Commit Graph

1032 Commits

Author SHA1 Message Date
Joshua Tauberer 3d4eadd436 the new migration management in c8856f107d left out the part where we actually keep the system's current MIGRATIONID... it was being lost when setup/start.sh was re-run 2014-07-07 11:29:21 +00:00
Joshua Tauberer cf7053c124 set nginx server_names_hash_bucket_size to 64, fixes #93 2014-07-07 11:23:41 +00:00
Joshua Tauberer 430b2dec11 update default www page to link to the website, fixes #96 2014-07-07 07:07:54 -04:00
Joshua Tauberer ad3f6f8424 adding externals and .env to gitignore 2014-07-07 07:06:36 -04:00
Joshua Tauberer 65fb65ada7 an mx record may be missing if the A record matches the A record of PRIMARY_HOSTNAME 2014-07-07 02:35:45 +00:00
Joshua Tauberer 28e254fb84 whats_next: Allow the PRIMARY_HOSTNAME to not have an MX because the default value means the domain itself, which is what we want anyway 2014-07-07 02:35:45 +00:00
Joshua Tauberer e898cd5d2a whats_next: wrap output to the actual width of the terminal 2014-07-07 02:35:45 +00:00
Joshua Tauberer 6a231d4409 clarify that an SSL cert can remain self-signed on the non-primary domains if the domain isn't being used for web 2014-07-07 02:35:45 +00:00
Joshua Tauberer dcce98f84b and remove the old documentation now that there is documentation on the website 2014-07-06 11:57:57 -04:00
Joshua Tauberer 05664f0a3b have the README refer to the website for details 2014-07-06 11:31:17 -04:00
Joshua Tauberer 49d5561933 when adding/removing mail addresses also update nginx's config 2014-07-06 12:16:50 +00:00
Joshua Tauberer c8856f107d migrate the SSL certificates path for non-primary certs to a new layout using a new migration script 2014-06-30 20:41:29 +00:00
Joshua Tauberer 06ba25151f get_domain_ssl_files returned the wrong path for the CSR for PRIMARY_HOSTNAME 2014-06-30 19:49:41 +00:00
Joshua Tauberer b5aa1b0f31 walk the user through choosing the PRIMARY_HOSTNAME by first asking for their email address 2014-06-30 10:20:58 -04:00
Joshua Tauberer fed5959288 s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout 2014-06-30 09:15:36 -04:00
Joshua Tauberer 573faa2bf5 install the backup script as a daily cron job 2014-06-26 10:46:22 +00:00
Joshua Tauberer 87f001a5d5 some comments 2014-06-24 03:24:41 +00:00
Joshua Tauberer f8cd2bb805 typo: www/default/index.html would be overwritten if it already exists 2014-06-23 19:43:19 +00:00
Joshua Tauberer 1dec8c65ce move the SSH password login check into whats_next.py (it used to be in start.sh and then moved to an unused script when it became a problem for Vagrant) 2014-06-23 19:39:20 +00:00
Joshua Tauberer d4ce50de86 new tool to purchase and install a SSL certificate using Gandi.net's API 2014-06-23 10:53:29 +00:00
Joshua Tauberer 30c416ff6e rename the new checklist script to whats_next.py 2014-06-23 00:11:24 +00:00
Joshua Tauberer 5aa09c3f9b let the user override some DNS records in a different way
Moved the configuration to a single YAML file, rather than one per domain, to be clearer.

re-does 33f06f29c1
2014-06-22 19:33:30 +00:00
Joshua Tauberer 45e93f7dcc strengthen the cyphers and protocols allowed by Dovecot and Postfix submission 2014-06-22 19:03:11 +00:00
Joshua Tauberer 343886d818 add mail alias checks and other cleanup 2014-06-22 16:28:55 +00:00
Joshua Tauberer deab8974ec if we handle mail for both a domain and any subdomain, only create a zone for the domain and put the subdomain's DNS records in the main domain's zone file 2014-06-22 16:24:15 +00:00
Joshua Tauberer 4668367420 first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc. 2014-06-22 15:54:22 +00:00
Joshua Tauberer ec6c7d84c1 dont ask for a CSR country code on second runs because the CSR is already generated and any new country code won't be used anyway 2014-06-22 15:36:14 +00:00
Joshua Tauberer 8076ce4ab9 Merge pull request #74 from mkropat/mgmt-auth
Add authentication to mailinabox-daemon; resolves #67
2014-06-22 11:36:04 -04:00
Michael Kropat 9e63ec62fb Cleanup: remove env dependency 2014-06-22 08:55:19 -04:00
Michael Kropat d100a790a0 Remove API_KEY_FILE setting 2014-06-22 08:45:29 -04:00
Michael Kropat 554a28479f Merge remote-tracking branch 'upstream/master' into mgmt-auth
Conflicts:
	management/daemon.py
2014-06-21 21:29:25 -04:00
Joshua Tauberer 064d75e261 Merge pull request #73 from mkropat/syslog-logging
Tell Flask to log to syslog
2014-06-21 21:22:27 -04:00
Joshua Tauberer e70bc50432 README parallel sentence structure 2014-06-22 00:34:49 +00:00
Michael Kropat bb394242ef Update documentation to use API auth
The updated instruction is not very user-friendly. I think the right
solution is to wrap the `/dns` commands in a `tools/dns.py` style
script, along the lines of `tools/mail.py`.
2014-06-22 00:07:14 +00:00
Michael Kropat 88e496eba4 Update setup scripts to auth against the API 2014-06-22 00:02:52 +00:00
Michael Kropat 447399e8cd Update mail tool to pass api key auth 2014-06-21 23:49:09 +00:00
Michael Kropat 067052d4ea Add key-based authentication to management service
Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service.
2014-06-21 23:42:48 +00:00
Michael Kropat 53e15eae15 Tell Flask to log to syslog
- Writes Flask warnings and errors to `/var/log/syslog`
- Helps to debug issues when running in production
2014-06-21 23:25:35 +00:00
Joshua Tauberer 67d31ed998 move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:16:46 +00:00
Joshua Tauberer 0ab43ef4fd have webfinger output a JSON file in STORAGE_ROOT/webfinger/(acct/..) 2014-06-21 17:08:18 +00:00
Joshua Tauberer 326cc2a451 obviously put our stuff in /usr/local and not /usr 2014-06-21 12:35:00 -04:00
Joshua Tauberer d3cacd4a11 update test_dns
Don't check NS records for now because they will only appear on zones.
If a hostname is a subdomain on a zone and not itself a zone, it will
lack NS records.

Also stop testing for ADSP, which we dropped in 126ea94ccf.
2014-06-21 12:32:20 -04:00
Joshua Tauberer 87b0608f15 test_dns: DNSSEC signing inserts empty text string components 2014-06-21 12:32:20 -04:00
Joshua Tauberer 85169dc960 preliminary support for webfinger
It just echos back the subject given to it.
2014-06-20 01:55:16 +00:00
Joshua Tauberer 5faa1cae71 manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for 2014-06-20 01:55:12 +00:00
Joshua Tauberer a1a80b295e update docs a bit 2014-06-18 23:12:05 -04:00
Joshua Tauberer 94a140a27a linkify README 2014-06-18 23:04:06 -04:00
Joshua Tauberer 126ea94ccf drop support for ADSP which since last November is no longer recommended per http://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/ 2014-06-18 22:56:55 -04:00
Joshua Tauberer 0f72f78eea add DNSSEC/DANE TLSA to the README 2014-06-19 02:23:07 +00:00
Joshua Tauberer 782ad04b10 use DANE when sending mail: if the recipient MX has a DANE TLSA record in DNS then Postfix will necessarily encrypt the mail in transport 2014-06-19 01:58:14 +00:00