All A/AAAA-resolvable domains that don't send or receive mail should have these null records.
This simplifies the handling of domains a bit by handling automatically generated subdomains more like other domains.
* Stop generating RSASHA1-NSEC3-SHA1 keys on new installs since it is no longer recommended, but preserve the key on existing installs so that we continue to sign zones with existing keys to retain the chain of trust with existing DS records.
* Start generating ECDSAP256SHA256 keys during setup, the current best practice (in addition to RSASHA256 which is also ok). See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 and https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/.
* Sign zones using all available keys rather than choosing just one based on the TLD to enable rotation/migration to the new key and to give the user some options since not every registrar/TLD supports every algorithm.
* Allow a user to drop a key from signing specific domains using DOMAINS= in our key configuration file. Signing the zones with extraneous keys may increase the size of DNS responses, which isn't ideal, although I don't know if this is a problem in practice. (Although a user can delete the RSASHA1-NSEC3-SHA1 key file, the other keys will be re-generated on upgrade.)
* When generating zonefiles, add a hash of all of the DNSSEC signing keys so that when the keys change the zone is definitely regenerated and re-signed.
* In status checks, if DNSSEC is not active (or not valid), offer to use all of the keys that have been generated (for RSASHA1-NSEC3-SHA1 on existing installs, RSASHA256, and now ECDSAP256SHA256) with all digest types, since not all registers support everything, but list them in an order that guides users to the best practice.
* In status checks, if the deployed DS record doesn't use a ECDSAP256SHA256 key, prompt the user to update their DS record.
* In status checks, if multiple DS records are set, only fail if none are valid. If some use ECDSAP256SHA256 and some don't, remind the user to delete the DS records that don't.
* Don't fail if the DS record uses the SHA384 digest (by pre-generating a DS record with that digest type) but don't recommend it because it is not in the IANA mandatory list yet (https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml).
See #1953
--------------------------
Setup:
* When upgrading from versions before v0.40, setup will now warn that ownCloud/Nextcloud data cannot be migrated rather than failing the installation.
Mail:
* An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced.
* The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT.
DNS:
* autoconfig and autodiscover subdomains and CalDAV/CardDAV SRV records are no longer generated for domains that don't have user accounts since they are unnecessary.
* IPv6 addresses can now be specified for secondary DNS nameservers in the control panel.
TLS:
* TLS certificates are now provisioned in groups by parent domain to limit easy domain enumeration and make provisioning more resilient to errors for particular domains.
Control Panel:
* The control panel API is now fully documented at https://mailinabox.email/api-docs.html.
* User passwords can now have spaces.
* Status checks for automatic subdomains have been moved into the section for the parent domain.
* Typo fixed.
Web:
* The default web page served on fresh installations now adds the `noindex` meta tag.
* The HSTS header is revised to also be sent on non-success responses.
-----BEGIN PGP SIGNATURE-----
iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl9t2AgPHGp0QG9jY2Ft
cy5pbmZvAAoJELkgQfTBC92BZNkH/1jIGoWTz0xlS+e+TeXpHoCp/7zYAvQq/a/y
vj9t1N1+bBg6Ywbd8UxyvOHwuL/UQU/5LTq6hk3gD+2ARfJUvDRbb047Xzlisg3N
LhNoVhVbsxqKP1X2ZjeIBq9DgzMavuB64Bwd5UNdceM0Addi8KuCDOMF+FNY2t8k
xytGjYdBi1/BG6SLBX+FAm5yrJghmkUJs2FnJjebSyyeV2HP3L1iBrk2N8UBd6PU
fVjde534lgygFZK/8yXJpY2olfLMYJv7CaOMxvaW6RpbMI8VeLwDLfRt5LcrQZqq
YXkuEnUI0eygbQYkeK/Vr1Vey6uQAWzIfbImEglHfvOXsZSYFXs=
=SJNM
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEAKK/toPAcMkE+dinLzJ3OKPArjoFAl9vB/0ACgkQLzJ3OKPA
rjpXTg/+L2W6LXtqJcDdPiLb7uRJ1a+R7DAPPLhZOXT8alFt6g2nAJHHI3NxKWVM
KsrSGlL+XSw744tfEzw21WsDuoME2F536/q4V4iprQx0LSJ61EQtqFYABbHT7lSc
EyJellcIBxvK9ZTrHhJy3jVJL5eEkrHr4YpaRd68CZGneziMbxZusrlD23OfOn+U
Pi6O39+Xh9lB4nxMfzkjYwCPEyNsTaCieKforPE+7TYh6d5NFHp22e2/yNEwYHhv
90txul+/ByeT6UNFsVQ+QXCpMr/m06W9zbCDgrArol12MlgeAg4bL2trgDUV2D9j
Dpfo1SYo/VUYetlT98adxW7BK2JuGe3SsFDrgjNPDyMBZRoybLY/l1X5TF5d7dq/
bhgDcHXSJ6iBmhZ8nGDuBWhiEld9orn/9vfj/nHmleurXxgDwMcGKn0eINDuX8Xd
NauJdhyOiZLfy8+Rha9ltLlFC/sX8nq0o6iM1Xr+4UOTFVVxlVadkPTMOxuRIQfD
+JaMRCoXLfbAknoGdKfAcxEAzzyylO6z4Ztj/fVp9SHjQgby1paLpJMHEVUaQzEZ
VYqdOzmz7vrV1H5OHOIy6mthQrTw+Mg4KubJs7w99e3pZKJBpvp55+DLvA0JhKLD
dVXqr7rBTkLk/tg4u2SWlj3aZOnkzMz0Iwiu5X+hx3kLl0f3Zgk=
=VgsY
-----END PGP SIGNATURE-----
Merge v0.50 from upstream
These subdomains/records are for automatic configuration of mail clients, but if there are no user accounts on a domain, there is no need to publish a DNS record, provision a TLS certificate, or create an nginx server config block.
* Create the mta_sts A/AAAA records even if there is no valid TLS certificate because we can't get a TLS certificate if we don't set up the domains.
* Make the policy id in the TXT record stable by using a hash of the policy file so that the DNS record doesn't change every day, which means no nightly notification and also it allows for longer caching by sending MTAs.
KiekerJan
KiekerJan
Joshua Tauberer
David Duque
Nicolas North
Victor
David Duque
A. Schippers
Edwin Schaap