Commit Graph

870 Commits

Author SHA1 Message Date
github@kiekerjan.isdronken.nl 2e23e44582 merge prelim 22.04 changes from upstream 2022-02-16 23:32:30 +01:00
github@kiekerjan.isdronken.nl 686e878af5 merge master 2022-02-02 12:15:22 +01:00
KiekerJan 72b08d6b9a fix installer bugs 2022-02-01 23:14:26 +01:00
Joshua Tauberer cb564a130a Fix DNS secondary nameserver refesh failure retry period
Fixes #1979
2022-01-08 09:38:41 -05:00
Erik Hennig 520caf6557
fix: typo in system backup template (#2081) 2022-01-02 08:11:41 -05:00
github@kiekerjan.isdronken.nl 73833e9e76 merge master 2021-12-28 23:33:22 +01:00
KiekerJan e98a86b8d0 merge upstream 2021-12-28 23:12:08 +01:00
Arno Hautala a85c429a85
regex change to exclude comma from sasl_username (#2074)
as proposed in #2071 by @jvolkenant
2021-12-19 08:33:59 -05:00
github@kiekerjan.isdronken.nl ded1b55ebd First steps in migrating to dkimpy-milter 2021-12-11 00:54:56 +01:00
KiekerJan 617dcbded9 merge upstream 2021-12-08 21:35:10 +01:00
steadfasterX aac878dce5
fix: key flag id for KSK, fix format (#2063)
as mentioned (https://github.com/mail-in-a-box/mailinabox/pull/2033#issuecomment-976365087) KSK is 257, not 256
2021-11-23 11:06:17 -05:00
KiekerJan 21fd62ef4f more elaborate logfile analysis 2021-11-22 07:05:10 +01:00
kiekerjan d8dd4cb215
Merge pull request #9 from mail-in-a-box/main
Merge upstream
2021-11-04 00:31:43 +01:00
Joshua Tauberer 34017548d5 Don't crash if a custom DNS entry is not under a zone managed by the box, fixes #1961 2021-10-22 18:39:53 -04:00
github@kiekerjan.isdronken.nl 3ce59172cf remove ignoring MFA for munin 2021-10-19 23:23:49 +02:00
github@kiekerjan.isdronken.nl eeada2b9b5 merge changes from V55 upstream 2021-10-19 23:07:02 +02:00
Richard Willis 1c3bca53bb
Fix broken link in external-dns.html (#2045) 2021-10-18 07:36:48 -04:00
ukfhVp0zms b643cb3478
Update calendar/contacts android app info (#2044)
DAVdroid has been renamed to DAVx⁵ and price increased from $3.69 to $5.99.
CardDAV-Sync free is no longer in beta.
CalDAV-Sync price increased from $2.89 to $2.99.
2021-10-13 19:09:05 -04:00
Joshua Tauberer 113b7bd827 Disable SMTPUTF8 in Postfix because Dovecot LMTP doesn't support it and bounces messages that require SMTPUTF8
By not advertising SMTPUTF8 support at the start, senders may opt to transmit recipient internationalized domain names in IDNA form instead, which will be deliverable.

Incoming mail with internationalized domains was probably working prior to our move to Ubuntu 18.04 when postfix's SMTPUTF8 support became enabled by default.

The previous commit is retained because Mail-in-a-Box users might prefer to keep SMTPUTF8 on for outbound mail, if they are not using internationalized domains for email, in which case the previous commit fixes the 'relay access denied' error even if the emails aren't deliverable.
2021-09-24 08:11:36 -04:00
Joshua Tauberer 3e19f85fad Add domain maps from Unicode forms of internationalized domains to their ASCII forms
When an email is received by Postfix using SMTPUTF8 and the recipient domain is a Unicode internationalized domain, it was failing to be delivered (bouncing with 'relay access denied') because our users and aliases tables only store ASCII (IDNA) forms of internationalized domains. In this commit, domain maps are added to the auto_aliases table from the Unicode form of each mail domain to its IDNA form, if those forms are different. The Postfix domains query is updated to look at the auto_aliases table now as well, since it is the only table with Unicode forms of the mail domains.

However, mail delivery is still not working since the Dovecot LMTP server does not support SMTPUTF8, and mail still bounces but with an error that SMTPUTF8 is not supported.
2021-09-24 08:11:36 -04:00
Joshua Tauberer 11e84d0d40 Move automatically generated aliases to a separate database table
They really should never have been conflated with the user-provided aliases.

Update the postfix alias map to query the automatically generated aliases with lowest priority.
2021-09-24 08:11:36 -04:00
Joshua Tauberer 79966e36e3 Set a cookie for /admin/munin pages to grant access to Munin reports
The /admin/munin routes used the same Authorization: header logic as the other API routes, but they are browsed directly in the browser because they are handled as static pages or as a proxy to a CGI script.

This required users to enter their email username/password for HTTP basic authentication in the standard browser auth prompt, which wasn't ideal (and may leak the password in browser storage). It also stopped working when MFA was enabled for user accounts.

A token is now set in a cookie when visiting /admin/munin which is then checked in the routes that proxy the Munin pages. The cookie's lifetime is kept limited to limit the opportunity for any unknown CSRF attacks via the Munin CGI script.
2021-09-24 08:11:36 -04:00
drpixie df46e1311b
Include NSD config files from /etc/nsd/nsd.conf.d/*.conf (#2035)
And write MIAB dns zone config into /etc/nsd/nsd.conf.d/zones.conf. Delete lingering old zones.conf file.

Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-24 08:07:40 -04:00
KiekerJan e54dc19854 slightly change dns resolver call 2021-09-21 22:17:10 +02:00
Elsie Hupp 353084ce67
Use "smart invert" for dark mode (#2038)
* Use "smart invert" for dark mode

Signed-off-by: Elsie Hupp <9206310+elsiehupp@users.noreply.github.com>

* Add more contrast to form controls

Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-19 09:53:03 -04:00
mailinabox-contributor 91079ab934
add numeric flag value to DNSSEC DS status message (#2033)
Some registrars (e.g. Porkbun) accept Key Data when creating a DS RR,
but accept only a numeric flags value to indicate the key type (256 for KSK, 257 for ZSK).

https://datatracker.ietf.org/doc/html/rfc5910#section-4.3
2021-09-10 16:12:41 -04:00
Joshua Tauberer e5909a6287 Allow non-admin login to the control panel and show/hide menu items depending on the login state
* When logged out, no menu items are shown.
* When logged in, Log Out is shown.
* When logged in as an admin, the remaining menu items are also shown.
* When logged in as a non-admin, the mail and contacts/calendar instruction pages are shown.

Fixes #1987
2021-09-06 09:23:58 -04:00
Joshua Tauberer 26932ecb10 Add a 'welcome' panel to the control panel and make it the default page instead of the status checks which take too long to load
Fixes #2014
2021-09-06 09:23:58 -04:00
Joshua Tauberer e884c4774f Replace HMAC-based session API keys with tokens stored in memory in the daemon process
Since the session cache clears keys after a period of time, this fixes #1821.

Based on https://github.com/mail-in-a-box/mailinabox/pull/2012, and so:

Co-Authored-By: NewbieOrange <NewbieOrange@users.noreply.github.com>

Also fixes #2029 by not revealing through the login failure error message whether a user exists or not.
2021-09-06 09:23:58 -04:00
Joshua Tauberer 53ec0f39cb Use 'secrets' to generate the system API key and remove some debugging-related code
* Rename the 'master' API key to be called the 'system' API key
* Generate the key using the Python secrets module which is meant for this
* Remove some debugging helper code which will be obsoleted by the upcoming changes for session keys
2021-09-06 09:23:58 -04:00
kiekerjan 98c00d1c6a
Merge branch 'mail-in-a-box:main' into master 2021-08-28 13:38:15 +02:00
David Duque ba80d9e72d
Show backup retention period form when configuring B2 backups (#2024) 2021-08-23 06:25:41 -04:00
Joshua Tauberer 67b5711c68 Recommend that DS records be updated to not use SHA1 and exclude MUST NOT methods (SHA1) and the unlikely option RSASHA1-NSEC3-SHA1 (7) + SHA-384 (4) from the DS record suggestions 2021-08-22 14:43:46 -04:00
myfirstnameispaul 20ccda8710 Re-order DS record algorithms by digest type and revise warning message.
Note that 7, 4 is printed last in the status checks page but does not appear in the file, and I couldn't figure out why.
2021-08-22 14:29:36 -04:00
lamkin daad122236
Ignore bad encoding in email addresses when parsing maillog files (#2017)
local/domain parts of email address should be standard ASCII or
UTF-8. Some email addresses contain extended ASCII, leading to
decode failure by the UTF-8 codec (and thus failure of the
Usage-Report script)

This change allows maillog parsing to continue over lines
containing such addresses
2021-08-16 11:46:32 -04:00
kiekerjan ea452d5441
Merge branch 'mail-in-a-box:main' into master 2021-08-16 11:49:46 +02:00
KiekerJan 87be897d36 update DH security to 4096 2021-08-01 21:52:37 +02:00
NewbieOrange 21ad26e452
Disable auto-complete for 2FA code in the control panel login form (#2013) 2021-07-28 16:39:40 -04:00
KiekerJan fa66b767af add debugging info to email admin tool 2021-07-26 10:04:35 +02:00
github@kiekerjan.isdronken.nl 75390e11fd cleanup 2021-07-24 21:19:01 +02:00
github@kiekerjan.isdronken.nl efdd1f2442 initial work on configurable backup folder 2021-07-19 23:18:39 +02:00
KiekerJan db612e91e5 do not generate dns zonefiles for www only websites with external DNS records 2021-06-25 00:36:12 +02:00
KiekerJan eb36091d41 syntax error fix 2021-06-24 12:56:18 +02:00
github@kiekerjan.isdronken.nl 4f7957a5ab check presence of dnssec key file before reading it 2021-06-24 12:47:46 +02:00
KiekerJan 56f9df738f version recognition 2021-06-23 21:02:21 +02:00
KiekerJan 4323b5af01 simple fault catching email admin 2021-06-22 22:50:06 +02:00
github@kiekerjan.isdronken.nl ca5fb3c2e0 Merge changes from upstream v0.54 2021-06-20 23:36:54 +02:00
github@kiekerjan.isdronken.nl b007b74a89 try hide admin links 2021-05-31 23:29:00 +02:00
kiekerjan c25bb085d6
Merge pull request #3 from kiekerjan/develop-dns-mods
Develop dns mods
2021-05-29 22:39:31 +02:00
KiekerJan 28b828be12 check service on ipv6 if it is not found on ipv4 2021-05-28 23:36:25 +02:00
github@kiekerjan.isdronken.nl 1d96be9ea9 take hidden master dns into account for the status checks 2021-05-24 21:32:13 +02:00
github@kiekerjan.isdronken.nl d88d7d0371 Merge branch 'develop-dns-mods' of https://github.com/kiekerjan/mailinabox into develop-dns-mods 2021-05-24 14:24:18 +02:00
github@kiekerjan.isdronken.nl ee87feb571 modify dns TTLs according to recommendations from zonemaster.iis.se 2021-05-24 14:24:09 +02:00
KiekerJan e928b915f4 clean strings before comparing 2021-05-23 21:47:37 +02:00
KiekerJan 6be8ae1e4b correct use of Pyhton Booleans 2021-05-22 18:47:37 +02:00
github@kiekerjan.isdronken.nl 544f06b100 document DNS mods and make DNS options configurable per domain 2021-05-19 22:48:21 +02:00
github@kiekerjan.isdronken.nl 14394ef05b add missing . in nameserver definition 2021-05-19 22:01:25 +02:00
github@kiekerjan.isdronken.nl 856d94b74f use shorthand for ttl periods, more correct secondary ns list handling 2021-05-19 21:17:55 +02:00
github@kiekerjan.isdronken.nl b9e7175d9f add principal functionality to act as hidden master 2021-05-18 22:51:29 +02:00
github@kiekerjan.isdronken.nl 8b13a3b177 short TTL for DNS entries if config file set 2021-05-18 13:28:09 +02:00
KiekerJan 1af0c58623 add daily ip blacklist check 2021-05-18 13:02:05 +02:00
Joshua Tauberer d510c8ae2a Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)
Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2021-05-15 16:42:14 -04:00
Joshua Tauberer e283a12047 Add null SPF, DMARC, and MX records for automatically generated autoconfig, autodiscover, and mta-sts subdomains; add null MX records for custom A-record subdomains
All A/AAAA-resolvable domains that don't send or receive mail should have these null records.

This simplifies the handling of domains a bit by handling automatically generated subdomains more like other domains.
2021-05-15 16:42:14 -04:00
KiekerJan aadd37e248 correct python spacing, sigh 2021-05-10 09:42:03 +02:00
KiekerJan 764a81d335 Merge branch 'develop-xapian-fts' 2021-05-09 21:20:58 +02:00
github@kiekerjan.isdronken.nl 2865cad111 take possible kiekerjan edition into account in tag 2021-05-09 21:16:22 +02:00
Joshua Tauberer e421addf1c Pre-load domain purpopses when building DNS zonefiles rather than querying mail domains at each subdomain 2021-05-09 08:16:07 -04:00
Joshua Tauberer 354a774989 Remove a debug line added in 8cda58fb 2021-05-09 07:34:44 -04:00
github@kiekerjan.isdronken.nl d875c9ff70 remove check on solr service 2021-05-08 23:04:13 +02:00
Joshua Tauberer aaa81ec879 Fix indentation issue in bc4ae51c2d 2021-05-08 09:06:18 -04:00
John @ S4 d4c5872547
Make clear that non-AWS S3 backups are supported (#1947)
Just a few wording changes to show that it is possible to make S3 backups to other services than AWS - prompted by a thread on MIAB discourse.
2021-05-08 08:32:58 -04:00
Hala Alajlan bc4ae51c2d
Handle query dns timeout unhandled error (#1950)
Co-authored-by: hala alajlan <halalajlan@gmail.com>
2021-05-08 08:26:40 -04:00
Jawad Seddar 12aaebfc54
`custom.yaml`: add support for X-Frame-Options header and proxy_redirect off (#1954) 2021-05-08 08:25:33 -04:00
github@kiekerjan.isdronken.nl 3609a9e96c fix Solr report 2021-04-29 23:11:19 +02:00
github@kiekerjan.isdronken.nl 39235bea7e fix solr download error 2021-04-29 22:06:37 +02:00
github@kiekerjan.isdronken.nl 1264fffb4b Add root@primary host alias 2021-04-28 09:23:27 +02:00
github@kiekerjan.isdronken.nl 1292dce11e merge from 1804 version 2021-04-21 22:42:10 +02:00
github@kiekerjan.isdronken.nl e946276f15 install solr without ubuntu package 2021-04-21 22:26:49 +02:00
github@kiekerjan.isdronken.nl 4aaee13c1c Add solr full text search based on https://github.com/jvolkenant/mailinabox/tree/solr-jetty 2021-04-17 23:00:14 +02:00
github@kiekerjan.isdronken.nl bd2605221a Synchronize with upstream 2021-04-13 09:58:56 +02:00
github@kiekerjan.isdronken.nl c24ca5abd4 include changes from v0.53. Remove some POWER modifications to closer follow original mialinabox 2021-04-13 09:50:23 +02:00
Joshua Tauberer 8cda58fb22 Speed up status checks a bit by removing a redundant check if the PRIMARY_HOSTNAME certificate is signed and valid 2021-04-12 19:42:12 -04:00
Joshua Tauberer 178c587654 Migrate to the ECDSAP256SHA256 (13) DNSSEC algorithm
* Stop generating RSASHA1-NSEC3-SHA1 keys on new installs since it is no longer recommended, but preserve the key on existing installs so that we continue to sign zones with existing keys to retain the chain of trust with existing DS records.
* Start generating ECDSAP256SHA256 keys during setup, the current best practice (in addition to RSASHA256 which is also ok). See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 and https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/.
* Sign zones using all available keys rather than choosing just one based on the TLD to enable rotation/migration to the new key and to give the user some options since not every registrar/TLD supports every algorithm.
* Allow a user to drop a key from signing specific domains using DOMAINS= in our key configuration file. Signing the zones with extraneous keys may increase the size of DNS responses, which isn't ideal, although I don't know if this is a problem in practice. (Although a user can delete the RSASHA1-NSEC3-SHA1 key file, the other keys will be re-generated on upgrade.)
* When generating zonefiles, add a hash of all of the DNSSEC signing keys so that when the keys change the zone is definitely regenerated and re-signed.
* In status checks, if DNSSEC is not active (or not valid), offer to use all of the keys that have been generated (for RSASHA1-NSEC3-SHA1 on existing installs, RSASHA256, and now ECDSAP256SHA256) with all digest types, since not all registers support everything, but list them in an order that guides users to the best practice.
* In status checks, if the deployed DS record doesn't use a ECDSAP256SHA256 key, prompt the user to update their DS record.
* In status checks, if multiple DS records are set, only fail if none are valid. If some use ECDSAP256SHA256 and some don't, remind the user to delete the DS records that don't.
* Don't fail if the DS record uses the SHA384 digest (by pre-generating a DS record with that digest type) but don't recommend it because it is not in the IANA mandatory list yet (https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml).

See #1953
2021-04-12 19:42:12 -04:00
github@kiekerjan.isdronken.nl 40adef2261 Fix carddav url and file handling 2021-04-12 22:04:06 +02:00
Jan van de Wijdeven 01ec2ab436 fix webupdate 2021-04-11 23:17:42 +02:00
github@kiekerjan.isdronken.nl 12d0aee27a Add own changes 2021-04-11 12:14:41 +02:00
Jan van de Wijdeven c063c1c50e merge powermiab 2021-03-11 23:02:58 +01:00
Joshua Tauberer 6653dbb2e2 Sort the Custom DNS by zone and qname, and add an option to go back to the old sort order (creation order)
Update the zone grouping style on the users and aliases page to match.

Fixes #1927
2021-02-28 09:40:32 -05:00
Joshua Tauberer d36a2cc938 Enable Backblaze B2 backups
This reverts commit b1d703a5e7 and adds python3-setuptools per the first version of #1899 which fixes an installation error for the b2sdk Python package.
2021-02-28 08:04:14 -05:00
jeremitu 82ca54df96
Fixed #1894 log date over year change, START_DATE < END_DATE now. (#1905)
* Fixed #1894 log date over year change, START_DATE < END_DATE now.

* Corrected mail_log.py argument help and message.

Co-authored-by: Jarek <jarek@box.jurasz.de>
2021-02-28 07:59:26 -05:00
David Duque f47cdbaee1
External DNS: Add some margin between dropdown and buttons 2021-02-01 01:29:23 +00:00
David Duque 4829e687ff
Merge changes from master 2021-01-31 16:20:15 +00:00
Joshua Tauberer b1d703a5e7 Disable Backblaze B2 backups until #1899 is resolved 2021-01-31 08:33:56 -05:00
Felix Spöttel e3d98b781e
Warn when connection to Spamhaus times out (#1817) 2021-01-28 18:22:43 -05:00
Josh Brown 879467d358
Fix typo in users.html (#1895)
lettters -> letters
fixes #1888
2021-01-05 21:12:01 -05:00
Nicolas North 8025c41ee4
Bump TTL for NS records to 1800 (30 min) to 86400 (1 day) as some registries require this (#1892)
Co-authored-by: Nicolas North [norðurljósahviða] <nz@tillverka.xyz>
2021-01-03 17:57:54 -05:00
Hilko 8664afa997
Implement Backblaze for Backup (#1812)
* Installing b2sdk for b2 support
* Added Duplicity PPA so the most recent version is used
* Implemented list_target_files for b2
* Implemented b2 in frontend
* removed python2 boto package
2020-11-26 07:13:31 -05:00
Joshua Tauberer 82229ce04b Document how to start the control panel from the command line and in debugging use a stable API key 2020-11-26 07:11:49 -05:00
David Duque ef116f13de
system-status: Make system status cover the whole page width 2020-11-21 02:41:37 +00:00
David Duque a35b885fac
Replace dead glyphicons (with FontAwesome alternative) 2020-11-21 02:27:52 +00:00