1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-12-26 07:57:05 +00:00
Commit Graph

151 Commits

Author SHA1 Message Date
github@kiekerjan.isdronken.nl
eeada2b9b5 merge changes from V55 upstream 2021-10-19 23:07:02 +02:00
KiekerJan
e54dc19854 slightly change dns resolver call 2021-09-21 22:17:10 +02:00
kiekerjan
98c00d1c6a
Merge branch 'mail-in-a-box:main' into master 2021-08-28 13:38:15 +02:00
Joshua Tauberer
67b5711c68 Recommend that DS records be updated to not use SHA1 and exclude MUST NOT methods (SHA1) and the unlikely option RSASHA1-NSEC3-SHA1 (7) + SHA-384 (4) from the DS record suggestions 2021-08-22 14:43:46 -04:00
myfirstnameispaul
20ccda8710 Re-order DS record algorithms by digest type and revise warning message.
Note that 7, 4 is printed last in the status checks page but does not appear in the file, and I couldn't figure out why.
2021-08-22 14:29:36 -04:00
KiekerJan
eb36091d41 syntax error fix 2021-06-24 12:56:18 +02:00
github@kiekerjan.isdronken.nl
4f7957a5ab check presence of dnssec key file before reading it 2021-06-24 12:47:46 +02:00
KiekerJan
56f9df738f version recognition 2021-06-23 21:02:21 +02:00
github@kiekerjan.isdronken.nl
ca5fb3c2e0 Merge changes from upstream v0.54 2021-06-20 23:36:54 +02:00
kiekerjan
c25bb085d6
Merge pull request #3 from kiekerjan/develop-dns-mods
Develop dns mods
2021-05-29 22:39:31 +02:00
KiekerJan
28b828be12 check service on ipv6 if it is not found on ipv4 2021-05-28 23:36:25 +02:00
github@kiekerjan.isdronken.nl
1d96be9ea9 take hidden master dns into account for the status checks 2021-05-24 21:32:13 +02:00
Joshua Tauberer
d510c8ae2a Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)
Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2021-05-15 16:42:14 -04:00
KiekerJan
aadd37e248 correct python spacing, sigh 2021-05-10 09:42:03 +02:00
KiekerJan
764a81d335 Merge branch 'develop-xapian-fts' 2021-05-09 21:20:58 +02:00
github@kiekerjan.isdronken.nl
2865cad111 take possible kiekerjan edition into account in tag 2021-05-09 21:16:22 +02:00
github@kiekerjan.isdronken.nl
d875c9ff70 remove check on solr service 2021-05-08 23:04:13 +02:00
Joshua Tauberer
aaa81ec879 Fix indentation issue in bc4ae51c2d 2021-05-08 09:06:18 -04:00
Hala Alajlan
bc4ae51c2d
Handle query dns timeout unhandled error (#1950)
Co-authored-by: hala alajlan <halalajlan@gmail.com>
2021-05-08 08:26:40 -04:00
github@kiekerjan.isdronken.nl
3609a9e96c fix Solr report 2021-04-29 23:11:19 +02:00
github@kiekerjan.isdronken.nl
e946276f15 install solr without ubuntu package 2021-04-21 22:26:49 +02:00
github@kiekerjan.isdronken.nl
4aaee13c1c Add solr full text search based on https://github.com/jvolkenant/mailinabox/tree/solr-jetty 2021-04-17 23:00:14 +02:00
github@kiekerjan.isdronken.nl
c24ca5abd4 include changes from v0.53. Remove some POWER modifications to closer follow original mialinabox 2021-04-13 09:50:23 +02:00
Joshua Tauberer
178c587654 Migrate to the ECDSAP256SHA256 (13) DNSSEC algorithm
* Stop generating RSASHA1-NSEC3-SHA1 keys on new installs since it is no longer recommended, but preserve the key on existing installs so that we continue to sign zones with existing keys to retain the chain of trust with existing DS records.
* Start generating ECDSAP256SHA256 keys during setup, the current best practice (in addition to RSASHA256 which is also ok). See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 and https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/.
* Sign zones using all available keys rather than choosing just one based on the TLD to enable rotation/migration to the new key and to give the user some options since not every registrar/TLD supports every algorithm.
* Allow a user to drop a key from signing specific domains using DOMAINS= in our key configuration file. Signing the zones with extraneous keys may increase the size of DNS responses, which isn't ideal, although I don't know if this is a problem in practice. (Although a user can delete the RSASHA1-NSEC3-SHA1 key file, the other keys will be re-generated on upgrade.)
* When generating zonefiles, add a hash of all of the DNSSEC signing keys so that when the keys change the zone is definitely regenerated and re-signed.
* In status checks, if DNSSEC is not active (or not valid), offer to use all of the keys that have been generated (for RSASHA1-NSEC3-SHA1 on existing installs, RSASHA256, and now ECDSAP256SHA256) with all digest types, since not all registers support everything, but list them in an order that guides users to the best practice.
* In status checks, if the deployed DS record doesn't use a ECDSAP256SHA256 key, prompt the user to update their DS record.
* In status checks, if multiple DS records are set, only fail if none are valid. If some use ECDSAP256SHA256 and some don't, remind the user to delete the DS records that don't.
* Don't fail if the DS record uses the SHA384 digest (by pre-generating a DS record with that digest type) but don't recommend it because it is not in the IANA mandatory list yet (https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml).

See #1953
2021-04-12 19:42:12 -04:00
github@kiekerjan.isdronken.nl
12d0aee27a Add own changes 2021-04-11 12:14:41 +02:00
David Duque
4829e687ff
Merge changes from master 2021-01-31 16:20:15 +00:00
Felix Spöttel
e3d98b781e
Warn when connection to Spamhaus times out (#1817) 2021-01-28 18:22:43 -05:00
David Duque
94da7bb088
status_checks.py: Properly terminate the process pools (#1795)
* Only spawn a thread pool when strictly needed

For --check-primary-hostname, the pool is not used.
When exiting, the other processes are left alive and will hang.

* Acquire pools with the 'with' statement
2020-08-09 11:42:39 -04:00
David Duque
5e597bb536
Update deprecated function from dnspython 2020-07-26 01:00:17 +01:00
David Duque
fc0bd12631
Acquire pools with the 'with' statement 2020-07-22 12:42:10 +01:00
David Duque
a0da88834c
Terminate the status checks process pool before exiting 2020-07-21 19:21:46 +01:00
David Duque
022a11e159 Merge remote-tracking branch 'up/master' 2020-06-21 15:52:31 +01:00
David Duque
0ccbf1b809 Only spawn a thread pool when strictly needed
For --check-primary-hostname, the pool is not used.
When exiting, the other processes are left alive and will hang.
2020-06-21 15:05:17 +01:00
Joshua Tauberer
b805f8695e Move status checks for www, autoconfig, autodiscover, and mta-sts to within the section for the parent domain
Since we're checking the MTA-STS policy, there's no need to check that the domain resolves etc. directly.
2020-05-29 15:38:13 -04:00
Joshua Tauberer
10bedad3a3 MTA-STS tweaks, add status check using postfix-mta-sts-resolver, change to enforce 2020-05-29 15:36:52 -04:00
David Duque
2176d59727
Version check will now use the correct endpoint 2020-04-20 23:35:11 +01:00
David Duque
9a6a35cadc
Update version display 2020-04-20 00:43:20 +01:00
David Duque
4ed014a50c
Add SMTP Relay status checks 2020-04-18 15:00:51 +01:00
David Duque
0d17caccfe
Downgrade port 25 blockage error to warn; mention SMTP relays 2020-04-13 01:10:38 +01:00
Snacho
08021ea19f Fix an issue when Secondary NS has multiple A records (#1633)
If a custom secondary NS server has multiple A records status_checks.py will fail with a timeout and Web UI won't load.
2019-08-31 07:58:12 -04:00
Joshua Tauberer
60f9c9e3b7 show the Mail-in-a-Box version in the system status checks even when the new-version check is disabled
fixes #922
2018-11-30 10:46:54 -05:00
Christopher A. DeFlumeri
d96613b8fe minimal changeset to get things working on 18.04
@joshdata squashed pull request #1398, removed some comments, and added these notes:

* The old init.d script for the management daemon is replaced with a systemd service.
* A systemd service configuration is added to configure permissions for munin on startup.
* nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2.
* Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config.
* The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04.
* The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders.
* Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing.
* Other minor changes.
2018-10-03 13:00:06 -04:00
Joshua Tauberer
8be23d5ef6 ssl_certificates: reuse query_dns function in status_checks and simplify calls by calling normalize_ip within query_dns 2018-06-29 16:46:21 -04:00
Joshua Tauberer
0088fb4553 install Python 3 packages in a virtualenv
The cryptography package has created all sorts of installation trouble over the last few years, probably because of mismatches between OS-installed packages and pip-installed packages. Using a virtualenv for all Python packages used by the management daemon should make sure everything is consistent.

See #1298, see #1264.
2018-01-15 13:27:04 -05:00
Michael Kroes
2c324d0bc9 web_domains should also normalize ipv6 addresses (#1201) 2017-07-13 07:16:12 -04:00
Michael Kroes
a072730fb8 Wrap normalize_ip in try..except (#1139)
closes #1134
2017-04-03 16:53:53 -04:00
Joshua Tauberer
a24977a96e normalize_ip for ipv6 still not correct, was broken if box has no IPv6 address 2017-01-18 07:51:59 -05:00
Jonathan Chun
584cfe42c4 compare IPv6 addresses correctly with normalization (#1052) 2017-01-15 10:41:12 -05:00
Michael Kroes
41601a592f Improve error handling when doing update checks (#1065)
* Added an error message to handle exceptions when the setup script is trying to determine the latest Miab version
2017-01-15 10:35:33 -05:00
Joshua Tauberer
99d0afd650 secondary nameserver check fails if domain has custom DNS (round-robin) multiple A records
fixes #834
2016-12-07 07:02:52 -05:00