Commit Graph

2183 Commits

Author SHA1 Message Date
Joshua Tauberer 82229ce04b Document how to start the control panel from the command line and in debugging use a stable API key 2020-11-26 07:11:49 -05:00
Richard Willis f66e609d3f
Api spec cleanup (#1869)
* Fix indentation

* Add parameter definition and remove unused model

* Update version

* Quote example string
2020-11-26 06:56:04 -05:00
David Duque ef282fc7d0
Version bump - v0.51.POWER.1 2020-11-21 02:42:26 +00:00
David Duque ef116f13de
system-status: Make system status cover the whole page width 2020-11-21 02:41:37 +00:00
David Duque a35b885fac
Replace dead glyphicons (with FontAwesome alternative) 2020-11-21 02:27:52 +00:00
David Duque 4fcde9223e
modal: Reorder header positions 2020-11-21 02:02:43 +00:00
Victor b85b86e6de
Add download zonefile button to external DNS page (#1853)
Co-authored-by: Joshua Tauberer <jt@occams.info>
2020-11-16 06:03:41 -05:00
Joshua Tauberer 7fd35bbd11 Disable default Nextcloud apps that we don't support
Contacts and calendar are the only supported apps in Mail-in-a-Box.

Files can't be disabled.

Fixes #1864
2020-11-15 17:17:58 -05:00
David Duque 2f50c5e6c2
Version bump 2020-11-15 18:45:13 +00:00
David Duque c767f9eebe
Update Bootstrap to version 4.5.3 2020-11-15 18:33:46 +00:00
David Duque a67a57913d v0.51 (November 14, 2020)
Software updates:
 
 * Upgraded Nextcloud from 17.0.6 to 20.0.1 (with Contacts from 3.3.0 to 3.4.1 and Calendar from 2.0.3 to 2.1.2)
 * Upgraded Roundcube to version 1.4.9.
 
 Mail:
 
 * The MTA-STA max_age value was increased to the normal one week.
 
 Control Panel:
 
 * Two-factor authentication can now be enabled for logins to the control panel. However, keep in mind that many online services (including domain name registrars, cloud server providers, and TLS certificate providers) may allow an attacker to take over your account or issue a fraudulent TLS certificate with only access to your email address, and this new two-factor authentication does not protect access to your inbox. It therefore remains very important that user accounts with administrative email addresses have strong passwords.
 * TLS certificate expiry dates are now shown in ISO8601 format for clarity.
 -----BEGIN PGP SIGNATURE-----
 
 iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl+v8k4PHGp0QG9jY2Ft
 cy5pbmZvAAoJELkgQfTBC92BMYUIAJTD1iKzY1SoDNSp8JMPn2sWusOnJNrnvYEV
 vsrBM4AzwJv3DIZKSkYCitbTQW2FsTcjF6Jl5PCavEmAGe55AIKAPM/52Uq6jqDE
 aR8EZvI9ca1i7yR7DOHEI043QSPmp/iCFD48vvmKgN/LZy67TaHaOlGJbc3nfpk0
 y7ejMpF/6RP6ik4snnRQoWTFShaOpB9WcEVnUO7CHZdWcpSCZ55c9yi6A6ExGk7e
 97R5+JN1MgOdZ6rzWZuMWiz7EZ/Ew4jYLZpOwg8qJm0HNbYJ6+/xxsQBwaQzyBw3
 TsTl4GmunNPfoNrmKdJeLy0sBwiVBv/rysjWjim5v8jAYBoKoUQ=
 =2oRU
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEAKK/toPAcMkE+dinLzJ3OKPArjoFAl+xc7sACgkQLzJ3OKPA
 rjo6Zw//eYyTBlfQfFHIsLYKxJbwh6fDrIG6/Za6898cPhkJ/ugBeJlNEyT/EjpU
 MvtIgEU9xbG/tjsnQXsgAXJ6s7ZWm1QB5D+wqUIEeAFUn5IkCnXo0wPZJhSTNZhD
 4InnWsicYZj/ByuSH179xHyTAx2uYDBbPT4HjUlzIsaopvWOKLvAfzY3r42AiNvZ
 e79MhKbtOs9kDkrB2LULRzz6WzJDKb11fJccf7UaBerwFvOarMr8hSpOysK0ocHk
 H0wbrGxjb8iBjczVP4OFh36satQ5l4B1W+QVIxZG9ufVAOe3dhv8HngaHqAVyUgF
 gWjDYTnL/anoMMew+kbn2sjeKH6m2ZA+u9g+mDyMGSECVVYhkpOpcbPjZlmlNAQN
 C5BHmHltIg90uicrhzEEPFDBR1JF7JrYO42EwnOWMwjhzRkH2cepVw86lDr+pbrH
 s3hvoWiFFt7cs5ShCpgZDL20ey1e+9wL6b72Qlo7ls7MK3vfZvLPxJLpTi+bnymD
 CNt82Mjpu3BrhjCIGp+px9E2JU/7wUwqyUbgWFtyqxCdJOZXA4ZXVtDs5pQFzhug
 G+Z1HxFmhxck17SD0uHhXJKRD8IRttnO5sBESJaLNB4Ws/KspHVPePNskB/1XSfr
 pFOqikZsoKOICZnpd/eTnUlciqFygqvB0WuFsJNttQN2dBpJViA=
 =ZMFZ
 -----END PGP SIGNATURE-----

Merge upstream v0.51
2020-11-15 18:30:19 +00:00
gumida 7ce41e3865
Changed mta-sts.txt end of line from LF to CRLF per RFC 8461 (#1863) 2020-11-15 07:54:34 -05:00
Joshua Tauberer 92221f9efb v0.51 2020-11-14 10:05:20 -05:00
Joshua Tauberer 0bd3977cde CHANGELOG updates 2020-10-31 10:36:40 -04:00
Joshua Tauberer 6a979f4f52
Add TOTP two-factor authentication to admin panel login (#1814)
* add user interface for managing 2fa

* update user schema with 2fa columns

* implement two factor check during login

* Use pyotp for validating TOTP codes

* also implements resynchronisation support via `pyotp`'s `valid_window option

* Update API route naming, update setup page

* Rename /two-factor-auth/ => /2fa/
* Nest totp routes under /2fa/totp/
* Update ids and methods in panel to allow for different setup types

* Autofocus otp input when logging in, update layout

* Extract TOTPStrategy class to totp.py

* this decouples `TOTP` validation and storage logic from `auth` and moves it to `totp`
* reduce `pyotp.validate#valid_window` from `2` to `1`

* Update OpenApi docs, rename /2fa/ => /mfa/

* Decouple totp from users table by moving to totp_credentials table

* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credentials per user on db-level

* Add sqlite migration

* Rename internal validate_two_factor_secret => validate_two_factor_secret

* conn.close() if mru_token update can't .commit()

* Address review feedback, thanks @hija

* Use hmac.compare_digest() to compare mru_token

* Safeguard against empty mru_token column

* hmac.compare_digest() expects arguments of type string, make sure we don't pass None
 * Currently, this cannot happen but we might not want to store `mru_token` during setup

* Do not log failed login attempts for MissingToken errors

* Due to the way that the /login UI works, this persists at least one failed login each time a user logs into the admin panel. This in turn triggers fail2ban at some point.

* Add TOTP secret to user_key hash

thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`

* Typo

* Reorganize the MFA backend methods

* Reorganize MFA front-end and add label column

* Fix handling of bad input when enabling mfa

* Update openAPI docs

* Remove unique key constraint on foreign key user_id in mfa table

* Don't expose mru_token and secret for enabled mfas over HTTP

* Only update mru_token for matched mfa row

* Exclude mru_token in user key hash

* Rename tools/mail.py to management/cli.py

* Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost

Co-authored-by: Joshua Tauberer <jt@occams.info>
2020-10-31 10:27:38 -04:00
Joshua Tauberer 545e7a52e4 Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost 2020-10-31 10:23:43 -04:00
David Duque 48c233ebe5
Update Roundcube to version 1.4.9 (#1830) 2020-10-31 10:01:14 -04:00
Michael Kroes 9a588de754
Upgrade Nextcloud to version 20.0.1 (#1848) 2020-10-31 09:58:26 -04:00
Joshua Tauberer ac9ecc3bd3 Rename tools/mail.py to management/cli.py 2020-10-29 15:41:54 -04:00
David Duque 8b166f3041
Display certificate expiry dates in ISO format (#1841) 2020-10-16 16:22:36 -04:00
Joshua Tauberer 5509420637 s/Days/Retention Days/ on the backup settings page 2020-10-15 14:11:43 -04:00
Felix Spöttel 7d6c7b6610
Increase mta-sts max_age to one week (#1829)
This aligns the policy with the example policy found in the  spec
see https://tools.ietf.org/html/rfc8461#section-3.2
2020-10-02 21:27:21 -04:00
Felix Spöttel 1f0e493b8c Exclude mru_token in user key hash 2020-09-30 12:34:26 +02:00
Felix Spöttel ada2167d08 Only update mru_token for matched mfa row 2020-09-29 20:05:58 +02:00
Felix Spöttel be5032ffbe Don't expose mru_token and secret for enabled mfas over HTTP 2020-09-29 19:46:02 +02:00
Felix Spöttel 00b3a3b0a9 Remove unique key constraint on foreign key user_id in mfa table 2020-09-29 19:39:40 +02:00
Felix Spöttel 6d82c0035a Update openAPI docs 2020-09-28 21:27:24 +02:00
Felix Spöttel 4dced10a3f Fix handling of bad input when enabling mfa 2020-09-28 21:06:59 +02:00
Joshua Tauberer b80f225691 Reorganize MFA front-end and add label column 2020-09-27 08:31:23 -04:00
0pis 7f0f28f8e3
Use tabs instead of spaces in nginx conf (#1827)
* conf/nginx-primaryonly.conf: Use tabs instead of spaces
* management/web_update.py: Includes the tabs so they display with the correct indentation when added to the local.conf

Co-authored-by: 0pis <0pis>
2020-09-27 07:13:33 -04:00
David Duque 59f36b4dd6
Release v0.50.POWER.1 2020-09-27 02:36:03 +01:00
David Duque d3b5ddf891
Update Bootstrap: 4.5.2 2020-09-27 02:34:37 +01:00
David Duque 5caaf4fd98
Update Nextcloud: 19.0.3 2020-09-27 02:23:45 +01:00
David Duque 2bfa65329a
Keep root in actual local.conf file 2020-09-27 02:17:49 +01:00
David Duque 81c64f0a8f
Re-add webmail roundcube (to primaryonly) 2020-09-27 02:05:16 +01:00
David Duque 4b7f6e20da
Update nginx files to discard non-essential locations for non-primary domains 2020-09-27 02:01:17 +01:00
David Duque 7725e6efe6
Revert .nginx.conf file features 2020-09-27 01:31:51 +01:00
David Duque 689df9cff5
Version bump 2020-09-27 00:38:53 +01:00
David Duque 6c608ea868
Update API docs 2020-09-27 00:36:33 +01:00
Joshua Tauberer a8ea456b49 Reorganize the MFA backend methods 2020-09-26 09:58:25 -04:00
David Duque 7de99aa690 v0.50 (September 25, 2020)
--------------------------
 
 Setup:
 
 * When upgrading from versions before v0.40, setup will now warn that ownCloud/Nextcloud data cannot be migrated rather than failing the installation.
 
 Mail:
 
 * An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced.
 * The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT.
 
 DNS:
 
 * autoconfig and autodiscover subdomains and CalDAV/CardDAV SRV records are no longer generated for domains that don't have user accounts since they are unnecessary.
 * IPv6 addresses can now be specified for secondary DNS nameservers in the control panel.
 
 TLS:
 
 * TLS certificates are now provisioned in groups by parent domain to limit easy domain enumeration and make provisioning more resilient to errors for particular domains.
 
 Control Panel:
 
 * The control panel API is now fully documented at https://mailinabox.email/api-docs.html.
 * User passwords can now have spaces.
 * Status checks for automatic subdomains have been moved into the section for the parent domain.
 * Typo fixed.
 
 Web:
 
 * The default web page served on fresh installations now adds the `noindex` meta tag.
 * The HSTS header is revised to also be sent on non-success responses.
 -----BEGIN PGP SIGNATURE-----
 
 iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl9t2AgPHGp0QG9jY2Ft
 cy5pbmZvAAoJELkgQfTBC92BZNkH/1jIGoWTz0xlS+e+TeXpHoCp/7zYAvQq/a/y
 vj9t1N1+bBg6Ywbd8UxyvOHwuL/UQU/5LTq6hk3gD+2ARfJUvDRbb047Xzlisg3N
 LhNoVhVbsxqKP1X2ZjeIBq9DgzMavuB64Bwd5UNdceM0Addi8KuCDOMF+FNY2t8k
 xytGjYdBi1/BG6SLBX+FAm5yrJghmkUJs2FnJjebSyyeV2HP3L1iBrk2N8UBd6PU
 fVjde534lgygFZK/8yXJpY2olfLMYJv7CaOMxvaW6RpbMI8VeLwDLfRt5LcrQZqq
 YXkuEnUI0eygbQYkeK/Vr1Vey6uQAWzIfbImEglHfvOXsZSYFXs=
 =SJNM
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEAKK/toPAcMkE+dinLzJ3OKPArjoFAl9vB/0ACgkQLzJ3OKPA
 rjpXTg/+L2W6LXtqJcDdPiLb7uRJ1a+R7DAPPLhZOXT8alFt6g2nAJHHI3NxKWVM
 KsrSGlL+XSw744tfEzw21WsDuoME2F536/q4V4iprQx0LSJ61EQtqFYABbHT7lSc
 EyJellcIBxvK9ZTrHhJy3jVJL5eEkrHr4YpaRd68CZGneziMbxZusrlD23OfOn+U
 Pi6O39+Xh9lB4nxMfzkjYwCPEyNsTaCieKforPE+7TYh6d5NFHp22e2/yNEwYHhv
 90txul+/ByeT6UNFsVQ+QXCpMr/m06W9zbCDgrArol12MlgeAg4bL2trgDUV2D9j
 Dpfo1SYo/VUYetlT98adxW7BK2JuGe3SsFDrgjNPDyMBZRoybLY/l1X5TF5d7dq/
 bhgDcHXSJ6iBmhZ8nGDuBWhiEld9orn/9vfj/nHmleurXxgDwMcGKn0eINDuX8Xd
 NauJdhyOiZLfy8+Rha9ltLlFC/sX8nq0o6iM1Xr+4UOTFVVxlVadkPTMOxuRIQfD
 +JaMRCoXLfbAknoGdKfAcxEAzzyylO6z4Ztj/fVp9SHjQgby1paLpJMHEVUaQzEZ
 VYqdOzmz7vrV1H5OHOIy6mthQrTw+Mg4KubJs7w99e3pZKJBpvp55+DLvA0JhKLD
 dVXqr7rBTkLk/tg4u2SWlj3aZOnkzMz0Iwiu5X+hx3kLl0f3Zgk=
 =VgsY
 -----END PGP SIGNATURE-----

Merge v0.50 from upstream
2020-09-26 10:21:01 +01:00
Joshua Tauberer 03bff5292b v0.50
v0.50 (September 25, 2020)
--------------------------

Setup:

* When upgrading from versions before v0.40, setup will now warn that ownCloud/Nextcloud data cannot be migrated rather than failing the installation.

Mail:

* An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced.
* The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT.

DNS:

* autoconfig and autodiscover subdomains and CalDAV/CardDAV SRV records are no longer generated for domains that don't have user accounts since they are unnecessary.
* IPv6 addresses can now be specified for secondary DNS nameservers in the control panel.

TLS:

* TLS certificates are now provisioned in groups by parent domain to limit easy domain enumeration and make provisioning more resilient to errors for particular domains.

Control Panel:

* The control panel API is now fully documented at https://mailinabox.email/api-docs.html.
* User passwords can now have spaces.
* Status checks for automatic subdomains have been moved into the section for the parent domain.
* Typo fixed.

Web:

* The default web page served on fresh installations now adds the `noindex` meta tag.
* The HSTS header is revised to also be sent on non-success responses.
2020-09-25 07:43:30 -04:00
Joshua Tauberer e891a9a3f3 Update CHANGELOG 2020-09-21 15:59:38 -04:00
Joshua Tauberer 51aedcf6c3 Drop the MTA-STS TLSRPT record unless set explicitly 2020-09-21 15:57:17 -04:00
b-k 853008ddcc
Be more forgiving of people who missed the train on upgrading NextCloud (#1813)
Co-authored-by: B <ben@klemens.org>
2020-09-21 15:45:58 -04:00
Felix Spöttel 7d6427904f Typo 2020-09-12 16:38:44 +02:00
Felix Spöttel dcb93d071c Add TOTP secret to user_key hash
thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`
2020-09-12 16:34:06 +02:00
Felix Spöttel 2ea97f0643 Do not log failed login attempts for MissingToken errors
* Due to the way that the /login UI works, this persists at least one failed login each time a user logs into the admin panel. This in turn triggers fail2ban at some point.
2020-09-06 13:08:44 +02:00
Felix Spöttel 4791c2fc62 Safeguard against empty mru_token column
* hmac.compare_digest() expects arguments of type string, make sure we don't pass None
 * Currently, this cannot happen but we might not want to store `mru_token` during setup
2020-09-06 13:03:54 +02:00
Felix Spöttel 49c333221a Use hmac.compare_digest() to compare mru_token 2020-09-06 12:54:45 +02:00