Commit Graph

212 Commits

Author SHA1 Message Date
KiekerJan 87be897d36 update DH security to 4096 2021-08-01 21:52:37 +02:00
KiekerJan 3592b6463d add ipv6 localhost to ignore ip list 2021-07-04 20:09:07 +02:00
github@kiekerjan.isdronken.nl 212b9a31df add definition of admin ipv6 address 2021-06-27 22:12:15 +02:00
github@kiekerjan.isdronken.nl ca5fb3c2e0 Merge changes from upstream v0.54 2021-06-20 23:36:54 +02:00
KiekerJan 95712e196b remove chkrootkit,too many false positives 2021-06-05 09:53:07 +02:00
KiekerJan f722eef9d7 remove not belonging data 2021-05-31 23:45:46 +02:00
github@kiekerjan.isdronken.nl 9f7ced57a6 add favicon 2021-05-31 23:38:35 +02:00
KiekerJan a24c01973f doveadm fts rescan clears the indices, we don't want that 2021-05-30 21:11:47 +02:00
KiekerJan 7ffc87c529 more to ignore for chkrootkit 2021-05-28 23:37:53 +02:00
KiekerJan b0e053bc4a update chkrootkit ignore file 2021-05-18 13:03:23 +02:00
Joshua Tauberer d510c8ae2a Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)
Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2021-05-15 16:42:14 -04:00
KiekerJan 6f804ea5fe only cron errors as output 2021-05-09 09:23:58 +02:00
github@kiekerjan.isdronken.nl 6aec61e4e8 cleanup solr files 2021-05-08 23:43:39 +02:00
github@kiekerjan.isdronken.nl 23c0388bb3 base for xapian dovecot fts 2021-05-08 22:35:46 +02:00
KiekerJan 575e5144d5 add ignore file for chkrootkit 2021-05-01 23:36:51 +02:00
github@kiekerjan.isdronken.nl 7368b4caea simplify fail2ban configuration 2021-04-28 15:57:52 +02:00
github@kiekerjan.isdronken.nl 7089bd2748 solr fixes 2021-04-26 09:40:27 +02:00
github@kiekerjan.isdronken.nl b1671df028 update once every hour, not every day 2021-04-25 20:53:32 +02:00
github@kiekerjan.isdronken.nl 3bf241c3e0 add postfix spamhaus jail 2021-04-23 22:03:22 +02:00
github@kiekerjan.isdronken.nl 1292dce11e merge from 1804 version 2021-04-21 22:42:10 +02:00
github@kiekerjan.isdronken.nl e946276f15 install solr without ubuntu package 2021-04-21 22:26:49 +02:00
github@kiekerjan.isdronken.nl ef5b536f43 optimize solr cron and log 2021-04-18 21:52:17 +02:00
github@kiekerjan.isdronken.nl 4aaee13c1c Add solr full text search based on https://github.com/jvolkenant/mailinabox/tree/solr-jetty 2021-04-17 23:00:14 +02:00
github@kiekerjan.isdronken.nl c24ca5abd4 include changes from v0.53. Remove some POWER modifications to closer follow original mialinabox 2021-04-13 09:50:23 +02:00
github@kiekerjan.isdronken.nl daf5a62e83 Merge changes from kiekerjan special 2021-04-11 20:45:24 +02:00
github@kiekerjan.isdronken.nl 12d0aee27a Add own changes 2021-04-11 12:14:41 +02:00
David Duque 4829e687ff
Merge changes from master 2021-01-31 16:20:15 +00:00
David Duque a67a57913d v0.51 (November 14, 2020)
Software updates:
 
 * Upgraded Nextcloud from 17.0.6 to 20.0.1 (with Contacts from 3.3.0 to 3.4.1 and Calendar from 2.0.3 to 2.1.2)
 * Upgraded Roundcube to version 1.4.9.
 
 Mail:
 
 * The MTA-STA max_age value was increased to the normal one week.
 
 Control Panel:
 
 * Two-factor authentication can now be enabled for logins to the control panel. However, keep in mind that many online services (including domain name registrars, cloud server providers, and TLS certificate providers) may allow an attacker to take over your account or issue a fraudulent TLS certificate with only access to your email address, and this new two-factor authentication does not protect access to your inbox. It therefore remains very important that user accounts with administrative email addresses have strong passwords.
 * TLS certificate expiry dates are now shown in ISO8601 format for clarity.
 -----BEGIN PGP SIGNATURE-----
 
 iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl+v8k4PHGp0QG9jY2Ft
 cy5pbmZvAAoJELkgQfTBC92BMYUIAJTD1iKzY1SoDNSp8JMPn2sWusOnJNrnvYEV
 vsrBM4AzwJv3DIZKSkYCitbTQW2FsTcjF6Jl5PCavEmAGe55AIKAPM/52Uq6jqDE
 aR8EZvI9ca1i7yR7DOHEI043QSPmp/iCFD48vvmKgN/LZy67TaHaOlGJbc3nfpk0
 y7ejMpF/6RP6ik4snnRQoWTFShaOpB9WcEVnUO7CHZdWcpSCZ55c9yi6A6ExGk7e
 97R5+JN1MgOdZ6rzWZuMWiz7EZ/Ew4jYLZpOwg8qJm0HNbYJ6+/xxsQBwaQzyBw3
 TsTl4GmunNPfoNrmKdJeLy0sBwiVBv/rysjWjim5v8jAYBoKoUQ=
 =2oRU
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEAKK/toPAcMkE+dinLzJ3OKPArjoFAl+xc7sACgkQLzJ3OKPA
 rjo6Zw//eYyTBlfQfFHIsLYKxJbwh6fDrIG6/Za6898cPhkJ/ugBeJlNEyT/EjpU
 MvtIgEU9xbG/tjsnQXsgAXJ6s7ZWm1QB5D+wqUIEeAFUn5IkCnXo0wPZJhSTNZhD
 4InnWsicYZj/ByuSH179xHyTAx2uYDBbPT4HjUlzIsaopvWOKLvAfzY3r42AiNvZ
 e79MhKbtOs9kDkrB2LULRzz6WzJDKb11fJccf7UaBerwFvOarMr8hSpOysK0ocHk
 H0wbrGxjb8iBjczVP4OFh36satQ5l4B1W+QVIxZG9ufVAOe3dhv8HngaHqAVyUgF
 gWjDYTnL/anoMMew+kbn2sjeKH6m2ZA+u9g+mDyMGSECVVYhkpOpcbPjZlmlNAQN
 C5BHmHltIg90uicrhzEEPFDBR1JF7JrYO42EwnOWMwjhzRkH2cepVw86lDr+pbrH
 s3hvoWiFFt7cs5ShCpgZDL20ey1e+9wL6b72Qlo7ls7MK3vfZvLPxJLpTi+bnymD
 CNt82Mjpu3BrhjCIGp+px9E2JU/7wUwqyUbgWFtyqxCdJOZXA4ZXVtDs5pQFzhug
 G+Z1HxFmhxck17SD0uHhXJKRD8IRttnO5sBESJaLNB4Ws/KspHVPePNskB/1XSfr
 pFOqikZsoKOICZnpd/eTnUlciqFygqvB0WuFsJNttQN2dBpJViA=
 =ZMFZ
 -----END PGP SIGNATURE-----

Merge upstream v0.51
2020-11-15 18:30:19 +00:00
gumida 7ce41e3865
Changed mta-sts.txt end of line from LF to CRLF per RFC 8461 (#1863) 2020-11-15 07:54:34 -05:00
Felix Spöttel 7d6c7b6610
Increase mta-sts max_age to one week (#1829)
This aligns the policy with the example policy found in the  spec
see https://tools.ietf.org/html/rfc8461#section-3.2
2020-10-02 21:27:21 -04:00
0pis 7f0f28f8e3
Use tabs instead of spaces in nginx conf (#1827)
* conf/nginx-primaryonly.conf: Use tabs instead of spaces
* management/web_update.py: Includes the tabs so they display with the correct indentation when added to the local.conf

Co-authored-by: 0pis <0pis>
2020-09-27 07:13:33 -04:00
David Duque 2bfa65329a
Keep root in actual local.conf file 2020-09-27 02:17:49 +01:00
David Duque 81c64f0a8f
Re-add webmail roundcube (to primaryonly) 2020-09-27 02:05:16 +01:00
David Duque 4b7f6e20da
Update nginx files to discard non-essential locations for non-primary domains 2020-09-27 02:01:17 +01:00
David Duque 7725e6efe6
Revert .nginx.conf file features 2020-09-27 01:31:51 +01:00
David Duque 7de99aa690 v0.50 (September 25, 2020)
--------------------------
 
 Setup:
 
 * When upgrading from versions before v0.40, setup will now warn that ownCloud/Nextcloud data cannot be migrated rather than failing the installation.
 
 Mail:
 
 * An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced.
 * The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT.
 
 DNS:
 
 * autoconfig and autodiscover subdomains and CalDAV/CardDAV SRV records are no longer generated for domains that don't have user accounts since they are unnecessary.
 * IPv6 addresses can now be specified for secondary DNS nameservers in the control panel.
 
 TLS:
 
 * TLS certificates are now provisioned in groups by parent domain to limit easy domain enumeration and make provisioning more resilient to errors for particular domains.
 
 Control Panel:
 
 * The control panel API is now fully documented at https://mailinabox.email/api-docs.html.
 * User passwords can now have spaces.
 * Status checks for automatic subdomains have been moved into the section for the parent domain.
 * Typo fixed.
 
 Web:
 
 * The default web page served on fresh installations now adds the `noindex` meta tag.
 * The HSTS header is revised to also be sent on non-success responses.
 -----BEGIN PGP SIGNATURE-----
 
 iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl9t2AgPHGp0QG9jY2Ft
 cy5pbmZvAAoJELkgQfTBC92BZNkH/1jIGoWTz0xlS+e+TeXpHoCp/7zYAvQq/a/y
 vj9t1N1+bBg6Ywbd8UxyvOHwuL/UQU/5LTq6hk3gD+2ARfJUvDRbb047Xzlisg3N
 LhNoVhVbsxqKP1X2ZjeIBq9DgzMavuB64Bwd5UNdceM0Addi8KuCDOMF+FNY2t8k
 xytGjYdBi1/BG6SLBX+FAm5yrJghmkUJs2FnJjebSyyeV2HP3L1iBrk2N8UBd6PU
 fVjde534lgygFZK/8yXJpY2olfLMYJv7CaOMxvaW6RpbMI8VeLwDLfRt5LcrQZqq
 YXkuEnUI0eygbQYkeK/Vr1Vey6uQAWzIfbImEglHfvOXsZSYFXs=
 =SJNM
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEAKK/toPAcMkE+dinLzJ3OKPArjoFAl9vB/0ACgkQLzJ3OKPA
 rjpXTg/+L2W6LXtqJcDdPiLb7uRJ1a+R7DAPPLhZOXT8alFt6g2nAJHHI3NxKWVM
 KsrSGlL+XSw744tfEzw21WsDuoME2F536/q4V4iprQx0LSJ61EQtqFYABbHT7lSc
 EyJellcIBxvK9ZTrHhJy3jVJL5eEkrHr4YpaRd68CZGneziMbxZusrlD23OfOn+U
 Pi6O39+Xh9lB4nxMfzkjYwCPEyNsTaCieKforPE+7TYh6d5NFHp22e2/yNEwYHhv
 90txul+/ByeT6UNFsVQ+QXCpMr/m06W9zbCDgrArol12MlgeAg4bL2trgDUV2D9j
 Dpfo1SYo/VUYetlT98adxW7BK2JuGe3SsFDrgjNPDyMBZRoybLY/l1X5TF5d7dq/
 bhgDcHXSJ6iBmhZ8nGDuBWhiEld9orn/9vfj/nHmleurXxgDwMcGKn0eINDuX8Xd
 NauJdhyOiZLfy8+Rha9ltLlFC/sX8nq0o6iM1Xr+4UOTFVVxlVadkPTMOxuRIQfD
 +JaMRCoXLfbAknoGdKfAcxEAzzyylO6z4Ztj/fVp9SHjQgby1paLpJMHEVUaQzEZ
 VYqdOzmz7vrV1H5OHOIy6mthQrTw+Mg4KubJs7w99e3pZKJBpvp55+DLvA0JhKLD
 dVXqr7rBTkLk/tg4u2SWlj3aZOnkzMz0Iwiu5X+hx3kLl0f3Zgk=
 =VgsY
 -----END PGP SIGNATURE-----

Merge v0.50 from upstream
2020-09-26 10:21:01 +01:00
Hilko 1098e2b48e
Add noindex to www_default meta tags (#1791) 2020-07-29 10:03:33 -04:00
David Duque c8fbe2dd5d
Determine the PHP version at runtime (instead of at setup-time) 2020-07-15 15:28:02 +01:00
David Duque ffc7e8d77e
Add comments explaining 2020-06-28 10:05:25 +01:00
David Duque 7f305ee02e
Add /.well-known/mta-sts.txt to all nginx dotfiles 2020-06-28 09:57:28 +01:00
David Duque 022a11e159 Merge remote-tracking branch 'up/master' 2020-06-21 15:52:31 +01:00
David Duque 5d6c23cff9 Finalize php configuration 2020-06-21 15:18:46 +01:00
A. Schippers afc9f9686a
Publish MTA-STS policy for incoming mail (#1731)
Co-authored-by: Daniel Mabbett <triumph_2500@hotmail.com>
2020-05-29 15:30:07 -04:00
David Duque de115fe01e Merge remote-tracking branch 'up/master' 2020-05-11 19:42:54 +01:00
yeuna92 c87b62b8c2
Fix path to Roundcube error log in fail2ban jails.conf (#1761) 2020-05-11 08:59:42 -04:00
Joshua Tauberer c19f8c9ee6 Change Mozilla autoconfig useGlobalPreferredServer property to false
Fixes #1736.
2020-05-10 19:29:01 -04:00
David Duque 5f15c2e53b
Fix some stuff 2020-04-20 19:15:43 +01:00
David Duque 72070ee7bd
Create custom nginx files 2020-04-20 18:17:41 +01:00
David Duque b6342d34d2
Start web templating work 2020-04-20 15:55:05 +01:00
David Duque 2ce037af5e
Modifications to nginx configuration files 2020-04-20 13:05:58 +01:00