1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-26 02:57:04 +00:00
Commit Graph

78 Commits

Author SHA1 Message Date
Joshua Tauberer
64cb00b9d6 add reject_unlisted_recipient before greylisting, fixes #127 2014-08-03 00:06:54 +00:00
Joshua Tauberer
b86656243f avoid mail.log warnings about untrusted certificates on outgoing mail, fixes #124 2014-08-02 15:39:47 +00:00
Joshua Tauberer
cd59025979 dont ask the user for the machine's IP address if we can be sure our guess is right (trust icanhazip to give us the right answer) 2014-07-29 20:07:26 -04:00
Joshua Tauberer
0be92d776e put a 15-second timeout in asking icanhazip.com for our IP address, although this limit does not seem to actually work (i.e. if I set the limit to 5 seconds, curl still hangs 10+ when I turn off my network connection) 2014-07-29 20:07:26 -04:00
Joshua Tauberer
168c06939d have nsd bind to the network interaface that is connected to the Internet, rather than all non-loopback network interfaces
hopefully fixes #121; thanks for the help @sfPlayer1
2014-07-29 20:07:26 -04:00
Joshua Tauberer
c74bef12d2 allow for network checks to be skips in setup while testing using SKIP_NETWORK_CHECKS=1 2014-07-29 20:07:26 -04:00
Joshua Tauberer
6619239280 the SSL private key would be overwritten if ssl_certificate.pem file was deleted; maybe the cause of #98 2014-07-28 15:38:23 -04:00
Joshua Tauberer
834a7b9096 run network checks during setup and stop if there is a bad condition
* check that the PUBLIC_IP is not listed in zen.spamhaus.org
* check that the PRIMARY_HOSTNAME is not listed in dbl.spamhaus.org
* check that a connection to Google's MTA is working (i.e. we're not on a residential network that blocks outbound port 25)
2014-07-26 11:26:59 -04:00
Joshua Tauberer
86ec0f6da7 the cron job to re-sign DNSSEC zones was still not working because the script needed a hash-bang line; what I did in 65c3a44e63 didn't actually fix the problem 2014-07-25 12:15:30 +00:00
Joshua Tauberer
f50cf10249 also accept Ubuntu 14.04.1 LTS, the point release that people are automatically pushed to
fixes #116
2014-07-22 21:36:59 +00:00
Joshua Tauberer
621fcc2233 use /dev/random for crypto-grade RNG with the help of haveged
Rather than pass `-r /dev/random` to ldns-keygen (it was `-r /dev/urandom`),
don't pass `-r` at all since /dev/random is the default.

Merges branch 'master' of github.com:pysiak/mailinabox
2014-07-21 07:31:14 -04:00
solt
69f0e1d07a Use /dev/random instead of /dev/urandom
/dev/random should be used for crypto-grade RNG.

To make sure use of /dev/random doesn't stall due to lack of entropy, install haveged which fills the entropy pool with sources such as network traffic, key strokes, etc.

On branch master
Your branch is up-to-date with 'origin/master'.

Changes to be committed:
	modified:   setup/dns.sh
	modified:   setup/system.sh
	modified:   setup/webmail.sh
2014-07-20 23:14:13 +02:00
Joshua Tauberer
65c3a44e63 the cron job to re-sign DNSSEC zones wasnt working after adding the API key to the management daemon because the script relied on a bash-ism but cron runs it with (probably) sh 2014-07-19 16:31:05 +00:00
Joshua Tauberer
91cf45c843 add a comment 2014-07-16 09:39:13 -04:00
Joshua Tauberer
023cd12e1a hide lots of unnecessary and scary output during setup 2014-07-16 09:36:56 -04:00
Joshua Tauberer
465aaf2d30 check that we're running as root before doing anything 2014-07-16 09:36:31 -04:00
Joshua Tauberer
5a4f5b1874 move the welcome message to after the system checks 2014-07-16 09:36:31 -04:00
Joshua Tauberer
c716fd27bf refuse to start if the system has less than 768 MB of RAM, except when testing within Vagrant 2014-07-16 09:36:31 -04:00
Joshua Tauberer
4e5b5f2852 Vagrant typo 2014-07-16 09:36:31 -04:00
h8h
9b887d2e63 Use $STORAGE_ROOT
Better to use $STORAGE_ROOT instead of hardcoded /home/user-data/
2014-07-16 15:33:40 +02:00
Joshua Tauberer
fb357dee33 add z-push to the start script 2014-07-12 00:04:56 +00:00
Joshua Tauberer
2a7669a0d3 z-push: an Exchange ActiveSync server 2014-07-12 00:02:32 +00:00
Joshua Tauberer
67c7391546 Roundcube's classic skin is nicer 2014-07-11 21:52:46 +00:00
Joshua Tauberer
85bd2c8804 use the Dovecot managesieve service to manage sieve scripts
This lets roundcube's manageseive plugin do cool things like vacation responses.

Also:

* Run the spam filtering sieve script out of a global sieve file that we'll place in /etc/dovecot. It is no longer necessary to create per-user sieve files for this. Remove them with a new migration. Remove the code that created them.

* Corrects the spam script. Backslashes were double-escaped probably because this script started embedded within the bash script. Not sure how this was working until now.

this adapts work by @h8h in #103
2014-07-10 23:09:07 +00:00
Joshua Tauberer
e713af5f5a refactor the mail setup scripts
As the scripts keep growing, it's time to split them up to
keep them understandable.

This splits mail.sh into mail-postfix.sh, mail-dovecot.sh,
and mail-users.sh, which has all of the user database-related
configurations shared by Dovecot and Postfix. Also from
spamassassin.sh the core sieve configuration is moved into
mail-dovecot.sh and the virtual transport setting is moved
into mail-postfix.sh.

Also revising one of the sed scripts in mail-dovecot to
not insert a new additional # at the start of a line each
time the script is run.
2014-07-10 12:49:28 +00:00
Joshua Tauberer
6f51b49671 remove the hard-coded migration ID from setup.sh 2014-07-10 12:49:19 +00:00
Joshua Tauberer
41b3df6d78 manage hostmaster@ and postmaster@ automatically, create administrator@ during setup instead
closes #94
2014-07-09 19:30:17 +00:00
Joshua Tauberer
3bab63d4ce update to Roundcube 1.0.1 2014-07-08 00:37:53 +00:00
Joshua Tauberer
3d4eadd436 the new migration management in c8856f107d left out the part where we actually keep the system's current MIGRATIONID... it was being lost when setup/start.sh was re-run 2014-07-07 11:29:21 +00:00
Joshua Tauberer
cf7053c124 set nginx server_names_hash_bucket_size to 64, fixes #93 2014-07-07 11:23:41 +00:00
Joshua Tauberer
c8856f107d migrate the SSL certificates path for non-primary certs to a new layout using a new migration script 2014-06-30 20:41:29 +00:00
Joshua Tauberer
b5aa1b0f31 walk the user through choosing the PRIMARY_HOSTNAME by first asking for their email address 2014-06-30 10:20:58 -04:00
Joshua Tauberer
fed5959288 s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout 2014-06-30 09:15:36 -04:00
Joshua Tauberer
573faa2bf5 install the backup script as a daily cron job 2014-06-26 10:46:22 +00:00
Joshua Tauberer
f8cd2bb805 typo: www/default/index.html would be overwritten if it already exists 2014-06-23 19:43:19 +00:00
Joshua Tauberer
1dec8c65ce move the SSH password login check into whats_next.py (it used to be in start.sh and then moved to an unused script when it became a problem for Vagrant) 2014-06-23 19:39:20 +00:00
Joshua Tauberer
d4ce50de86 new tool to purchase and install a SSL certificate using Gandi.net's API 2014-06-23 10:53:29 +00:00
Joshua Tauberer
45e93f7dcc strengthen the cyphers and protocols allowed by Dovecot and Postfix submission 2014-06-22 19:03:11 +00:00
Joshua Tauberer
4668367420 first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc. 2014-06-22 15:54:22 +00:00
Joshua Tauberer
ec6c7d84c1 dont ask for a CSR country code on second runs because the CSR is already generated and any new country code won't be used anyway 2014-06-22 15:36:14 +00:00
Michael Kropat
d100a790a0 Remove API_KEY_FILE setting 2014-06-22 08:45:29 -04:00
Michael Kropat
554a28479f Merge remote-tracking branch 'upstream/master' into mgmt-auth
Conflicts:
	management/daemon.py
2014-06-21 21:29:25 -04:00
Michael Kropat
88e496eba4 Update setup scripts to auth against the API 2014-06-22 00:02:52 +00:00
Michael Kropat
067052d4ea Add key-based authentication to management service
Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service.
2014-06-21 23:42:48 +00:00
Joshua Tauberer
67d31ed998 move the SSL setup into its own bash script since it is used for much more than email now 2014-06-21 22:16:46 +00:00
Joshua Tauberer
0ab43ef4fd have webfinger output a JSON file in STORAGE_ROOT/webfinger/(acct/..) 2014-06-21 17:08:18 +00:00
Joshua Tauberer
326cc2a451 obviously put our stuff in /usr/local and not /usr 2014-06-21 12:35:00 -04:00
Joshua Tauberer
85169dc960 preliminary support for webfinger
It just echos back the subject given to it.
2014-06-20 01:55:16 +00:00
Joshua Tauberer
5faa1cae71 manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for 2014-06-20 01:55:12 +00:00
Joshua Tauberer
782ad04b10 use DANE when sending mail: if the recipient MX has a DANE TLSA record in DNS then Postfix will necessarily encrypt the mail in transport 2014-06-19 01:58:14 +00:00