1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-12-27 08:07:04 +00:00
Commit Graph

1773 Commits

Author SHA1 Message Date
Joshua Tauberer
e9cde52a48 two more cases of shelling out external programs in a more secure way, see cecda9cec5 2014-06-12 21:06:04 -04:00
Joshua Tauberer
c925f72b0b remove obsoleted parts of setup/dns.sh
Now that dns_update is a part of the management daemon, we no
longer are using STORAGE_ROOT/dns for anything.
2014-06-12 20:18:55 -04:00
Joshua Tauberer
e18c51293d update News Challenge status in README 2014-06-10 18:48:12 -04:00
Joshua Tauberer
d28d07f78e increase the postfix message size limit from 10MB to 128MB 2014-06-10 10:21:43 +00:00
Joshua Tauberer
cad868c6c9 reorganize mail.sh a little 2014-06-10 10:19:49 +00:00
Joshua Tauberer
8bd62aa3bc increase duplicity's volume size from the default of 25MB to 100MB so we create fewer files 2014-06-09 13:47:41 +00:00
Joshua Tauberer
5490142df5 re-do the backup script to use the duplicity program
Duplicity will manage the process of creating incremental backups for us.
Although duplicity can both encrypt & copy files to a remote host, I really
don't like PGP and so I don't want to use that.

Instead, we'll back up to a local directory unencrypted, then manually
encrypt the full & incremental backup files. Synchronizing the encrypted
backup directory to a remote host is a TODO.
2014-06-09 09:34:52 -04:00
Joshua Tauberer
cecda9cec5 management: shell out external programs in a more secure way 2014-06-09 08:09:45 -04:00
Joshua Tauberer
70bd96f643 Merge pull request #70 from mkropat/ipv6-support
Support dual-stack IPv4/IPv6 mail servers
2014-06-08 19:03:33 -04:00
Michael Kropat
fb957d2de7 Populate default values before echoing help text
Testing showed that it may take a few seconds for the default values to
populate.  If the help text is shown, “Enter the public IP address…,”
but no prompt is shown, the user may get confused and try to enter the
IP address before mailinabox has had a chance to figure out and display
a suitable default value.
2014-06-08 18:44:08 -04:00
Joshua Tauberer
cd1802fecc Filter privacy-sensitive headers on outgoing mail
This re-implements part of PR #69 by @mkropat, who wrote:

By default, Postfix adds a Received header — on all mail that you send —
that lists the IP of the device you sent the mail from.  This feature is
great if you're a mail provider and you need to debug why one user is
having sending issues.  This feature is not so great if you run your own
mail server and you don't want every recipient of every email you send
to know the device and IP you sent the email from.

To limit this filtering to outgoing mail only, we apply the filters just
to the submission port.  See these guides [1] [2] for more context.

  [1] http://askubuntu.com/a/78168/11259
  [2] http://www.void.gr/kargig/blog/2013/11/24/anonymize-headers-in-postfix/
2014-06-08 18:35:09 -04:00
Michael Kropat
ae67409603 Support dual-stack IPv4/IPv6 mail servers
Addresses #3

Added support by adding parallel code wherever `$PUBLIC_IP` was used.
Providing an IPv6 address is completely optional.

Playing around on my IPv6-enabled mail server revealed that — before
this change — mailinabox might try to use an IPv6 address as the value
for `$PUBLIC_IP`, which wouldn't work out well.
2014-06-08 18:32:52 -04:00
Joshua Tauberer
2c4212fa36 use editconf.py to mangle /etc/postfix/master.cf
* using it to enable the Postfix submission service
* per @mkropat's suggestion in #69, set an option to distinguish submission from regular smpd in syslog by giving submission a new name (doing this here to test that editconf is working right on master.cf)
2014-06-08 17:31:12 -04:00
Joshua Tauberer
5b72e5419d fix shebang lines in the tests to take advantage of any activated python environment 2014-06-08 17:31:12 -04:00
Joshua Tauberer
ad520b45ff adding a new script archive_conf_files.sh to dump the contents of all files modified by editconf.py so testing is easier 2014-06-08 17:31:12 -04:00
Joshua Tauberer
ca34c1b1ae Merge pull request #68 from mkropat/protect-key
Protect private key from being world-readable
2014-06-07 20:19:40 -04:00
Michael Kropat
42bf624045 Protect private key from being world-readable
Postfix, Dovecot, and nginx all read the key file while they're running
as root — before dropping permissions — so no authorization is needed on
the private key file beyond being root-readable.
2014-06-07 19:40:50 -04:00
Joshua Tauberer
3fa8e384d4 improve hostname/IP default values
Merges branch 'mkropat-populate-hostname-ip'
2014-06-07 14:57:22 -04:00
Joshua Tauberer
b60ca25e53 add comments to the new get_default_hostname etc. functions, and simplify the logic in the Vagrantfile and start.sh so that we always call into the same two functions 2014-06-07 14:57:03 -04:00
Michael Kropat
43ef49c737 Improve hostname/IP default values
Default IP+hostname values were incorrect for my VPS provider. I
improved the detection, which should give correct results results for
almost any provider. Specific issues addressed:

- icanhazip.com detection was only enabled in non-interactive mode
- `hostname` is by convention a short (non-fqdn) name in Ubuntu
- `hostname --fqdn` fails if provider does not pouplate `hosts` file
- `hostname -i` fails if provider does not populate `hosts` file
- `curl` without `--fail` will someday return crazy results
  when icanhazip.com returns 500 errors or similar
2014-06-07 14:11:42 -04:00
Joshua Tauberer
add1545deb Merge pull request #65 from mkropat/mkropat/password-mask
Mask password input on stdin in tools/mail.py
2014-06-06 17:18:33 -04:00
Michael Kropat
5774205bc2 Mask password input on stdin 2014-06-06 17:07:30 -04:00
Joshua Tauberer
242cadebc8 allow dashes in emails during validation, and for aliases allow a much wider range of characters, fixes #64
* for local mail users, also disallows periods at the beginning or end of the local or domain parts
* Dovecot gets confused if the string contains any unusual characters, so local mail users are restricted to a narrow regex
* for mail aliases Postfix is not confused so use a regex based on RFC 2822
2014-06-06 10:51:36 -04:00
Joshua Tauberer
f1dac1fe13 show less output when updating DNS configuration 2014-06-06 10:51:36 -04:00
Joshua Tauberer
389c354c8f Vagrant updates
* use a public box (the official Ubuntu 14.04 box which contra the description does have VBox Guest Additions installed)
* now that we allow SSH password logins, since Vagrant requires it, dont muck with sshd_config here
* don't put the machine on the public network because that will allow anyone to log into it with Vagrant's default username/password, duh
2014-06-06 10:51:36 -04:00
Joshua Tauberer
f9c3f33e74 move the SSH password login check out of setup because it interfers with Vagrant and into a separate script that we'll use for auditing in a later phase 2014-06-06 10:51:36 -04:00
Joshua Tauberer
6194c63f76 add management comments for checking for updated Ubuntu packages and applying updates 2014-06-05 20:57:30 +00:00
Joshua Tauberer
cab7321dbb remove vestigal docker compatibility that prevented starting services during setup 2014-06-04 20:04:26 -04:00
Joshua Tauberer
295981828f Vagrantize
* adding a Vagrantfile
* in a non-interactive setup like this, create the user's first email account for them
* let the machine auto-detect its IP address using http://icanhazip.com/
* use our own justtesting.email domain to provision a subdomain for users so they can quickly get started
2014-06-04 19:39:58 -04:00
Joshua Tauberer
3961e1aec3 test_dns: more error handling 2014-06-04 19:31:55 -04:00
Joshua Tauberer
7fa4862f1a refactor dns_update so that the zone is first generated in a file-format agnostic way 2014-06-04 19:00:31 -04:00
Joshua Tauberer
8ed15168c0 the new dns_update totally forgot to write the OpenDKIM tables 2014-06-04 18:44:13 -04:00
Joshua Tauberer
2f0d036504 the bc package is no longer needed since redoing dns_update 2014-06-04 17:27:01 -04:00
Joshua Tauberer
d6e6cfd3c9 mail test: catch typical connecting errors and display nicer output 2014-06-04 17:13:06 -04:00
Joshua Tauberer
fff06f7d71 improve DNS test output 2014-06-04 17:01:49 -04:00
Joshua Tauberer
2bbb7a5e7e remove Docker stuff since it doesnt work 2014-06-04 10:57:23 -04:00
Joshua Tauberer
a35fa12465 script to check the SSL certificate, with instructions for turning the self-signed certificate into a properly signed certificate 2014-06-04 11:38:20 +00:00
Joshua Tauberer
ea62c2419d typo in updating DKIM, dont regenerate the DKIM private key each time setup is run 2014-06-03 21:42:33 +00:00
Joshua Tauberer
2a9349a64e show the SSL certificate's fingerprint during setup so the user can sort of pin it 2014-06-03 21:39:49 +00:00
Joshua Tauberer
bb7905aefd on second and later runs of start.sh, recall the inputs the user entered the last time 2014-06-03 21:31:13 +00:00
Joshua Tauberer
24edd5ce91 the SSL CSR must be generated with a country code 2014-06-03 21:17:10 +00:00
Joshua Tauberer
89730bd643 new backup script, see #11 2014-06-03 21:16:38 +00:00
Joshua Tauberer
51dd2ed70b update nginx SSL options, fixes #61 2014-06-03 14:06:02 +00:00
Joshua Tauberer
c54b0cbefc move management into a daemon service running as root
* Created a new Python/flask-based management daemon.
* Moved the mail user management core code from tools/mail.py to the new daemon.
* tools/mail.py is a wrapper around the daemon and can be run as a non-root user.
* Adding a new initscript for the management daemon.
* Moving dns_update.sh to the management daemon, called via curl'ing the daemon's API.

This also now runs the DNS update after mail users and aliases are added/removed,
which sets up new domains' DNS as needed.
2014-06-03 13:56:40 +00:00
Joshua Tauberer
da15ae5375 rename the scripts directory to setup 2014-06-03 11:12:38 +00:00
Joshua Tauberer
af03feb389 remove permit_dnswl_client because postfix has odd behavior when an IP address is not listed: it turns all bounces into deferrals (retry)
partially reverts 6d473f81ac
2014-05-23 09:01:03 +00:00
Joshua Tauberer
19aba091d7 test_mail: if EHLO test fails continue testing the rest, since user may be waiting on DNS propagation 2014-05-17 08:32:40 -04:00
Joshua Tauberer
f91830f0e3 clean up README a bit; moving the bit Rationale into the github wiki 2014-05-15 08:57:44 -04:00
Joshua Tauberer
6d473f81ac add more postfix rules: reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rhsbl_sender, and permit_dnswl_client 2014-05-15 12:10:35 +00:00
Joshua Tauberer
b646771517 redirect all HTTP to HTTPS and enable HSTS, closes #18 2014-05-14 12:15:11 +00:00