Commit Graph

503 Commits

Author SHA1 Message Date
Joshua Tauberer 6dd6353d41 move sa-learn-pipe.sh from /usr to /usr/local 2014-09-27 16:18:40 +00:00
Joshua Tauberer d06bfa6c1b tweak the site-wide bayesian spam filtering config 2014-09-27 16:18:36 +00:00
Joshua Tauberer 698ae03505 catch-all addresses should not have precedence over mail users
Aliases have precedence over mail users. A catch-all address would grab mail intended for a mail user and send it elsewhere. This adds some SQL hackery to create dummy aliases for all mail users.

fixes #200
closes #214 another way
2014-09-27 13:32:10 +00:00
Joshua Tauberer a4c70f7a92 revert dovecot part of 39bca053ed because dovecot started behaving weird and I don't have time to debug it 2014-09-26 22:41:59 +00:00
Joshua Tauberer 39bca053ed add 2048 bits of DH params for nginx, postfix, dovecot
nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own.

ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.)

see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3
2014-09-26 22:09:22 +00:00
Joshua Tauberer c2eb8e5330 typo in roundcube download URL
see 8e0967dd8e (commitcomment-7940724)
2014-09-26 14:26:45 +00:00
Joshua Tauberer 4e6d572de9 ensure Python operates in UTF-8 with a consistent locale for all users
fixes #206 (hopefully)
2014-09-26 08:26:09 -04:00
Joshua Tauberer 5714b3c6b7 bump bootstrap.sh to incoming 0.03 tag 2014-09-24 12:48:15 +00:00
Joshua Tauberer 8e0967dd8e if an earlier version of roundcube had already been installed, update to our target version
fixes #195
2014-09-24 12:46:51 +00:00
Joshua Tauberer ed8fb2d06d the latest z-push introduces a new/second USE_FULLEMAIL_FOR_LOGIN parameter
see http://discourse.mailinabox.email/t/activesync-z-push-not-working/94/3
2014-09-24 12:24:35 +00:00
Joshua Tauberer 8c8d9304ac lock z-push to a particular upstream version by fmbiete/Z-Push-contrib commit hash 2014-09-24 12:20:10 +00:00
Joshua Tauberer c1ccd22531 put a start script at /usr/local/bin/mailinabox 2014-09-22 16:37:12 -04:00
Joshua Tauberer 01c964bfe3 update bootstrap.sh for next tag 2014-09-22 16:35:07 -04:00
Joshua Tauberer 6c59294e7b more readable bash 2014-09-21 16:05:11 -04:00
Joshua Tauberer 9d40a12f44 first pass at making readable documentation by parsing the bash scripts 2014-09-21 13:43:31 -04:00
jmar71n b5bb12d0d2 enable site-wide bayesian filtering
Create directory in $STORAGE_ROOT for bayes database.

Added --username arg to sa-learn as the user mail does not have permission to edit files in $STORAGE_ROOT. There is probably a better solution to this...
2014-09-20 16:07:30 +01:00
Joshua Tauberer dd91553689 open the firewall to an alternative SSH port if set
https://discourse.mailinabox.email/t/opening-up-a-custom-port-for-ssh-after-install/55/2
2014-09-20 08:26:10 -04:00
Joshua Tauberer 98651deea4 python3-dev is a dependency for many pip packages, including pyyaml, fixes #196 2014-09-17 21:56:09 +00:00
Bretos 467f04facb update roundcube version 2014-09-10 12:32:32 +02:00
Joshua Tauberer 7ea956d3bc install network-checks's dependencies
Since it runs before the real setup begins, we must make sure that packages are installed.

Also removing bind9-host's installation from system.sh. In 189dd6000e I added this so we could use `host`
to aid Docker autoconfiguration. Docker support was since removed but this hadn't gotten removed, which lead me to think it was
normally installed by Ubuntu. It's now installed in `network-checks.sh`.

fixes #180
2014-09-07 12:29:23 +00:00
Joel Kåberg 6b13ac1ca9 Support more concurrent connections 2014-09-04 16:40:33 +02:00
Joel Kåberg 9fd6958dc2 Revert commit "Support more concurrent connections for z-push" 2014-09-04 16:39:38 +02:00
Joel Kåberg e434bf9fce Support more concurrent connections for z-push
My logs were showing lots of: 
[04-Sep-2014 15:52:41] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it
2014-09-04 16:11:06 +02:00
Joshua Tauberer 3853e8dd93 show the status of backups in the control panel 2014-09-01 13:06:53 +00:00
Joshua Tauberer 4ec6692f21 showing the mail-in-a-box version might fail if git isn't actually installed
The user might acquire the sources via some means other than a git clone. On Vagrant, the files come in via Vagrant. So test for git before running `git describe`.
2014-09-01 07:51:25 -04:00
Joel Kåberg 7603ce0489 this is what I meant 2014-09-01 10:32:44 +02:00
Joel Kåberg 8b2fed1a2a fixes comments by @JoshData 2014-09-01 10:02:46 +02:00
Joel Kåberg ee244386ed update ownCloud if necessary
this will always download the latest ownCloud and upgrade if ownCloud install dir exist, this apphroach allows us to keep existing user plugins. currently not checking if currently installed version is equal to the one we're downloading as I couldn't find a proper solution for that
2014-08-31 20:34:57 +02:00
Joshua Tauberer cfffb38508 link-local IPv6 addresses need a '%interface' specification to be useful 2014-08-31 08:09:13 -04:00
Joshua Tauberer 24ff0e04b1 output/text tweaks 2014-08-27 14:42:00 +00:00
Joshua Tauberer 10a37cd033 add SSHFP records to DNS 2014-08-27 12:59:40 +00:00
Joshua Tauberer 8586723e70 Merge pull request #168 from hjjg/feature-localehandling1
locale-safe check if we have enough memory installed
2014-08-27 07:41:49 -04:00
Joshua Tauberer da2af2ea5c once the user has a signed SSL cert, simplify the message at the end of setup 2014-08-27 02:37:03 +00:00
Joshua Tauberer 6a311ee7d9 show the tag or commit the user is on in the output to aid debugging when a user posts the output somewhere 2014-08-27 02:37:03 +00:00
Helmuth Gronewold 756ba111a3 Also swith blocksize and count at the owncloud-specific key generation to ensure get as much bytes as you wanted. 2014-08-26 22:22:43 +02:00
Helmuth Gronewold ab3d205ef6 Switch blocksize and count when reading from urandom with dd, to prevent getting fewer bytes for the secret key. 2014-08-26 22:16:31 +02:00
Joshua Tauberer c0f4618bef normalize some whitespace 2014-08-26 07:13:47 -04:00
Joshua Tauberer 245864caac bug in the IPV6 question 2014-08-26 10:34:22 +00:00
Helmuth Gronewold 3774f589c8 locale-safe check if we have enough memory installed 2014-08-25 23:36:55 +02:00
Joshua Tauberer d1c7617cdb Merge branch 'master' into usedialog 2014-08-25 08:26:59 -04:00
Joshua Tauberer ea32af1f0e Merge commit 'b0d6473c3c6748a68f4845324fee13f3153bc18f' into usedialog
Conflicts:
	setup/start.sh (changes are in questions.sh now)
2014-08-25 08:26:39 -04:00
Joshua Tauberer c18200d9b1 Merge commit '09d2a08ce620928d0398068197951e5acebca0f0' into usedialog
Conflicts:
	setup/start.sh (change was already applied)
2014-08-25 08:23:28 -04:00
Joshua Tauberer bf5016a8ac bootstrap.sh: allow overring the tag to checkout by setting the TAG environment variable (helpful for debugging) 2014-08-25 08:18:46 -04:00
Joshua Tauberer e0dc8ff04a when deleting my old /usr/local/bin/mailinabox-exchange-autodiscover.php file from existing systems, don't emit an error if the file doesn't exist (added -f) 2014-08-25 08:10:54 -04:00
Joshua Tauberer faf6f87a63 move the user-interactive questions and other parts of start.sh into new files 2014-08-25 08:09:37 -04:00
Joshua Tauberer 4ed69cbae5 replace '-t 0' test with an environment variable since '-t 0' is false when standard input has been redirected and doesn't tell us whether or not we can use dialog for input, but Vagrant must be non-interactive 2014-08-25 07:54:11 -04:00
Joshua Tauberer 28231ac248 Merge pull request #150 from hjjg/secretkeyfix
The secret key that encrypts the backups should not be world readable.
2014-08-24 17:21:38 -04:00
Helmuth Gronewold 90c7655d82 Fix wrong permissions of backup secret. Pyhton 3 needs octal permissions. 2014-08-24 21:27:39 +02:00
Joshua Tauberer 6e3b04ce83 when generating SSL CSRs, using SHA256 as SHA1 is being phased out, per @konklone 2014-08-23 17:49:33 -04:00
Joshua Tauberer b0d6473c3c Merge branch 'box-in-a-name' of github.com:hjjg/mailinabox 2014-08-23 12:43:47 +00:00
Joshua Tauberer 03bbd25a10 re-do allow apt to perform security updates on its own
Move this into system.sh rather than anagement.sh.

This reverts commit eab28c97ff.
2014-08-23 12:35:59 +00:00
Helmuth Gronewold ff8413a622 Better handling of hostname and email address recommendation. 2014-08-23 08:51:18 +02:00
Helmuth Gronewold ee9552734f Fix permissions of backup secret according to Josh's comment at
https://github.com/mail-in-a-box/mailinabox/pull/150#issuecomment-53120156
2014-08-22 23:23:56 +02:00
Helmuth Gronewold a68fd6429f The secret key that encrypts the backups should not be world readable. 2014-08-22 22:55:34 +02:00
Joshua Tauberer f7c7d5b9c3 Merge pull request #146 from ls42/zpush/auto-timezone
Read timezone from /etc/timezone.
2014-08-21 17:21:47 -04:00
Christian Koptein 09d2a08ce6 Typo in introduction 2014-08-21 21:51:54 +02:00
Joshua Tauberer 9576594cfe bootstrap script should check out a particular tag rather than master 2014-08-21 17:28:20 +00:00
Joshua Tauberer 76dcab3139 now that we use `dialog` for input we can pipe the bootstrap script to bash 2014-08-21 17:28:12 +00:00
Joshua Tauberer 7e8e104964 when asking for a CSR country code, give the user a list 2014-08-21 17:28:04 +00:00
Joshua Tauberer 7ea4d33e06 simplify the input_box function 2014-08-21 16:01:12 +00:00
Joshua Tauberer eab28c97ff allow apt to perform security updates on its own 2014-08-21 11:47:28 +00:00
Joshua Tauberer 294d19e0af rename whats_next.py to status_checks.py 2014-08-21 10:43:55 +00:00
H8H 980b83b124 Added dialogs, so that the setup.sh can ask the user any questions even when its piped; Added additional email valdidation for the last step 2014-08-21 03:09:09 +02:00
Stephan Brauer 2cab02c831 Read timezone from /etc/timezone. 2014-08-20 23:51:10 +02:00
Joshua Tauberer aaea954072 remove my old Exchange autodiscover PHP script from systems 2014-08-19 11:50:00 +00:00
Joshua Tauberer b6dd407aa7 z-push autodiscover should use the primary hostname for the mail server and not the domain part of the email address (both may work, but the primary hostname is more likely to have a signed SSL cert) 2014-08-19 11:49:20 +00:00
jkaberg a0df18506b use z-push autodisover instead 2014-08-19 13:03:44 +02:00
Joshua Tauberer b30d7ad80a web-based administrative UI
closes #19
2014-08-17 22:46:06 +00:00
Joshua Tauberer 04454b35c6 (merge) CardDAV, CalDAV via ownCloud and move to z-push fork fork
Merges branch 'owncloud' of github.com:jkaberg/mailinabox
which is pull request #135, closes #135

thanks @jkaberg, @fmbiete, @owncloud
2014-08-17 15:31:08 -04:00
Joshua Tauberer 56c7d7436e warn that generating DNSSEC keys takes a while (still slow in some virtualized environments) 2014-08-17 11:50:05 -04:00
Joshua Tauberer 062e8b839e failed network checks should result in start.sh exiting with a non-zero exit status 2014-08-17 11:50:05 -04:00
Joshua Tauberer 7e62131fbc a bootstrapping script to support a one-line install command
based on a script by @jkaberg in #141
2014-08-16 13:31:42 -04:00
Joshua Tauberer e1606df237 s/joshdata/mailinabox/ due to repo moving to the org account 2014-08-16 13:16:01 +00:00
Joshua Tauberer bbd35f4906 ownCloud: do cron the same way we do the others 2014-08-16 13:00:36 +00:00
Joshua Tauberer ae1e69a5e3 ownCloud: code a way to add admins from our users table, but dont use it 2014-08-16 12:59:29 +00:00
Joshua Tauberer 9e86c67534 make setup/owncloud.sh idempotent: don't wreck user data on second run 2014-08-16 12:38:03 +00:00
Joshua Tauberer 277f98aac8 drop the owncloud mail app for now 2014-08-16 12:19:40 +00:00
Joshua Tauberer 398b538e2b owncloud: automatically set it up with an administrator account that even the box owner doesn't have access to, because we do not want to have the user hit ownCloud's setup page on first visit 2014-08-15 23:07:20 +00:00
Joshua Tauberer ca45c88a32 owncloud: set forcessl to be true to get the corret HSTS header (would be better if we could prevent ownCloud from sending one) 2014-08-15 22:32:01 +00:00
Joshua Tauberer 5ecbaa2b41 Merge branch 'owncloud' of github.com:jkaberg/mailinabox into owncloud 2014-08-15 18:30:17 -04:00
Joshua Tauberer a10b828d5c when modifying php.ini, use ; as the comment char not # because php emits horrid deprecation warnings otherwise 2014-08-15 18:29:05 -04:00
jkaberg 7024b428ad increased timeouts so that owncloud properly loads with larger db 2014-08-13 07:30:32 +02:00
Joshua Tauberer d03bc0cefa more owncloud configuration tweaks 2014-08-13 00:30:09 +00:00
Joshua Tauberer 05cc63b5d5 Merge branch 'owncloud' of github.com:jkaberg/mailinabox into owncloud
Conflicts:
	conf/nginx.conf
	setup/zpush.sh
2014-08-12 23:10:51 +00:00
jkaberg e828dd63e1 auto enable apps in owncloud (FINAL COMMIT!) 2014-08-12 16:45:36 +02:00
jkaberg b92033cafe install fpm instead of cgi 2014-08-12 15:39:45 +02:00
Joshua Tauberer c9bf57eacd Merge branch 'master' into owncloud (php5-fpm) 2014-08-12 13:30:55 +00:00
Joshua Tauberer 791e68a3af automate more of the initial configuration 2014-08-12 13:29:44 +00:00
Joshua Tauberer 4d64246b22 tweak z-push/owncloud installation scripts: hide output, check if z-push needs an update, dont use /etc/timezone because its contents would need to be escaped before being passed into sed 2014-08-12 13:29:44 +00:00
Joshua Tauberer 9d6dc78b15 keep Roundcube working too, put owncloud at /cloud rather than at / 2014-08-12 13:29:43 +00:00
jkaberg 57a441a547 small script to update the mail app 2014-08-12 15:27:37 +02:00
jkaberg afb09a84b7 use tools/editconf.py to edit php.ini for large file uploads 2014-08-12 14:00:28 +02:00
jkaberg 7396785a9a install php5-xsl as carddav is dependent on it 2014-08-12 13:22:34 +02:00
Joshua Tauberer cf4f519cc0 zpush/owncloud: inject mail using 'sendmail' not SMTP 2014-08-12 11:18:45 +00:00
jkaberg 654c200709 properly escape $ 2014-08-12 13:12:57 +02:00
Joshua Tauberer 0eceb2012f use php5-fpm rather than our own custom launcher script for PHP+FastCGI 2014-08-12 11:00:54 +00:00
jkaberg 9f5fd6b474 fix user_backends array 2014-08-12 12:33:42 +02:00
jkaberg 5cf2965633 tls instead of ssl 2014-08-12 12:04:27 +02:00
jkaberg e8a1837d02 properly set correct timezone 2014-08-12 12:01:18 +02:00
jkaberg 7ba79effae moved TODO 2014-08-12 11:02:13 +02:00
jkaberg 9d41530232 clarifications 2014-08-12 10:10:53 +02:00
jkaberg a6ba2da68b create an no-reply user to use with SMTP from ownCloud 2014-08-12 10:09:44 +02:00
jkaberg 17c4edb58d add cron job for owncloud 2014-08-12 09:24:49 +02:00
jkaberg 7b5ebb093f properly chmod HTMLPurifier 2014-08-12 02:04:38 +02:00
jkaberg 2d74fad947 restart using php5-fpm 2014-08-12 01:26:51 +02:00
jkaberg 01d7d4e860 restart using php5-fpm 2014-08-12 01:15:17 +02:00
jkaberg bfbd85183e hide_output dosnt work 2014-08-12 00:49:26 +02:00
jkaberg 1e91cb0683 well that didnt work.. 2014-08-12 00:44:54 +02:00
jkaberg bc48e7d871 proper indentation 2014-08-12 00:33:13 +02:00
jkaberg 881b693cd4 use memcache with owncloud 2014-08-12 00:10:52 +02:00
jkaberg 54fe92615b include php-libawl and cleanup 2014-08-11 23:43:16 +02:00
jkaberg f287ca3b6c dont replace owncloud config if it exists (we dont want this as it will contain vital data) 2014-08-11 23:01:18 +02:00
jkaberg a80c076d8f safe apphroach, sid dosnt like special characters like % 2014-08-11 19:42:52 +02:00
jkaberg 1621a2940f use sub dir 2014-08-11 19:31:05 +02:00
jkaberg cc8e1fa7b7 set working dir for composer 2014-08-11 19:09:42 +02:00
jkaberg d53cb88a92 update z-push with carddav and caldav support 2014-08-11 19:08:02 +02:00
jkaberg 3540a1677d install php5-imap, restart php service 2014-08-11 17:59:04 +02:00
jkaberg bc0c0bf0fb owncloud config.php markup 2014-08-11 17:53:01 +02:00
jkaberg 51bb781ffd fix composer.phar not finding the composer.json file 2014-08-11 17:44:30 +02:00
jkaberg d324f0981a cleanup owncloud.sh 2014-08-11 17:08:13 +02:00
jkaberg 0899952fe1 initial owncloud port, untested and unfinished 2014-08-11 16:24:29 +02:00
Joshua Tauberer 140c508ff6 increase dovecot imap_idle_notify_interval to 4 minutes
Doesn't seem like 2 minutes is a problem, but 4 minutes seems better. A little less bandwidth, possibly less battery usage (though we don't have evidence that's actually true), and the interval should be shorter than any peer timeouts that might occur due to inactivity

fixes #129
2014-08-10 11:39:29 +00:00
Joshua Tauberer b56f82cb92 make a privileges column in the users table and mark the first user as an admin 2014-08-08 12:31:22 +00:00
Joshua Tauberer 880ec44a0c if the machine didn't have resolvconf before (my box didn't after an upgrade from Ubuntu 13.xx), make sure it has it now and archive any old resolv.conf since it should now only list 127.0.0.1 for bind9 2014-08-07 14:00:16 +00:00
Joshua Tauberer 5db12be507 migrate the migration state from MIGRATIONID in /etc/mailinabox.conf to STORAGE_ROOT/mailinabox.version so that the data format of STORAGE_ROOT is stored in the directory itself 2014-08-03 17:44:17 -04:00
Joshua Tauberer 64cb00b9d6 add reject_unlisted_recipient before greylisting, fixes #127 2014-08-03 00:06:54 +00:00
Joshua Tauberer b86656243f avoid mail.log warnings about untrusted certificates on outgoing mail, fixes #124 2014-08-02 15:39:47 +00:00
Joshua Tauberer cd59025979 dont ask the user for the machine's IP address if we can be sure our guess is right (trust icanhazip to give us the right answer) 2014-07-29 20:07:26 -04:00
Joshua Tauberer 0be92d776e put a 15-second timeout in asking icanhazip.com for our IP address, although this limit does not seem to actually work (i.e. if I set the limit to 5 seconds, curl still hangs 10+ when I turn off my network connection) 2014-07-29 20:07:26 -04:00
Joshua Tauberer 168c06939d have nsd bind to the network interaface that is connected to the Internet, rather than all non-loopback network interfaces
hopefully fixes #121; thanks for the help @sfPlayer1
2014-07-29 20:07:26 -04:00
Joshua Tauberer c74bef12d2 allow for network checks to be skips in setup while testing using SKIP_NETWORK_CHECKS=1 2014-07-29 20:07:26 -04:00
Joshua Tauberer 6619239280 the SSL private key would be overwritten if ssl_certificate.pem file was deleted; maybe the cause of #98 2014-07-28 15:38:23 -04:00
Joshua Tauberer 834a7b9096 run network checks during setup and stop if there is a bad condition
* check that the PUBLIC_IP is not listed in zen.spamhaus.org
* check that the PRIMARY_HOSTNAME is not listed in dbl.spamhaus.org
* check that a connection to Google's MTA is working (i.e. we're not on a residential network that blocks outbound port 25)
2014-07-26 11:26:59 -04:00
Joshua Tauberer 86ec0f6da7 the cron job to re-sign DNSSEC zones was still not working because the script needed a hash-bang line; what I did in 65c3a44e63 didn't actually fix the problem 2014-07-25 12:15:30 +00:00
Joshua Tauberer f50cf10249 also accept Ubuntu 14.04.1 LTS, the point release that people are automatically pushed to
fixes #116
2014-07-22 21:36:59 +00:00
Joshua Tauberer 621fcc2233 use /dev/random for crypto-grade RNG with the help of haveged
Rather than pass `-r /dev/random` to ldns-keygen (it was `-r /dev/urandom`),
don't pass `-r` at all since /dev/random is the default.

Merges branch 'master' of github.com:pysiak/mailinabox
2014-07-21 07:31:14 -04:00
solt 69f0e1d07a Use /dev/random instead of /dev/urandom
/dev/random should be used for crypto-grade RNG.

To make sure use of /dev/random doesn't stall due to lack of entropy, install haveged which fills the entropy pool with sources such as network traffic, key strokes, etc.

On branch master
Your branch is up-to-date with 'origin/master'.

Changes to be committed:
	modified:   setup/dns.sh
	modified:   setup/system.sh
	modified:   setup/webmail.sh
2014-07-20 23:14:13 +02:00
Joshua Tauberer 65c3a44e63 the cron job to re-sign DNSSEC zones wasnt working after adding the API key to the management daemon because the script relied on a bash-ism but cron runs it with (probably) sh 2014-07-19 16:31:05 +00:00
Joshua Tauberer 91cf45c843 add a comment 2014-07-16 09:39:13 -04:00
Joshua Tauberer 023cd12e1a hide lots of unnecessary and scary output during setup 2014-07-16 09:36:56 -04:00
Joshua Tauberer 465aaf2d30 check that we're running as root before doing anything 2014-07-16 09:36:31 -04:00
Joshua Tauberer 5a4f5b1874 move the welcome message to after the system checks 2014-07-16 09:36:31 -04:00
Joshua Tauberer c716fd27bf refuse to start if the system has less than 768 MB of RAM, except when testing within Vagrant 2014-07-16 09:36:31 -04:00
Joshua Tauberer 4e5b5f2852 Vagrant typo 2014-07-16 09:36:31 -04:00
h8h 9b887d2e63 Use $STORAGE_ROOT
Better to use $STORAGE_ROOT instead of hardcoded /home/user-data/
2014-07-16 15:33:40 +02:00
Joshua Tauberer fb357dee33 add z-push to the start script 2014-07-12 00:04:56 +00:00
Joshua Tauberer 2a7669a0d3 z-push: an Exchange ActiveSync server 2014-07-12 00:02:32 +00:00
Joshua Tauberer 67c7391546 Roundcube's classic skin is nicer 2014-07-11 21:52:46 +00:00
Joshua Tauberer 85bd2c8804 use the Dovecot managesieve service to manage sieve scripts
This lets roundcube's manageseive plugin do cool things like vacation responses.

Also:

* Run the spam filtering sieve script out of a global sieve file that we'll place in /etc/dovecot. It is no longer necessary to create per-user sieve files for this. Remove them with a new migration. Remove the code that created them.

* Corrects the spam script. Backslashes were double-escaped probably because this script started embedded within the bash script. Not sure how this was working until now.

this adapts work by @h8h in #103
2014-07-10 23:09:07 +00:00
Joshua Tauberer e713af5f5a refactor the mail setup scripts
As the scripts keep growing, it's time to split them up to
keep them understandable.

This splits mail.sh into mail-postfix.sh, mail-dovecot.sh,
and mail-users.sh, which has all of the user database-related
configurations shared by Dovecot and Postfix. Also from
spamassassin.sh the core sieve configuration is moved into
mail-dovecot.sh and the virtual transport setting is moved
into mail-postfix.sh.

Also revising one of the sed scripts in mail-dovecot to
not insert a new additional # at the start of a line each
time the script is run.
2014-07-10 12:49:28 +00:00
Joshua Tauberer 6f51b49671 remove the hard-coded migration ID from setup.sh 2014-07-10 12:49:19 +00:00
Joshua Tauberer 41b3df6d78 manage hostmaster@ and postmaster@ automatically, create administrator@ during setup instead
closes #94
2014-07-09 19:30:17 +00:00
Joshua Tauberer 3bab63d4ce update to Roundcube 1.0.1 2014-07-08 00:37:53 +00:00
Joshua Tauberer 3d4eadd436 the new migration management in c8856f107d left out the part where we actually keep the system's current MIGRATIONID... it was being lost when setup/start.sh was re-run 2014-07-07 11:29:21 +00:00
Joshua Tauberer cf7053c124 set nginx server_names_hash_bucket_size to 64, fixes #93 2014-07-07 11:23:41 +00:00
Joshua Tauberer c8856f107d migrate the SSL certificates path for non-primary certs to a new layout using a new migration script 2014-06-30 20:41:29 +00:00
Joshua Tauberer b5aa1b0f31 walk the user through choosing the PRIMARY_HOSTNAME by first asking for their email address 2014-06-30 10:20:58 -04:00
Joshua Tauberer fed5959288 s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout 2014-06-30 09:15:36 -04:00
Joshua Tauberer 573faa2bf5 install the backup script as a daily cron job 2014-06-26 10:46:22 +00:00
Joshua Tauberer f8cd2bb805 typo: www/default/index.html would be overwritten if it already exists 2014-06-23 19:43:19 +00:00
Joshua Tauberer 1dec8c65ce move the SSH password login check into whats_next.py (it used to be in start.sh and then moved to an unused script when it became a problem for Vagrant) 2014-06-23 19:39:20 +00:00
Joshua Tauberer d4ce50de86 new tool to purchase and install a SSL certificate using Gandi.net's API 2014-06-23 10:53:29 +00:00
Joshua Tauberer 45e93f7dcc strengthen the cyphers and protocols allowed by Dovecot and Postfix submission 2014-06-22 19:03:11 +00:00
Joshua Tauberer 4668367420 first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc. 2014-06-22 15:54:22 +00:00
Joshua Tauberer ec6c7d84c1 dont ask for a CSR country code on second runs because the CSR is already generated and any new country code won't be used anyway 2014-06-22 15:36:14 +00:00
Michael Kropat d100a790a0 Remove API_KEY_FILE setting 2014-06-22 08:45:29 -04:00
Michael Kropat 554a28479f Merge remote-tracking branch 'upstream/master' into mgmt-auth
Conflicts:
	management/daemon.py
2014-06-21 21:29:25 -04:00
Michael Kropat 88e496eba4 Update setup scripts to auth against the API 2014-06-22 00:02:52 +00:00
Michael Kropat 067052d4ea Add key-based authentication to management service
Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service.
2014-06-21 23:42:48 +00:00
Joshua Tauberer 67d31ed998 move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:16:46 +00:00
Joshua Tauberer 0ab43ef4fd have webfinger output a JSON file in STORAGE_ROOT/webfinger/(acct/..) 2014-06-21 17:08:18 +00:00
Joshua Tauberer 326cc2a451 obviously put our stuff in /usr/local and not /usr 2014-06-21 12:35:00 -04:00
Joshua Tauberer 85169dc960 preliminary support for webfinger
It just echos back the subject given to it.
2014-06-20 01:55:16 +00:00
Joshua Tauberer 5faa1cae71 manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for 2014-06-20 01:55:12 +00:00
Joshua Tauberer 782ad04b10 use DANE when sending mail: if the recipient MX has a DANE TLSA record in DNS then Postfix will necessarily encrypt the mail in transport 2014-06-19 01:58:14 +00:00
Joshua Tauberer afb6c26c8b run bind9 on the loopback interface for ensuring we are using a DNSSEC-aware nameserver to resolve our own DNS queries (i.e. when sending mail) since we can't trust that the network configuration provided for us gives us a DNSSEC-aware DNS server
see #71
2014-06-18 19:45:47 -04:00
Joshua Tauberer 33f06f29c1 let the user override some DNS records 2014-06-17 22:21:51 +00:00
Joshua Tauberer 88709506f8 add DNSSEC
* sign zones
* in a cron job, periodically re-sign zones because they expire (not tested)
2014-06-17 22:21:12 +00:00
Joshua Tauberer c925f72b0b remove obsoleted parts of setup/dns.sh
Now that dns_update is a part of the management daemon, we no
longer are using STORAGE_ROOT/dns for anything.
2014-06-12 20:18:55 -04:00
Joshua Tauberer d28d07f78e increase the postfix message size limit from 10MB to 128MB 2014-06-10 10:21:43 +00:00
Joshua Tauberer cad868c6c9 reorganize mail.sh a little 2014-06-10 10:19:49 +00:00
Joshua Tauberer 5490142df5 re-do the backup script to use the duplicity program
Duplicity will manage the process of creating incremental backups for us.
Although duplicity can both encrypt & copy files to a remote host, I really
don't like PGP and so I don't want to use that.

Instead, we'll back up to a local directory unencrypted, then manually
encrypt the full & incremental backup files. Synchronizing the encrypted
backup directory to a remote host is a TODO.
2014-06-09 09:34:52 -04:00
Joshua Tauberer 70bd96f643 Merge pull request #70 from mkropat/ipv6-support
Support dual-stack IPv4/IPv6 mail servers
2014-06-08 19:03:33 -04:00
Michael Kropat fb957d2de7 Populate default values before echoing help text
Testing showed that it may take a few seconds for the default values to
populate.  If the help text is shown, “Enter the public IP address…,”
but no prompt is shown, the user may get confused and try to enter the
IP address before mailinabox has had a chance to figure out and display
a suitable default value.
2014-06-08 18:44:08 -04:00
Joshua Tauberer cd1802fecc Filter privacy-sensitive headers on outgoing mail
This re-implements part of PR #69 by @mkropat, who wrote:

By default, Postfix adds a Received header — on all mail that you send —
that lists the IP of the device you sent the mail from.  This feature is
great if you're a mail provider and you need to debug why one user is
having sending issues.  This feature is not so great if you run your own
mail server and you don't want every recipient of every email you send
to know the device and IP you sent the email from.

To limit this filtering to outgoing mail only, we apply the filters just
to the submission port.  See these guides [1] [2] for more context.

  [1] http://askubuntu.com/a/78168/11259
  [2] http://www.void.gr/kargig/blog/2013/11/24/anonymize-headers-in-postfix/
2014-06-08 18:35:09 -04:00
Michael Kropat ae67409603 Support dual-stack IPv4/IPv6 mail servers
Addresses #3

Added support by adding parallel code wherever `$PUBLIC_IP` was used.
Providing an IPv6 address is completely optional.

Playing around on my IPv6-enabled mail server revealed that — before
this change — mailinabox might try to use an IPv6 address as the value
for `$PUBLIC_IP`, which wouldn't work out well.
2014-06-08 18:32:52 -04:00
Joshua Tauberer 2c4212fa36 use editconf.py to mangle /etc/postfix/master.cf
* using it to enable the Postfix submission service
* per @mkropat's suggestion in #69, set an option to distinguish submission from regular smpd in syslog by giving submission a new name (doing this here to test that editconf is working right on master.cf)
2014-06-08 17:31:12 -04:00
Michael Kropat 42bf624045 Protect private key from being world-readable
Postfix, Dovecot, and nginx all read the key file while they're running
as root — before dropping permissions — so no authorization is needed on
the private key file beyond being root-readable.
2014-06-07 19:40:50 -04:00
Joshua Tauberer b60ca25e53 add comments to the new get_default_hostname etc. functions, and simplify the logic in the Vagrantfile and start.sh so that we always call into the same two functions 2014-06-07 14:57:03 -04:00
Michael Kropat 43ef49c737 Improve hostname/IP default values
Default IP+hostname values were incorrect for my VPS provider. I
improved the detection, which should give correct results results for
almost any provider. Specific issues addressed:

- icanhazip.com detection was only enabled in non-interactive mode
- `hostname` is by convention a short (non-fqdn) name in Ubuntu
- `hostname --fqdn` fails if provider does not pouplate `hosts` file
- `hostname -i` fails if provider does not populate `hosts` file
- `curl` without `--fail` will someday return crazy results
  when icanhazip.com returns 500 errors or similar
2014-06-07 14:11:42 -04:00
Joshua Tauberer f1dac1fe13 show less output when updating DNS configuration 2014-06-06 10:51:36 -04:00
Joshua Tauberer f9c3f33e74 move the SSH password login check out of setup because it interfers with Vagrant and into a separate script that we'll use for auditing in a later phase 2014-06-06 10:51:36 -04:00
Joshua Tauberer cab7321dbb remove vestigal docker compatibility that prevented starting services during setup 2014-06-04 20:04:26 -04:00
Joshua Tauberer 295981828f Vagrantize
* adding a Vagrantfile
* in a non-interactive setup like this, create the user's first email account for them
* let the machine auto-detect its IP address using http://icanhazip.com/
* use our own justtesting.email domain to provision a subdomain for users so they can quickly get started
2014-06-04 19:39:58 -04:00
Joshua Tauberer 2f0d036504 the bc package is no longer needed since redoing dns_update 2014-06-04 17:27:01 -04:00
Joshua Tauberer a35fa12465 script to check the SSL certificate, with instructions for turning the self-signed certificate into a properly signed certificate 2014-06-04 11:38:20 +00:00
Joshua Tauberer ea62c2419d typo in updating DKIM, dont regenerate the DKIM private key each time setup is run 2014-06-03 21:42:33 +00:00
Joshua Tauberer 2a9349a64e show the SSL certificate's fingerprint during setup so the user can sort of pin it 2014-06-03 21:39:49 +00:00
Joshua Tauberer bb7905aefd on second and later runs of start.sh, recall the inputs the user entered the last time 2014-06-03 21:31:13 +00:00
Joshua Tauberer 24edd5ce91 the SSL CSR must be generated with a country code 2014-06-03 21:17:10 +00:00
Joshua Tauberer 89730bd643 new backup script, see #11 2014-06-03 21:16:38 +00:00
Joshua Tauberer c54b0cbefc move management into a daemon service running as root
* Created a new Python/flask-based management daemon.
* Moved the mail user management core code from tools/mail.py to the new daemon.
* tools/mail.py is a wrapper around the daemon and can be run as a non-root user.
* Adding a new initscript for the management daemon.
* Moving dns_update.sh to the management daemon, called via curl'ing the daemon's API.

This also now runs the DNS update after mail users and aliases are added/removed,
which sets up new domains' DNS as needed.
2014-06-03 13:56:40 +00:00
Joshua Tauberer da15ae5375 rename the scripts directory to setup 2014-06-03 11:12:38 +00:00