39:03 +02:00
Felix Spöttel 08ae3d2b7f Rename internal validate_two_factor_secret => validate_two_factor_secret 2020-09-03 19:48:54 +02:00
Felix Spöttel ee01eae55e Decouple totp from users table by moving to totp_credentials table
* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credentials per user on db-level
2020-09-03 19:07:21 +02:00
Felix Spöttel a7a66929aa add user interface for managing 2fa
* update user schema with 2fa columns
2020-09-02 16:48:23 +02:00
David Duque 967409b157
Drop requirement for passwords to have no spaces (#1789) 2020-07-16 07:23:11 -04:00
Joshua Tauberer e03a6541ce Don't make autoconfig/autodiscover subdomains and SRV records when the parent domain has no user accounts
These subdomains/records are for automatic configuration of mail clients, but if there are no user accounts on a domain, there is no need to publish a DNS record, provision a TLS certificate, or create an nginx server config block.
2020-06-11 12:20:17 -04:00
John Supplee 8e94402282 Fix bug in displaying users when there is an archived user 2019-11-22 17:13:57 +02:00
John R. Supplee fa3c3236d8 v0.43 (September 1, 2019)
-------------------------
 
 Security fixes:
 
 * A security issue was discovered in rsync backups. If you have enabled rsync backups, the file `id_rsa_miab` may have been copied to your backup destination. This file can be used to access your backup destination. If the file was copied to your backup destination, we recommend that you delete the file on your backup destination, delete `/root/.ssh/id_rsa_miab` on your Mail-in-a-Box, then re-run Mail-in-a-Box setup, and re-configure your SSH public key at your backup destination according to the instructions in the Mail-in-a-Box control panel.
 * Brute force attack prevention was missing for the managesieve service.
 
 Setup:
 
 * Nextcloud was not upgraded properly after restoring Mail-in-a-Box from a backup from v0.40 or earlier.
 
 Mail:
 
 * Upgraded Roundcube to 1.3.10.
 * Fetch an updated whitelist for greylisting on a monthly basis to reduce the number of delayed incoming emails.
 
 Control panel:
 
 * When using secondary DNS, it is now possible to specify a subnet range with the `xfr:` option.
 * Fixed an issue when the secondary DNS option is used and the secondary DNS hostname resolves to multiple IP addresses.
 * Fix a bug in how a backup configuration error is shown.
 -----BEGIN PGP SIGNATURE-----
 
 iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl1rrwIPHGp0QG9jY2Ft
 cy5pbmZvAAoJELkgQfTBC92BgckIALFnDFxhQ18MtClpi79+rnl1aA5DqbToCuI2
 MHIAOmxIVSavnd5MZZ3efXWAzIniEpbq0X+6Rlzas5lkreT1mHoJsKdkt0bOqy1a
 ZF2vT5UnUM9cwPHkU1ak/TaD9v97wbHpWWGwAK+/zTL6w1ReCVfQ2QzCzoDaY7xh
 OZFXE+YsaI7qZeG3Q4jfFr0IYDowLgjgBpdWvO71QKzWjIIvBNX1ZGt2r+cuKmQ5
 JOXIAR4fdri0p8dMd2sqq0FatBBCfjHDBykA/+GzJJDBX7MNoZsQT3bowrhj8XPS
 f5cKUKm7zlDsm02bfCtDD6nvYYUxvOdQx7yfdL8RYSdy71Chs20=
 =7M/i
 -----END PGP SIGNATURE-----

Merge tag 'v0.43' of https://github.com/mail-in-a-box/mailinabox

v0.43 (September 1, 2019)
-------------------------

Security fixes:

* A security issue was discovered in rsync backups. If you have enabled
rsync backups, the file `id_rsa_miab` may have been copied to your
backup destination. This file can be used to access your backup
destination. If the file was copied to your backup destination, we
recommend that you delete the file on your backup destination, delete
`/root/.ssh/id_rsa_miab` on your Mail-in-a-Box, then re-run
Mail-in-a-Box setup, and re-configure your SSH public key at your backup
destination according to the instructions in the Mail-in-a-Box control
panel.
* Brute force attack prevention was missing for the managesieve service.

Setup:

* Nextcloud was not upgraded properly after restoring Mail-in-a-Box from
a backup from v0.40 or earlier.

Mail:

* Upgraded Roundcube to 1.3.10.
* Fetch an updated whitelist for greylisting on a monthly basis to
reduce the number of delayed incoming emails.

Control panel:

* When using secondary DNS, it is now possible to specify a subnet range
with the `xfr:` option.
* Fixed an issue when the secondary DNS option is used and the secondary
DNS hostname resolves to multiple IP addresses.
* Fix a bug in how a backup configuration error is shown.

5F4C0E7313CCD744693B2AEAB92041F4C10BDD81
2019-09-02 18:33:26 -04:00
mbraem fb25013334 user privileges is a set (#1551)
fixes #1540
2019-04-14 14:17:43 -04:00
John Supplee 4bed222162 Fix bug where quotas are not being recalculated 2019-02-06 12:53:46 +02:00
John Supplee 19f204a9af Do not execute a dovecot reload on every quota update 2019-02-05 13:32:43 +02:00
John Supplee a60e1c274a Do not allow decimal points in quota sizes 2019-02-05 01:47:39 +02:00
John Supplee 686a074fab Force recalculation of a user's quota after setting a new value 2019-02-05 01:47:09 +02:00
John Supplee 7874683618 Add percentage used and update tools/mail.py to set quotas 2019-02-01 15:36:27 +02:00
John Supplee d1906bd055 Add support for a default quota value and allow setting quota when adding user 2019-01-31 22:57:04 +02:00
John Supplee a8f02c1eb0 Fix problems with users that do not have maildirsize file 2019-01-30 00:01:16 +02:00
John Supplee b3f9063ae7 comment out code generating errors
When the `maildirsize` file does not exist it causes the script to fail.
The IOError is not caught by the execpt
2019-01-29 19:41:54 +02:00
John Supplee f68ef70b94 Calculate and display mailbox sizes in user list 2019-01-29 19:18:48 +02:00
John Supplee c5c7de8b2b allow decimal points in quotas 2019-01-29 17:42:17 +02:00
John Supplee ccad47937e Add components to user interface for setting quotas 2019-01-28 23:27:03 +02:00
John Supplee b557e69313 display unlimited when quota is 0 2019-01-28 17:24:11 +02:00
John Supplee dad22f7261 bug fix 2019-01-28 17:17:43 +02:00
John Supplee 587f33b6c0 bug fix for displaying quotas 2019-01-28 16:34:34 +02:00
John Supplee 3cd14bd4b8 Add display of quotas 2019-01-28 16:19:36 +02:00
Joshua Tauberer c5c413b447 remove user account mailbox size from the control panel because it takes way too long to compute on very large mailboxes
fixes #531
2018-12-02 18:02:00 -05:00
Joshua Tauberer 8d6d84d87f run mailconfig.py's email address validator outside of the virtualenv during questions.sh
We don't have the virtualenv this early in setup.

Broken by 0088fb4553.

Fixes #1326.

See https://discourse.mailinabox.email/t/that-is-not-a-valid-email-error-during-mailinabox-installation/2793.
2018-01-20 10:59:37 -05:00