1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-10-23 17:40:54 +00:00
Commit Graph

943 Commits

Author SHA1 Message Date
github@kiekerjan.isdronken.nl
eeada2b9b5 merge changes from V55 upstream 2021-10-19 23:07:02 +02:00
Joshua Tauberer
65861c68b7 Version 55 2021-10-18 20:40:51 -04:00
Joshua Tauberer
71a7a3e201 Upgrade to Roundcube 1.5 2021-10-18 20:40:51 -04:00
Joshua Tauberer
113b7bd827 Disable SMTPUTF8 in Postfix because Dovecot LMTP doesn't support it and bounces messages that require SMTPUTF8
By not advertising SMTPUTF8 support at the start, senders may opt to transmit recipient internationalized domain names in IDNA form instead, which will be deliverable.

Incoming mail with internationalized domains was probably working prior to our move to Ubuntu 18.04 when postfix's SMTPUTF8 support became enabled by default.

The previous commit is retained because Mail-in-a-Box users might prefer to keep SMTPUTF8 on for outbound mail, if they are not using internationalized domains for email, in which case the previous commit fixes the 'relay access denied' error even if the emails aren't deliverable.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
3e19f85fad Add domain maps from Unicode forms of internationalized domains to their ASCII forms
When an email is received by Postfix using SMTPUTF8 and the recipient domain is a Unicode internationalized domain, it was failing to be delivered (bouncing with 'relay access denied') because our users and aliases tables only store ASCII (IDNA) forms of internationalized domains. In this commit, domain maps are added to the auto_aliases table from the Unicode form of each mail domain to its IDNA form, if those forms are different. The Postfix domains query is updated to look at the auto_aliases table now as well, since it is the only table with Unicode forms of the mail domains.

However, mail delivery is still not working since the Dovecot LMTP server does not support SMTPUTF8, and mail still bounces but with an error that SMTPUTF8 is not supported.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
11e84d0d40 Move automatically generated aliases to a separate database table
They really should never have been conflated with the user-provided aliases.

Update the postfix alias map to query the automatically generated aliases with lowest priority.
2021-09-24 08:11:36 -04:00
drpixie
df46e1311b
Include NSD config files from /etc/nsd/nsd.conf.d/*.conf (#2035)
And write MIAB dns zone config into /etc/nsd/nsd.conf.d/zones.conf. Delete lingering old zones.conf file.

Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-24 08:07:40 -04:00
Joshua Tauberer
e884c4774f Replace HMAC-based session API keys with tokens stored in memory in the daemon process
Since the session cache clears keys after a period of time, this fixes #1821.

Based on https://github.com/mail-in-a-box/mailinabox/pull/2012, and so:

Co-Authored-By: NewbieOrange <NewbieOrange@users.noreply.github.com>

Also fixes #2029 by not revealing through the login failure error message whether a user exists or not.
2021-09-06 09:23:58 -04:00
Joshua Tauberer
700188c443 Roundcube 1.5 RC 2021-09-06 09:23:58 -04:00
KiekerJan
9b39251469 active roundcube markasjunk plugin 2021-09-03 22:23:00 +02:00
github@kiekerjan.isdronken.nl
4b260354c2 revert carddav plugin install 2021-08-02 22:47:42 +02:00
github@kiekerjan.isdronken.nl
75f14a0735 make plugin installation of carddav like other git based installs 2021-08-02 22:09:04 +02:00
github@kiekerjan.isdronken.nl
a3b7878ef4 add contextmenu plugin 2021-08-02 00:44:47 +02:00
github@kiekerjan.isdronken.nl
bd9952704a mute re indexing, could be lots of noise on existing installs 2021-08-02 00:27:45 +02:00
KiekerJan
cf6eac0d0c add nginx security headers 2021-08-02 00:05:12 +02:00
KiekerJan
1f35158211 use predefined DHE field groups 2021-08-01 23:09:59 +02:00
github@kiekerjan.isdronken.nl
dbf029b399 remove old ciphers from postfix 2021-08-01 22:49:25 +02:00
KiekerJan
87be897d36 update DH security to 4096 2021-08-01 21:52:37 +02:00
KiekerJan
f6450c1cae update obsolete settings 2021-07-31 21:43:25 +02:00
KiekerJan
104d40e819 add alternative sshd port to ssh jail 2021-07-31 21:42:57 +02:00
KiekerJan
128541d506 add alternative sshd port to ssh jail 2021-07-31 21:36:38 +02:00
github@kiekerjan.isdronken.nl
1315e02cba mail homes and correct use of STORAGE PATH 2021-07-19 21:41:50 +02:00
github@kiekerjan.isdronken.nl
afe078ce32 remove compression for dovecot 2021-07-19 21:34:51 +02:00
KiekerJan
af079a1139 enable compression for dovecot mailboxes 2021-07-04 20:09:29 +02:00
github@kiekerjan.isdronken.nl
050c77a49a fix sed order 2021-06-27 22:14:57 +02:00
github@kiekerjan.isdronken.nl
212b9a31df add definition of admin ipv6 address 2021-06-27 22:12:15 +02:00
KiekerJan
606e66fe80 fixes 2021-06-22 23:33:11 +02:00
github@kiekerjan.isdronken.nl
ca5fb3c2e0 Merge changes from upstream v0.54 2021-06-20 23:36:54 +02:00
Joshua Tauberer
4cb46ea465 v0.54 2021-06-20 15:50:04 -04:00
KiekerJan
cc234c2cab add notes app to nextcloud 2021-06-12 09:52:37 +02:00
KiekerJan
95712e196b remove chkrootkit,too many false positives 2021-06-05 09:53:07 +02:00
KiekerJan
a24c01973f doveadm fts rescan clears the indices, we don't want that 2021-05-30 21:11:47 +02:00
KiekerJan
5fa27b27e2 make security settings more strict for postfix 2021-05-29 00:18:43 +02:00
Joshua Tauberer
d510c8ae2a Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)
Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2021-05-15 16:42:14 -04:00
github@kiekerjan.isdronken.nl
9bd34141bf add extra munin plugins 2021-05-14 00:12:11 +02:00
github@kiekerjan.isdronken.nl
d1b45945b0 cleanup 2021-05-09 21:47:14 +02:00
KiekerJan
8f4860bc1c merge from master 2021-05-09 12:11:11 +02:00
KiekerJan
cb37c6f2d0 Merge tag 'v0.53a' of https://github.com/mail-in-a-box/mailinabox
v0.53a

Changed the Z-Push download URL.
2021-05-09 11:33:58 +02:00
github@kiekerjan.isdronken.nl
4df61f3325 include library installation in setup 2021-05-09 00:00:26 +02:00
github@kiekerjan.isdronken.nl
6aec61e4e8 cleanup solr files 2021-05-08 23:43:39 +02:00
github@kiekerjan.isdronken.nl
2ee85cb171 Disable solr installation, enable xapian fts 2021-05-08 23:39:12 +02:00
KiekerJan
519fef288e reduce rkhunter logging 2021-05-08 23:37:10 +02:00
KiekerJan
c8a3699a3b append rkhunter log 2021-05-08 23:21:11 +02:00
github@kiekerjan.isdronken.nl
2d05d89cd3 correct configuration details 2021-05-08 23:02:57 +02:00
github@kiekerjan.isdronken.nl
23c0388bb3 base for xapian dovecot fts 2021-05-08 22:35:46 +02:00
Joshua Tauberer
dbd6dae5ce Fix exit status issue cased by 69fc2fdd 2021-05-08 09:02:48 -04:00
Thomas Urban
3701e05d92
Rewrite envelope from address in sieve forwards (#1949)
Fixes #1946.
2021-05-08 08:30:53 -04:00
jvolkenant
49813534bd
Updated Nextcloud to 20.0.8, contacts to 3.5.1, calendar to 2.2.0 (#1960) 2021-05-08 08:24:04 -04:00
jvolkenant
16e81e1439
Fix to allow for non forced "enforce" MTA_STS_MODE (#1970) 2021-05-08 08:18:49 -04:00
Joshua Tauberer
b7b67e31b7 Merged point release branch for v0.53a
Changed the Z-Push download URL.
2021-05-08 08:14:39 -04:00
Joshua Tauberer
2e7f2835e7 v0.53a 2021-05-08 08:13:37 -04:00
Joshua Tauberer
8a5f9f464a Download Z-Push from alternate site
The old server has been down for a few days.

Solution from https://discourse.mailinabox.email/t/temporary-fix-for-failed-wget-o-tmp-z-push-zip-https-stash-z-hub-io/8028. Fixes #1974.
2021-05-08 07:59:53 -04:00
Joshua Tauberer
69fc2fdd3a Hide spurrious Nextcloud setup output 2021-05-03 19:41:00 -04:00
Joshua Tauberer
9b07d86bf7 Use $(...) notation instead of legacy backtick notation for embedded shell commands
shellcheck reported

    SC2006: Use $(...) notation instead of legacy backticked `...`.

Fixed by applying shellcheck's diff output as a patch.
2021-05-03 19:28:23 -04:00
Joshua Tauberer
ae3feebd80 Fix warnings reported by shellcheck
* SC2068: Double quote array expansions to avoid re-splitting elements.
* SC2186: tempfile is deprecated. Use mktemp instead.
* SC2124: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
* SC2102: Ranges can only match single chars (mentioned due to duplicates).
* SC2005: Useless echo? Instead of 'echo $(cmd)', just use 'cmd'.
2021-05-03 19:25:09 -04:00
KiekerJan
575e5144d5 add ignore file for chkrootkit 2021-05-01 23:36:51 +02:00
KiekerJan
af5e7ff626 comment 2021-04-30 22:37:03 +02:00
KiekerJan
81d96de21d fixes to rkhunter and chkrootkit installation 2021-04-30 22:15:06 +02:00
KiekerJan
b2d966f8e4 add rootkit detectors 2021-04-29 23:03:09 +02:00
KiekerJan
e1c0cf6c0c fix solr installation 2021-04-29 22:25:19 +02:00
github@kiekerjan.isdronken.nl
39235bea7e fix solr download error 2021-04-29 22:06:37 +02:00
github@kiekerjan.isdronken.nl
f51c0934ab update owncloud version 2021-04-28 11:24:24 +02:00
github@kiekerjan.isdronken.nl
1264fffb4b Add root@primary host alias 2021-04-28 09:23:27 +02:00
github@kiekerjan.isdronken.nl
f60d0f4f1e merge upstram v0.53 2021-04-26 21:50:15 +02:00
github@kiekerjan.isdronken.nl
9b90a8bd38 forward root mail 2021-04-26 21:46:07 +02:00
github@kiekerjan.isdronken.nl
ef59617762 change solr log dir 2021-04-26 10:00:07 +02:00
github@kiekerjan.isdronken.nl
7089bd2748 solr fixes 2021-04-26 09:40:27 +02:00
Joshua Tauberer
2c295bcafd Upgrade the Roundcube persistent login cookie encryption to AES-256-CBC and increase the key length accordingly
This change will force everyone to be logged out of Roundcube since the encryption key and cipher won't match anyone's already-set cookie, but this happens anyway after every Mail-in-a-Box update since we generate a new key each time already.

Fixes #1968.
2021-04-23 17:04:56 -04:00
github@kiekerjan.isdronken.nl
3bf241c3e0 add postfix spamhaus jail 2021-04-23 22:03:22 +02:00
github@kiekerjan.isdronken.nl
1292dce11e merge from 1804 version 2021-04-21 22:42:10 +02:00
github@kiekerjan.isdronken.nl
e946276f15 install solr without ubuntu package 2021-04-21 22:26:49 +02:00
github@kiekerjan.isdronken.nl
ef5b536f43 optimize solr cron and log 2021-04-18 21:52:17 +02:00
github@kiekerjan.isdronken.nl
4aaee13c1c Add solr full text search based on https://github.com/jvolkenant/mailinabox/tree/solr-jetty 2021-04-17 23:00:14 +02:00
github@kiekerjan.isdronken.nl
05eca610df Check munin plugins existence and add fail2ban 2021-04-13 22:31:20 +02:00
github@kiekerjan.isdronken.nl
f5a59d8bb1 add bind9 configuration 2021-04-13 21:28:17 +02:00
github@kiekerjan.isdronken.nl
bd2605221a Synchronize with upstream 2021-04-13 09:58:56 +02:00
github@kiekerjan.isdronken.nl
c24ca5abd4 include changes from v0.53. Remove some POWER modifications to closer follow original mialinabox 2021-04-13 09:50:23 +02:00
Joshua Tauberer
178c587654 Migrate to the ECDSAP256SHA256 (13) DNSSEC algorithm
* Stop generating RSASHA1-NSEC3-SHA1 keys on new installs since it is no longer recommended, but preserve the key on existing installs so that we continue to sign zones with existing keys to retain the chain of trust with existing DS records.
* Start generating ECDSAP256SHA256 keys during setup, the current best practice (in addition to RSASHA256 which is also ok). See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 and https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/.
* Sign zones using all available keys rather than choosing just one based on the TLD to enable rotation/migration to the new key and to give the user some options since not every registrar/TLD supports every algorithm.
* Allow a user to drop a key from signing specific domains using DOMAINS= in our key configuration file. Signing the zones with extraneous keys may increase the size of DNS responses, which isn't ideal, although I don't know if this is a problem in practice. (Although a user can delete the RSASHA1-NSEC3-SHA1 key file, the other keys will be re-generated on upgrade.)
* When generating zonefiles, add a hash of all of the DNSSEC signing keys so that when the keys change the zone is definitely regenerated and re-signed.
* In status checks, if DNSSEC is not active (or not valid), offer to use all of the keys that have been generated (for RSASHA1-NSEC3-SHA1 on existing installs, RSASHA256, and now ECDSAP256SHA256) with all digest types, since not all registers support everything, but list them in an order that guides users to the best practice.
* In status checks, if the deployed DS record doesn't use a ECDSAP256SHA256 key, prompt the user to update their DS record.
* In status checks, if multiple DS records are set, only fail if none are valid. If some use ECDSAP256SHA256 and some don't, remind the user to delete the DS records that don't.
* Don't fail if the DS record uses the SHA384 digest (by pre-generating a DS record with that digest type) but don't recommend it because it is not in the IANA mandatory list yet (https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml).

See #1953
2021-04-12 19:42:12 -04:00
github@kiekerjan.isdronken.nl
40adef2261 Fix carddav url and file handling 2021-04-12 22:04:06 +02:00
Jan van de Wijdeven
d9629caab7 Fixes for 20.04 version 2021-04-11 23:09:41 +02:00
github@kiekerjan.isdronken.nl
daf5a62e83 Merge changes from kiekerjan special 2021-04-11 20:45:24 +02:00
Joshua Tauberer
34569d24a9 v0.53 2021-04-11 12:45:37 -04:00
github@kiekerjan.isdronken.nl
12d0aee27a Add own changes 2021-04-11 12:14:41 +02:00
github@kiekerjan.isdronken.nl
98c6bdbf27 Move editconf.py 2021-03-11 23:25:58 +01:00
Jan van de Wijdeven
7b82b3023c Merge remote-tracking branch 'powermiab/master' into 20.04 2021-03-11 22:57:17 +01:00
Paul
a839602cba
Enable sending DMARC failure reports (#1929)
Configures opendmarc to send failure reports for domains that request them, including when p=none.

The emails are sent as the package default of package name and user@hostname: OpenDMARC Filter <opendmarc@box.example.com>

Note I have been running this for several months with a configuration I did not include in the PR to have reports BCC'd to me (FailureReportsBcc postmaster@example.com). Very low load for my personal server of rarely more than a dozen emails sent out per day.

I am not familiar with editing scripts, so apologies in advance and please feel free to correct me.
2021-02-28 08:21:15 -05:00
Joshua Tauberer
f21a41dc84 Merge #1932, with some edits 2021-02-28 08:16:50 -05:00
davDevOps
055ac07663 Update roundcube to 1.4.11
roundcube Bug Fixes:

Fix for Cross-Site Scripting (XSS) via HTML messages with malicious CSS content
General Improvements from roundcube's Issue Tracker
2021-02-28 08:14:17 -05:00
davDevOps
c7b295f403 Update zpush to 2.6.2 2021-02-28 08:05:40 -05:00
Joshua Tauberer
d36a2cc938 Enable Backblaze B2 backups
This reverts commit b1d703a5e7 and adds python3-setuptools per the first version of #1899 which fixes an installation error for the b2sdk Python package.
2021-02-28 08:04:14 -05:00
jvolkenant
af62e7a99b
Fixes unbound variable when upgrading from Nextcloud 13 (#1913) 2021-02-06 16:49:43 -05:00
David Duque
f41eeb37c1
Release v0.52.POWER.0 2021-02-01 02:22:15 +00:00
David Duque
ba68bd9941
Automatically import existing local CA cerificates 2021-02-01 02:20:38 +00:00
David Duque
e6f22c53e5
Update admin panel dependencies 2021-02-01 01:57:38 +00:00
David Duque
18d36831dc
Update NextCloud components 2021-02-01 01:49:05 +00:00
David Duque
4829e687ff
Merge changes from master 2021-01-31 16:20:15 +00:00
Joshua Tauberer
90d63fd208 v0.52 2021-01-31 08:48:14 -05:00
Joshua Tauberer
b1d703a5e7 Disable Backblaze B2 backups until #1899 is resolved 2021-01-31 08:33:56 -05:00
jvolkenant
50d50ba653
Update zpush to 2.6.1 (#1908) 2021-01-28 18:20:19 -05:00
jcm-shove-it
e2f9cd845a
Update roundcube to 1.4.10 (#1891) 2020-12-28 08:11:33 -05:00