anoma
b6f26c0f1e
Revert to defaults FAIL2BAN findtime and maxretry
...
Reverts the remaining FAIL2BAN settings to default: findtime 600 and maxretry 3. As jail settings override default settings this was hardly being used anyway so it is better to explicitly set it per jail as and when required.
2015-07-06 13:42:41 +01:00
anoma
b2eaaeca4b
Revert to default 6 ssh/ddos login attempts
...
No legitimate admin will require 20 login attempts. The default 6 is a sane middle ground especially since in 10 minutes they can try again or immediately from another IP anyway.
2015-07-02 10:23:48 +01:00
anoma
e2d9a523c3
Cleanup blank lines, comments and whitespace to make it easier to follow
2015-07-02 10:19:37 +01:00
anoma
11df1e4680
Unnecessary config item, inherited from default jail.conf
2015-07-02 10:10:50 +01:00
anoma
53d5542402
Revert to default 600 second ban time
...
A 60 second/1 minute ban time is not long enough to counter brute force attacks which is the main purpose of fail2ban for mail in a box. The default bantime of 10 minutes is still sane and I think we have proven fail2ban is reliable enough not to cause problems in general. It is not worth sacrificing security for the rare case where an admin locks themselves out for 10 minutes.
2015-07-02 10:08:50 +01:00
anoma
bfda3f40b9
Unnecessary config item, inherited from default jail.conf
2015-07-02 09:55:59 +01:00
Joshua Tauberer
53f84a8092
set ssl_stapling_verify back to on, reverts part of 47de93961e
...
The sslmate guidance changed. See #458 .
2015-06-27 07:14:16 -04:00
Marc Schiller
0cc20cbb97
Fixed a bug where autoconfiguration for Z-Push fails due to case of URL.
2015-06-25 11:56:33 +02:00
Joshua Tauberer
be2b5a62de
ownCloud updated to version 8.0.4
2015-06-14 16:04:07 +00:00
bizonix
2c90c267bd
fix loop redirecting
...
server is redirecting the request for this address in a way that will never complete
2015-06-07 21:50:41 +03:00
Joshua Tauberer
47de93961e
OCSP improvements
...
* Set ssl_stapling_verify to off per https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx ('on' has no security benefits).
* Set resolver to 127.0.0.1, instead of Google Public DNS, because we might as well use our local nameserver anyway.
* Remove the commented line which per the link above would never be necessary anyway.
OCSP seems to work just fine after these changes.
2015-06-06 23:24:09 +00:00
Joshua Tauberer
5008cc603e
merge - munin system monitoring
2015-06-06 12:52:22 +00:00
Joshua Tauberer
95173bb327
provide redirects from www subdomains of zones to their parent domain
...
* Split the nginx templates again so we have just the part needed to make a domain do a redirect separate from the rest.
* Add server blocks to the nginx config for these domains.
* List these domains in the SSL certificate install admin panel.
* Generate default 'www' records just for domains we provide default redirects for.
Fixes #321 .
2015-06-04 12:19:01 +00:00
Joshua Tauberer
a0e6c7ceb6
fix downloading dotfiles through ownCloud's webdav
...
fixes #414
2015-05-30 18:03:37 +00:00
Joshua Tauberer
a9ed9ae936
more work on munin
...
* install the munin-node package
* don't install munin-plugins-extra (if the user wants it they can add it)
* expose the munin www directory via the management daemon so that it can handle authorization, rather than manintaining a separate password file
2015-05-25 17:03:52 +00:00
Joshua Tauberer
ce94ef38b2
anonymize X-Pgp-Agent, Mime-Version outgoing mail headers; fixes #342
...
I don't have a mail client that sets Mime-Version with a user agent string so I couldn't really test.
2015-05-03 14:03:59 +00:00
Joshua Tauberer
6bb8f5d889
ownCloud 8 busted MOD_X_ACCEL_REDIRECT_ENABLED
...
see https://github.com/owncloud/core/issues/14976
We will need to update when ownCloud makes this better with MOD_X_ACCEL_REDIRECT_PREFIX.
See https://discourse.mailinabox.email/t/owncloud-can-not-read-uploaded-data/428 .
2015-04-20 22:18:45 +00:00
H8H
c443524ee2
Configure fail2ban jails to prevent dumb brute-force attacks against postfix, dovecot and ssh. See #319
2015-03-08 01:13:55 +01:00
BiZoNiX
e14b2826e0
Disable viewing dotfiles (.htaccess, .svn, .git, etc.)
2015-02-09 19:41:42 +02:00
ikarus
3a09b04786
hide nginx version an OS information for better privacy.
2015-02-01 20:13:03 +01:00
ikarus
e330abd587
do better redirection from http to https
...
Redirect using the 'return' directive and the built-in
variable '$request_uri' to avoid any capturing, matching
or evaluation of regular expressions.
It's best practice. See: http://wiki.nginx.org/Pitfalls#Taxing_Rewrites
2015-02-01 01:32:07 +01:00
Joshua Tauberer
b9ca74c915
implement Mozilla (e.g. Thunderbird) autoconfiguration file
...
fixes #241
2015-01-31 21:33:18 +00:00
H8H
6efeff6fce
[Z-Push] Owncloud doesnt't support CARDDAV_SUPPORTS_SYNC, so set it to false
2014-12-29 16:35:47 +01:00
Joshua Tauberer
31d6128a2b
nginx: explicitly listen on both ipv4 and ipv6 (works even if ipv6 isn't present)
2014-11-30 14:41:30 +00:00
Joshua Tauberer
06f2477cfd
the new iOS configuration profile also is used on OS X 10.10.1, see #261
2014-11-18 16:32:37 +00:00
Joshua Tauberer
cdaa2c847d
[merge] iOS Mobile Configuration Profile
2014-11-14 13:56:18 +00:00
Joshua Tauberer
b04addda9a
move the mobileconfig into the conf directory as a plain XML file and handle substitutions and copying to /var in web.sh
2014-11-14 13:52:29 +00:00
Norman
5775cab175
various fixes
2014-11-06 15:33:08 +01:00
David Piggott
be9d97902f
Disable encapsulation of spam and marking of it as seen
2014-10-28 15:15:21 +00:00
Joshua Tauberer
20c5471a89
expose the ownCloud API, fixes #240 , fixes #242
2014-10-28 12:05:07 +00:00
Joshua Tauberer
6585384daa
bring the max outgoing mail size via webmail and z-push in line with the limit set in postfix: 128 MB
...
The limit was previously the nginx default (2MB?).
fixes #236
2014-10-16 22:11:10 +00:00
Joshua Tauberer
8566b78202
drop webfinger, see #95
2014-10-07 20:30:36 +00:00
Joshua Tauberer
d9ecc50119
since the management server binds to 127.0.0.1, must use that and not 'localhost' to connect to it because 'localhost' resolves to the IPv6 ::1 when it is available, see #224
2014-10-05 09:01:26 -04:00
h8h
ba33669a62
generate the locales before change to it.
...
For my german box changing the locale failed:
´´´´/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
setup/functions.sh: line 6: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)´´´´
see #206 and 4e6d572de9
closes #220
commit modified by joshdata
2014-10-02 11:05:42 +00:00
jkaberg
68efef1164
dont log robots.txt and favicon.ico. we should REALLY consider creating seperate include files for *all* of our "apps", this is getting messy..
2014-09-27 17:04:05 +00:00
Joshua Tauberer
6ecada7eed
Merge commit '93a722f'
2014-09-27 16:56:38 +00:00
Joshua Tauberer
39bca053ed
add 2048 bits of DH params for nginx, postfix, dovecot
...
nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own.
ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.)
see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3
2014-09-26 22:09:22 +00:00
Joshua Tauberer
4e6d572de9
ensure Python operates in UTF-8 with a consistent locale for all users
...
fixes #206 (hopefully)
2014-09-26 08:26:09 -04:00
jkaberg
93a722f85b
ownCloud (witch is based on SabreDAV) supports sync
2014-09-10 21:22:56 +02:00
Joshua Tauberer
f77f1e656c
split CardDAV instrctions into a new page and add CalDAV instructions; create nice redirects at /cloud/calendar and /cloud/contacts
2014-09-03 10:51:19 +00:00
Joshua Tauberer
24ff0e04b1
output/text tweaks
2014-08-27 14:42:00 +00:00
Joshua Tauberer
aa3bc3225e
expose the control panel only on PRIMARY_HOSTNAME since /admin might conflict with other stuff hosted on other domains
2014-08-27 02:38:43 +00:00
Joshua Tauberer
df20d447a9
add an api for setting custom DNS records
...
Works like this:
```curl -d "" --user email:password https://.../admin/dns/set/qname/rtype/value ```
where the rtype and value default to "A" and the remote IP address of the request, so that a simple, empty POST to
```https://.../admin/dns/set/desktop.mydomain.com ```
will point desktop.mydomain.com to the caller's IPv4 address.
closes #140
2014-08-23 23:03:45 +00:00
Joshua Tauberer
a0b056ae29
put a sterner warning in nginx local.conf about not modifying it
2014-08-23 12:35:59 +00:00
Joshua Tauberer
a501256fb9
fix the include path for our second use of z-push
2014-08-19 15:07:55 +00:00
Joshua Tauberer
80a05c3bbf
short_open_tag=Off was mistakenly left in the earlier merge (was a fix for my old autodiscover.php but not needed with z-push), also regrouping the nginx directive to be near the rest of Z-Push
2014-08-19 12:07:54 +00:00
Joshua Tauberer
b6dd407aa7
z-push autodiscover should use the primary hostname for the mail server and not the domain part of the email address (both may work, but the primary hostname is more likely to have a signed SSL cert)
2014-08-19 11:49:20 +00:00
jkaberg
9a1989357c
some makeup
2014-08-19 13:17:13 +02:00
jkaberg
a0df18506b
use z-push autodisover instead
2014-08-19 13:03:44 +02:00
jkaberg
f7d2dfd1c0
xml generation fails when short_open_tag is on
2014-08-19 11:27:50 +02:00