1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-04-05 00:27:25 +00:00
Commit Graph

879 Commits

Author SHA1 Message Date
downtownallday
8392eacd94 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-12-28 08:59:09 -05:00
jvolkenant
c92fd02262
Don't die if column already exists on Nextcloud 18 upgrade (#2078) 2021-12-25 10:17:34 -05:00
downtownallday
d9cd7d2002 Add a setup mod to configure unattended-upgrades to email root on failures 2021-12-15 09:03:58 -05:00
downtownallday
177fd19b9b Increase session lifetime from 10 minutes to 1 hour 2021-12-05 16:22:12 -05:00
downtownallday
6c24a130b9 Display common name in the directory 2021-12-05 16:11:48 -05:00
downtownallday
d2c4be41e0 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-12-02 06:10:01 -05:00
Ilnahro
50a5cb90bc
Include rsync to the installed basic packages (#2067)
Some VPS providers strip this package from their Ubuntu 18.04 VM images. This will help avoid errors.
2021-11-30 19:50:01 -05:00
downtownallday
06216876a2 Update roundcube carddav plugin to support roundcube 1.5 and close a security hole 2021-11-15 16:07:54 -05:00
downtownallday
334c7f71b5 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-11-13 19:36:00 -05:00
jvolkenant
58b0323b36
Update persistent_login for Roundcube 1.5 (#2055) 2021-11-04 18:59:10 -04:00
downtownallday
bb543700f5 Fix smart host alias (alias with no forward to's). Postfix recently started rejecting these mails with "Sender address rejected: domain not found". This ensures the special case is handled properly. 2021-10-19 08:15:28 -04:00
downtownallday
00805cb52c Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
2021-10-19 07:11:33 -04:00
Joshua Tauberer
65861c68b7 Version 55 2021-10-18 20:40:51 -04:00
Joshua Tauberer
71a7a3e201 Upgrade to Roundcube 1.5 2021-10-18 20:40:51 -04:00
downtownallday
31dc96757c Add help text 2021-10-02 10:10:06 -04:00
downtownallday
66ac35871e Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
Upstream is adding handling for utf8 domains by creating a domain alias @utf8 -> @idna. I'm deviating from this approach by setting multiple email address (idna and utf8) per user and alias where a domain contains non-ascii characters. The maildrop (mailbox) remains the same - all mail goes to the user's mailbox regardless of which email address was used. This is more in line with how other systems (eg. active directory), handle multiple email addresses for a single user.

# Conflicts:
#	README.md
#	management/mailconfig.py
#	management/templates/index.html
#	setup/dns.sh
#	setup/mail-users.sh
2021-10-01 17:43:48 -04:00
Joshua Tauberer
113b7bd827 Disable SMTPUTF8 in Postfix because Dovecot LMTP doesn't support it and bounces messages that require SMTPUTF8
By not advertising SMTPUTF8 support at the start, senders may opt to transmit recipient internationalized domain names in IDNA form instead, which will be deliverable.

Incoming mail with internationalized domains was probably working prior to our move to Ubuntu 18.04 when postfix's SMTPUTF8 support became enabled by default.

The previous commit is retained because Mail-in-a-Box users might prefer to keep SMTPUTF8 on for outbound mail, if they are not using internationalized domains for email, in which case the previous commit fixes the 'relay access denied' error even if the emails aren't deliverable.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
3e19f85fad Add domain maps from Unicode forms of internationalized domains to their ASCII forms
When an email is received by Postfix using SMTPUTF8 and the recipient domain is a Unicode internationalized domain, it was failing to be delivered (bouncing with 'relay access denied') because our users and aliases tables only store ASCII (IDNA) forms of internationalized domains. In this commit, domain maps are added to the auto_aliases table from the Unicode form of each mail domain to its IDNA form, if those forms are different. The Postfix domains query is updated to look at the auto_aliases table now as well, since it is the only table with Unicode forms of the mail domains.

However, mail delivery is still not working since the Dovecot LMTP server does not support SMTPUTF8, and mail still bounces but with an error that SMTPUTF8 is not supported.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
11e84d0d40 Move automatically generated aliases to a separate database table
They really should never have been conflated with the user-provided aliases.

Update the postfix alias map to query the automatically generated aliases with lowest priority.
2021-09-24 08:11:36 -04:00
drpixie
df46e1311b
Include NSD config files from /etc/nsd/nsd.conf.d/*.conf (#2035)
And write MIAB dns zone config into /etc/nsd/nsd.conf.d/zones.conf. Delete lingering old zones.conf file.

Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-24 08:07:40 -04:00
downtownallday
3d32dbab22 Explicitly create a /etc/ldap/ldap.conf in the docker image so ldap tools recognize the system's trusted root certificate list 2021-09-14 08:18:53 -04:00
downtownallday
402207714b Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	management/auth.py
#	management/daemon.py
#	management/templates/index.html
#	setup/management.sh
2021-09-14 08:16:08 -04:00
Joshua Tauberer
e884c4774f Replace HMAC-based session API keys with tokens stored in memory in the daemon process
Since the session cache clears keys after a period of time, this fixes #1821.

Based on https://github.com/mail-in-a-box/mailinabox/pull/2012, and so:

Co-Authored-By: NewbieOrange <NewbieOrange@users.noreply.github.com>

Also fixes #2029 by not revealing through the login failure error message whether a user exists or not.
2021-09-06 09:23:58 -04:00
Joshua Tauberer
700188c443 Roundcube 1.5 RC 2021-09-06 09:23:58 -04:00
downtownallday
71d3b79965 avoid installing php-xsl, which is a virtual package provided by php-xml on github images 2021-08-23 13:45:25 -04:00
downtownallday
508ac8b0f8 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	CHANGELOG.md
#	README.md
2021-07-18 20:41:37 -04:00
Joshua Tauberer
4cb46ea465 v0.54 2021-06-20 15:50:04 -04:00
downtownallday
fc4ad70535 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	management/dns_update.py
#	management/web_update.py
#	tests/test_mail.py
2021-05-15 22:35:48 -04:00
Joshua Tauberer
d510c8ae2a Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)
Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2021-05-15 16:42:14 -04:00
downtownallday
7144ed041e Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
#	setup/start.sh
2021-05-08 09:20:04 -04:00
Joshua Tauberer
dbd6dae5ce Fix exit status issue cased by 69fc2fdd 2021-05-08 09:02:48 -04:00
Thomas Urban
3701e05d92
Rewrite envelope from address in sieve forwards (#1949)
Fixes #1946.
2021-05-08 08:30:53 -04:00
jvolkenant
49813534bd
Updated Nextcloud to 20.0.8, contacts to 3.5.1, calendar to 2.2.0 (#1960) 2021-05-08 08:24:04 -04:00
jvolkenant
16e81e1439
Fix to allow for non forced "enforce" MTA_STS_MODE (#1970) 2021-05-08 08:18:49 -04:00
Joshua Tauberer
b7b67e31b7 Merged point release branch for v0.53a
Changed the Z-Push download URL.
2021-05-08 08:14:39 -04:00
Joshua Tauberer
2e7f2835e7 v0.53a 2021-05-08 08:13:37 -04:00
Joshua Tauberer
8a5f9f464a Download Z-Push from alternate site
The old server has been down for a few days.

Solution from https://discourse.mailinabox.email/t/temporary-fix-for-failed-wget-o-tmp-z-push-zip-https-stash-z-hub-io/8028. Fixes #1974.
2021-05-08 07:59:53 -04:00
Joshua Tauberer
69fc2fdd3a Hide spurrious Nextcloud setup output 2021-05-03 19:41:00 -04:00
Joshua Tauberer
9b07d86bf7 Use $(...) notation instead of legacy backtick notation for embedded shell commands
shellcheck reported

    SC2006: Use $(...) notation instead of legacy backticked `...`.

Fixed by applying shellcheck's diff output as a patch.
2021-05-03 19:28:23 -04:00
Joshua Tauberer
ae3feebd80 Fix warnings reported by shellcheck
* SC2068: Double quote array expansions to avoid re-splitting elements.
* SC2186: tempfile is deprecated. Use mktemp instead.
* SC2124: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
* SC2102: Ranges can only match single chars (mentioned due to duplicates).
* SC2005: Useless echo? Instead of 'echo $(cmd)', just use 'cmd'.
2021-05-03 19:25:09 -04:00
downtownallday
1933818843 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-04-26 19:29:09 -04:00
Joshua Tauberer
2c295bcafd Upgrade the Roundcube persistent login cookie encryption to AES-256-CBC and increase the key length accordingly
This change will force everyone to be logged out of Roundcube since the encryption key and cipher won't match anyone's already-set cookie, but this happens anyway after every Mail-in-a-Box update since we generate a new key each time already.

Fixes #1968.
2021-04-23 17:04:56 -04:00
downtownallday
d20c3e6ffa Merge branch 'master' into postgrey-whitelist 2021-04-13 07:00:47 -04:00
downtownallday
4227fa2b42 Merge branch 'master' into reporting 2021-04-13 06:51:05 -04:00
downtownallday
6bfcd679e1 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
2021-04-13 00:22:55 -04:00
Downtown Allday
f14eb2cdce v0.53
# Conflicts:
#	README.md
2021-04-12 23:27:11 -04:00
Joshua Tauberer
178c587654 Migrate to the ECDSAP256SHA256 (13) DNSSEC algorithm
* Stop generating RSASHA1-NSEC3-SHA1 keys on new installs since it is no longer recommended, but preserve the key on existing installs so that we continue to sign zones with existing keys to retain the chain of trust with existing DS records.
* Start generating ECDSAP256SHA256 keys during setup, the current best practice (in addition to RSASHA256 which is also ok). See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 and https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/.
* Sign zones using all available keys rather than choosing just one based on the TLD to enable rotation/migration to the new key and to give the user some options since not every registrar/TLD supports every algorithm.
* Allow a user to drop a key from signing specific domains using DOMAINS= in our key configuration file. Signing the zones with extraneous keys may increase the size of DNS responses, which isn't ideal, although I don't know if this is a problem in practice. (Although a user can delete the RSASHA1-NSEC3-SHA1 key file, the other keys will be re-generated on upgrade.)
* When generating zonefiles, add a hash of all of the DNSSEC signing keys so that when the keys change the zone is definitely regenerated and re-signed.
* In status checks, if DNSSEC is not active (or not valid), offer to use all of the keys that have been generated (for RSASHA1-NSEC3-SHA1 on existing installs, RSASHA256, and now ECDSAP256SHA256) with all digest types, since not all registers support everything, but list them in an order that guides users to the best practice.
* In status checks, if the deployed DS record doesn't use a ECDSAP256SHA256 key, prompt the user to update their DS record.
* In status checks, if multiple DS records are set, only fail if none are valid. If some use ECDSAP256SHA256 and some don't, remind the user to delete the DS records that don't.
* Don't fail if the DS record uses the SHA384 digest (by pre-generating a DS record with that digest type) but don't recommend it because it is not in the IANA mandatory list yet (https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml).

See #1953
2021-04-12 19:42:12 -04:00
Joshua Tauberer
34569d24a9 v0.53 2021-04-11 12:45:37 -04:00
downtownallday
fe4581e849 Merge branch 'reporting' into postgrey-whitelist 2021-04-09 12:05:00 -04:00
downtownallday
8093837e93 use systemctl 'restart' instead of 'start' 2021-04-09 12:04:11 -04:00