102b2d46ab
typo fix: seconday -> secondary ( #939 )
2016-09-18 08:10:49 -04:00
58541c467f
merge #936 - fix wonky free disk space messages - from cmsirbu/master
...
fix status_checks.py free disk space reporting, fixes #932
2016-09-16 07:31:57 -04:00
00bd23eb04
fix status_checks.py free disk space reporting #932
2016-09-15 17:01:21 +01:00
d73d1c6900
changelog typos
2016-08-24 07:47:55 -04:00
fc0abd5b4d
confirm that fail2ban is protecting pop3s, closes #629
2016-08-22 19:18:23 -04:00
27b4edfc76
v0.19b
...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJXuHvJAAoJELkgQfTBC92B2IsIAJl+tQkkVp5cu4zuSLOpHj73
LFGGCrGTSMwuyNbnklkLmLIfRxlmNfHNfQqHYhxJQq7JVLuDRJS2rTJnSWGg4PuE
vyrjOEFNNqFp9cy00j6NMUUcJa4kte4cvMg3Sonz7JkVwS3fxp7hSgZknYOjlLvh
R/FmrqVhpDtTZRtMjcQaCtCTWUEETYFLsJZ2iZkIlpGhoxPGEhKZquNrT0s3qrNv
Rwf6O3i9RIS/bOu2lWI+ymdStPVJnn+deRTBWPpsxXdNC/NG9+gWiqGgRnjTBbMO
uzH1hYct+J6TWeNpesECfMMjTOZ+T7yrRJc1s9ThuLokyAlo9yf4E5YFziZ0hi4=
=JxNp
-----END PGP SIGNATURE-----
merge v0.19b hot fix release
2016-08-20 11:50:26 -04:00
ba75ff7820
v0.19b
2016-08-20 11:48:08 -04:00
a14b17794b
simplify how munin-cgi-graph is called to reduce the attack surface area
...
Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
The vulnerability was created by 6d6f3ea391#914 .
This is the v0.19b hotfix commit.
2016-08-20 11:47:44 -04:00
35a360ef0b
simplify how munin-cgi-graph is called to reduce the attack surface area
...
Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
2016-08-19 12:42:43 -04:00
86457e5bc4
merge: fail2ban broke, released v0.19a
2016-08-18 08:39:31 -04:00
7c9f3e0b23
v0.19a
2016-08-18 08:36:28 -04:00
83d8dbca3e
fail2ban won't start until the roundcube log file is created
...
fixes #911
2016-08-18 08:32:14 -04:00
8cf2e468bd
[merge #900 ] Adding a Code of Conduct
...
Merge pull request #900 from mail-in-a-box/code_of_conduct
2016-08-15 20:10:37 -04:00
440a545010
some improvements suggested by the community
2016-08-15 20:09:05 -04:00
942bcfc7c5
Update Bootstrap to 3.3.7 ( #909 )
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2016-08-15 18:06:12 -04:00
4f2d16a31d
Update README URLs based on HTTP redirects ( #908 )
2016-08-15 11:07:09 -04:00
e9368de462
[merge #902 ] Upgrade ownCloud from 8.2.3 to 8.2.7
...
Merge https://github.com/mar1u5/mailinabox
fixes #901
2016-08-13 17:36:08 -04:00
cdd0a821eb
v0.19
...
closes #898
2016-08-13 17:27:10 -04:00
6f165d0aeb
Update Changelog
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2016-08-09 00:58:10 +02:00
6c22c0533e
Upgrade ownCloud from 8.2.3 to 8.2.7
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2016-08-09 00:53:15 +02:00
d38b732b0a
add a Code of Conduct
2016-08-08 08:19:42 -04:00
81b5af6b64
document fail2ban filters in security.md
2016-08-08 07:55:46 -04:00
fc5cc9753b
roundcube 1.2.1
2016-08-08 07:32:02 -04:00
1aca6fe08f
some minor tweaks to the new users/aliases API documentation
2016-08-08 07:28:10 -04:00
cf3e1cd595
add SRV records for CardDAV/CalDAV
...
DavDroid's latest version's account configuration no longer just asked for a hostname. Its email address & password configuration mode did not work without a SRV record.
2016-07-31 20:53:57 -04:00
b044dda28f
put the ufw status checks in the network section, add a punctuation mark, add changelog entry
2016-07-29 09:23:36 -04:00
f66f39b61d
Merge branch 'ufw_status_check' of https://github.com/yodax/mailinabox
2016-07-29 09:16:22 -04:00
6de7d59f14
changelog entries
2016-07-29 09:12:01 -04:00
9c8f2e75fc
allow i686 as a supported architecture
...
This is checked during preflight. See https://github.com/mail-in-a-box/mailinabox/issues/885 (#889 )
2016-07-29 09:07:16 -04:00
cbc4bf553d
Merge pull request #880 from schlypel/master
...
Added information about API endpoints
2016-07-29 09:04:27 -04:00
4e3cfead46
Add HSTS to the control panel headers ( #879 )
2016-07-29 09:01:40 -04:00
8844a9185f
Merge pull request #798 from mail-in-a-box/fail2banjails
...
add fail2ban jails for ownCloud, postfix submission, roundcube, and the Mail-in-a-Box management daemon
2016-07-29 08:52:44 -04:00
3249a55f3a
added API info to users page template
2016-06-29 13:35:42 +02:00
b58fb54725
added API info to aliases page template
2016-06-29 13:34:54 +02:00
82903cd09e
Merge pull request #857 from biermeester/master
...
Small extension to mail log management script
2016-06-27 06:17:16 -04:00
fb14e30feb
Remove owncloud log configuration from initial setup and only apply it during the configuration updates. This applies to both the timezone and the log format
2016-06-27 06:03:24 -04:00
d9ac321f25
Owncloud needs more time to detect blocks. It doesn't respond as fast as the other services. Also owncloud logs UTC (since latest update) even though the timezone is not UTC. Also to detect a block, we get a timeout instead of a refused)
2016-06-27 06:03:19 -04:00
bf5e9200f8
Update owncloud url to use webdav and increase http timeout
2016-06-27 06:03:14 -04:00
5f5f00af4a
for DANE, the smtp_tls_mandatory_protocols setting seems like it also needs to be set (unlike the cipher settings, this isn't documented to be in addition to the non-mandatory setting)
2016-06-12 09:11:55 -04:00
6b73bb5d80
outbound SMTP connections should use the same TLS settings as inbound: drop SSLv2, SSLv3, anonymous ciphers, RC4
2016-06-12 09:11:54 -04:00
3055f9a79c
drop SSLv3, RC4 ciphers from SMTP port 25
...
Per http://googleappsupdates.blogspot.ro/2016/05/disabling-support-for-sslv3-and-rc4-for.html , Google is about to do the same.
fixes #611
2016-06-12 09:11:50 -04:00
1c84e0aeb6
Added received mail count to hourly activity overview in mail log management script
2016-06-10 13:08:57 +02:00
ae1b56d23f
Added POP3 support to mail log management script
2016-06-10 11:19:03 +02:00
946cd63e8e
Mail log management script cleanup
2016-06-10 10:32:32 +02:00
01fa8cf72c
add fail2ban jails for ownCloud, postfix submission, roundcube, and the Mail-in-a-Box management daemon
...
(tests squashed into this commit by josh)
2016-06-06 09:13:10 -04:00
fac8477ba1
Configured Dovecot to log into its own logfile
2016-06-06 08:21:44 -04:00
61744095a8
Update Roundcube to 1.2.0
...
closes #840
2016-06-06 07:32:54 -04:00
d5b38a27e6
run roundcube's database migration script on every update
...
There hasn't been a sqlite migration yet, since Mail-in-a-Box's creation, but with Roundcube 1.2 there will be.
2016-06-06 07:28:12 -04:00
6666d28c44
v0.18c
2016-06-02 15:47:45 -04:00
66675ff2e9
Dovecot LMTP accepted all mail regardless of whether destination was a user, broken by ae8cd4ef, fixes #852
...
In the earlier commit, I added a Dovecot userdb lookup. Without a userdb lookup, Dovecot would use the password db for user lookups. With a userdb lookup we can support iterating over users.
But I forgot the WHERE clause in the query, resulting in every incoming message being accepted if the user database contained any users at all. Since the mailbox path template is the same for all users, mail was delivered correctly except that mail that should have been rejected was delivered too.
2016-06-02 08:05:34 -04:00
Scott Bronson
Joshua Tauberer
cs@twoflower
Marius Blüm
ReadmeCritic
Michael Kroes
schlypel
Rinze
Chris Blankenship
aspdye