Joshua Tauberer
27b4edfc76
v0.19b
...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJXuHvJAAoJELkgQfTBC92B2IsIAJl+tQkkVp5cu4zuSLOpHj73
LFGGCrGTSMwuyNbnklkLmLIfRxlmNfHNfQqHYhxJQq7JVLuDRJS2rTJnSWGg4PuE
vyrjOEFNNqFp9cy00j6NMUUcJa4kte4cvMg3Sonz7JkVwS3fxp7hSgZknYOjlLvh
R/FmrqVhpDtTZRtMjcQaCtCTWUEETYFLsJZ2iZkIlpGhoxPGEhKZquNrT0s3qrNv
Rwf6O3i9RIS/bOu2lWI+ymdStPVJnn+deRTBWPpsxXdNC/NG9+gWiqGgRnjTBbMO
uzH1hYct+J6TWeNpesECfMMjTOZ+T7yrRJc1s9ThuLokyAlo9yf4E5YFziZ0hi4=
=JxNp
-----END PGP SIGNATURE-----
merge v0.19b hot fix release
2016-08-20 11:50:26 -04:00
Joshua Tauberer
ba75ff7820
v0.19b
2016-08-20 11:48:08 -04:00
Joshua Tauberer
a14b17794b
simplify how munin-cgi-graph is called to reduce the attack surface area
...
Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
The vulnerability was created by 6d6f3ea391
.
See #914 .
This is the v0.19b hotfix commit.
2016-08-20 11:47:44 -04:00
Joshua Tauberer
35a360ef0b
simplify how munin-cgi-graph is called to reduce the attack surface area
...
Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
2016-08-19 12:42:43 -04:00
Joshua Tauberer
86457e5bc4
merge: fail2ban broke, released v0.19a
2016-08-18 08:39:31 -04:00
Joshua Tauberer
7c9f3e0b23
v0.19a
2016-08-18 08:36:28 -04:00
Joshua Tauberer
83d8dbca3e
fail2ban won't start until the roundcube log file is created
...
fixes #911
2016-08-18 08:32:14 -04:00
Joshua Tauberer
8cf2e468bd
[merge #900 ] Adding a Code of Conduct
...
Merge pull request #900 from mail-in-a-box/code_of_conduct
2016-08-15 20:10:37 -04:00
Joshua Tauberer
440a545010
some improvements suggested by the community
2016-08-15 20:09:05 -04:00
Marius Blüm
942bcfc7c5
Update Bootstrap to 3.3.7 ( #909 )
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2016-08-15 18:06:12 -04:00
ReadmeCritic
4f2d16a31d
Update README URLs based on HTTP redirects ( #908 )
2016-08-15 11:07:09 -04:00
Joshua Tauberer
e9368de462
[merge #902 ] Upgrade ownCloud from 8.2.3 to 8.2.7
...
Merge https://github.com/mar1u5/mailinabox
fixes #901
2016-08-13 17:36:08 -04:00
Joshua Tauberer
cdd0a821eb
v0.19
...
closes #898
2016-08-13 17:27:10 -04:00
Marius Blüm
6f165d0aeb
Update Changelog
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2016-08-09 00:58:10 +02:00
Marius Blüm
6c22c0533e
Upgrade ownCloud from 8.2.3 to 8.2.7
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2016-08-09 00:53:15 +02:00
Joshua Tauberer
d38b732b0a
add a Code of Conduct
2016-08-08 08:19:42 -04:00
Joshua Tauberer
81b5af6b64
document fail2ban filters in security.md
2016-08-08 07:55:46 -04:00
Joshua Tauberer
fc5cc9753b
roundcube 1.2.1
2016-08-08 07:32:02 -04:00
Joshua Tauberer
1aca6fe08f
some minor tweaks to the new users/aliases API documentation
2016-08-08 07:28:10 -04:00
Joshua Tauberer
cf3e1cd595
add SRV records for CardDAV/CalDAV
...
DavDroid's latest version's account configuration no longer just asked for a hostname. Its email address & password configuration mode did not work without a SRV record.
2016-07-31 20:53:57 -04:00
Joshua Tauberer
b044dda28f
put the ufw status checks in the network section, add a punctuation mark, add changelog entry
2016-07-29 09:23:36 -04:00
Joshua Tauberer
f66f39b61d
Merge branch 'ufw_status_check' of https://github.com/yodax/mailinabox
2016-07-29 09:16:22 -04:00
Joshua Tauberer
6de7d59f14
changelog entries
2016-07-29 09:12:01 -04:00
Michael Kroes
9c8f2e75fc
allow i686 as a supported architecture
...
This is checked during preflight. See https://github.com/mail-in-a-box/mailinabox/issues/885 (#889 )
2016-07-29 09:07:16 -04:00
Joshua Tauberer
cbc4bf553d
Merge pull request #880 from schlypel/master
...
Added information about API endpoints
2016-07-29 09:04:27 -04:00
Michael Kroes
4e3cfead46
Add HSTS to the control panel headers ( #879 )
2016-07-29 09:01:40 -04:00
Joshua Tauberer
8844a9185f
Merge pull request #798 from mail-in-a-box/fail2banjails
...
add fail2ban jails for ownCloud, postfix submission, roundcube, and the Mail-in-a-Box management daemon
2016-07-29 08:52:44 -04:00
schlypel
3249a55f3a
added API info to users page template
2016-06-29 13:35:42 +02:00
schlypel
b58fb54725
added API info to aliases page template
2016-06-29 13:34:54 +02:00
Joshua Tauberer
82903cd09e
Merge pull request #857 from biermeester/master
...
Small extension to mail log management script
2016-06-27 06:17:16 -04:00
Michael Kroes
fb14e30feb
Remove owncloud log configuration from initial setup and only apply it during the configuration updates. This applies to both the timezone and the log format
2016-06-27 06:03:24 -04:00
Michael Kroes
d9ac321f25
Owncloud needs more time to detect blocks. It doesn't respond as fast as the other services. Also owncloud logs UTC (since latest update) even though the timezone is not UTC. Also to detect a block, we get a timeout instead of a refused)
2016-06-27 06:03:19 -04:00
Michael Kroes
bf5e9200f8
Update owncloud url to use webdav and increase http timeout
2016-06-27 06:03:14 -04:00
Joshua Tauberer
5f5f00af4a
for DANE, the smtp_tls_mandatory_protocols setting seems like it also needs to be set (unlike the cipher settings, this isn't documented to be in addition to the non-mandatory setting)
2016-06-12 09:11:55 -04:00
Joshua Tauberer
6b73bb5d80
outbound SMTP connections should use the same TLS settings as inbound: drop SSLv2, SSLv3, anonymous ciphers, RC4
2016-06-12 09:11:54 -04:00
Joshua Tauberer
3055f9a79c
drop SSLv3, RC4 ciphers from SMTP port 25
...
Per http://googleappsupdates.blogspot.ro/2016/05/disabling-support-for-sslv3-and-rc4-for.html , Google is about to do the same.
fixes #611
2016-06-12 09:11:50 -04:00
Rinze
1c84e0aeb6
Added received mail count to hourly activity overview in mail log management script
2016-06-10 13:08:57 +02:00
Rinze
ae1b56d23f
Added POP3 support to mail log management script
2016-06-10 11:19:03 +02:00
Rinze
946cd63e8e
Mail log management script cleanup
2016-06-10 10:32:32 +02:00
Michael Kroes
01fa8cf72c
add fail2ban jails for ownCloud, postfix submission, roundcube, and the Mail-in-a-Box management daemon
...
(tests squashed into this commit by josh)
2016-06-06 09:13:10 -04:00
Chris Blankenship
fac8477ba1
Configured Dovecot to log into its own logfile
2016-06-06 08:21:44 -04:00
aspdye
61744095a8
Update Roundcube to 1.2.0
...
closes #840
2016-06-06 07:32:54 -04:00
Joshua Tauberer
d5b38a27e6
run roundcube's database migration script on every update
...
There hasn't been a sqlite migration yet, since Mail-in-a-Box's creation, but with Roundcube 1.2 there will be.
2016-06-06 07:28:12 -04:00
Joshua Tauberer
6666d28c44
v0.18c
2016-06-02 15:47:45 -04:00
Joshua Tauberer
66675ff2e9
Dovecot LMTP accepted all mail regardless of whether destination was a user, broken by ae8cd4ef
, fixes #852
...
In the earlier commit, I added a Dovecot userdb lookup. Without a userdb lookup, Dovecot would use the password db for user lookups. With a userdb lookup we can support iterating over users.
But I forgot the WHERE clause in the query, resulting in every incoming message being accepted if the user database contained any users at all. Since the mailbox path template is the same for all users, mail was delivered correctly except that mail that should have been rejected was delivered too.
2016-06-02 08:05:34 -04:00
Joshua Tauberer
9ee2d946b7
Merge pull request #821 from m4rcs/before-backup
...
Added a pre-backup script to complement post-backup script.
2016-05-17 19:48:14 -04:00
Arnaud
ff7d4196a6
target to blank for munin link in tempalte ( #822 )
...
adding :
target="_blank"
to
<li><a href="/admin/munin">Munin Monitoring</a></li> on line 96
Why ?
Because when you click on munin link, and follow links, you lose your index, or click back many times...
So i propose my pull request.
Et voilà ^^
2016-05-17 19:46:45 -04:00
aspdye
490b36d86c
Fix #819 ( #823 )
2016-05-17 19:46:10 -04:00
Joshua Tauberer
867d9c4669
v0.18b
2016-05-16 07:17:20 -04:00
Joshua Tauberer
1ad5892acd
can't change roundcube's default_host setting, partially reverts 6d259a6e12
...
The default_host setting is a part of the internal username key. We can't change that without causing Roundcube to create new internal user accounts.
2016-05-16 07:14:45 -04:00