Joshua Tauberer
28e254fb84
whats_next: Allow the PRIMARY_HOSTNAME to not have an MX because the default value means the domain itself, which is what we want anyway
2014-07-07 02:35:45 +00:00
Joshua Tauberer
e898cd5d2a
whats_next: wrap output to the actual width of the terminal
2014-07-07 02:35:45 +00:00
Joshua Tauberer
6a231d4409
clarify that an SSL cert can remain self-signed on the non-primary domains if the domain isn't being used for web
2014-07-07 02:35:45 +00:00
Joshua Tauberer
dcce98f84b
and remove the old documentation now that there is documentation on the website
2014-07-06 11:57:57 -04:00
Joshua Tauberer
05664f0a3b
have the README refer to the website for details
2014-07-06 11:31:17 -04:00
Joshua Tauberer
49d5561933
when adding/removing mail addresses also update nginx's config
2014-07-06 12:16:50 +00:00
Joshua Tauberer
c8856f107d
migrate the SSL certificates path for non-primary certs to a new layout using a new migration script
2014-06-30 20:41:29 +00:00
Joshua Tauberer
06ba25151f
get_domain_ssl_files returned the wrong path for the CSR for PRIMARY_HOSTNAME
2014-06-30 19:49:41 +00:00
Joshua Tauberer
b5aa1b0f31
walk the user through choosing the PRIMARY_HOSTNAME by first asking for their email address
2014-06-30 10:20:58 -04:00
Joshua Tauberer
fed5959288
s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout
2014-06-30 09:15:36 -04:00
Joshua Tauberer
573faa2bf5
install the backup script as a daily cron job
2014-06-26 10:46:22 +00:00
Joshua Tauberer
87f001a5d5
some comments
2014-06-24 03:24:41 +00:00
Joshua Tauberer
f8cd2bb805
typo: www/default/index.html would be overwritten if it already exists
2014-06-23 19:43:19 +00:00
Joshua Tauberer
1dec8c65ce
move the SSH password login check into whats_next.py (it used to be in start.sh and then moved to an unused script when it became a problem for Vagrant)
2014-06-23 19:39:20 +00:00
Joshua Tauberer
d4ce50de86
new tool to purchase and install a SSL certificate using Gandi.net's API
2014-06-23 10:53:29 +00:00
Joshua Tauberer
30c416ff6e
rename the new checklist script to whats_next.py
2014-06-23 00:11:24 +00:00
Joshua Tauberer
5aa09c3f9b
let the user override some DNS records in a different way
...
Moved the configuration to a single YAML file, rather than one per domain, to be clearer.
re-does 33f06f29c1
2014-06-22 19:33:30 +00:00
Joshua Tauberer
45e93f7dcc
strengthen the cyphers and protocols allowed by Dovecot and Postfix submission
2014-06-22 19:03:11 +00:00
Joshua Tauberer
343886d818
add mail alias checks and other cleanup
2014-06-22 16:28:55 +00:00
Joshua Tauberer
deab8974ec
if we handle mail for both a domain and any subdomain, only create a zone for the domain and put the subdomain's DNS records in the main domain's zone file
2014-06-22 16:24:15 +00:00
Joshua Tauberer
4668367420
first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc.
2014-06-22 15:54:22 +00:00
Joshua Tauberer
ec6c7d84c1
dont ask for a CSR country code on second runs because the CSR is already generated and any new country code won't be used anyway
2014-06-22 15:36:14 +00:00
Joshua Tauberer
8076ce4ab9
Merge pull request #74 from mkropat/mgmt-auth
...
Add authentication to mailinabox-daemon; resolves #67
2014-06-22 11:36:04 -04:00
Michael Kropat
9e63ec62fb
Cleanup: remove env dependency
2014-06-22 08:55:19 -04:00
Michael Kropat
d100a790a0
Remove API_KEY_FILE setting
2014-06-22 08:45:29 -04:00
Michael Kropat
554a28479f
Merge remote-tracking branch 'upstream/master' into mgmt-auth
...
Conflicts:
management/daemon.py
2014-06-21 21:29:25 -04:00
Joshua Tauberer
064d75e261
Merge pull request #73 from mkropat/syslog-logging
...
Tell Flask to log to syslog
2014-06-21 21:22:27 -04:00
Joshua Tauberer
e70bc50432
README parallel sentence structure
2014-06-22 00:34:49 +00:00
Michael Kropat
bb394242ef
Update documentation to use API auth
...
The updated instruction is not very user-friendly. I think the right
solution is to wrap the `/dns` commands in a `tools/dns.py` style
script, along the lines of `tools/mail.py`.
2014-06-22 00:07:14 +00:00
Michael Kropat
88e496eba4
Update setup scripts to auth against the API
2014-06-22 00:02:52 +00:00
Michael Kropat
447399e8cd
Update mail tool to pass api key auth
2014-06-21 23:49:09 +00:00
Michael Kropat
067052d4ea
Add key-based authentication to management service
...
Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service.
2014-06-21 23:42:48 +00:00
Michael Kropat
53e15eae15
Tell Flask to log to syslog
...
- Writes Flask warnings and errors to `/var/log/syslog`
- Helps to debug issues when running in production
2014-06-21 23:25:35 +00:00
Joshua Tauberer
67d31ed998
move the SSL setup into its own bash script since it is used for much more than email now
2014-06-21 22:16:46 +00:00
Joshua Tauberer
0ab43ef4fd
have webfinger output a JSON file in STORAGE_ROOT/webfinger/(acct/..)
2014-06-21 17:08:18 +00:00
Joshua Tauberer
326cc2a451
obviously put our stuff in /usr/local and not /usr
2014-06-21 12:35:00 -04:00
Joshua Tauberer
d3cacd4a11
update test_dns
...
Don't check NS records for now because they will only appear on zones.
If a hostname is a subdomain on a zone and not itself a zone, it will
lack NS records.
Also stop testing for ADSP, which we dropped in 126ea94ccf
.
2014-06-21 12:32:20 -04:00
Joshua Tauberer
87b0608f15
test_dns: DNSSEC signing inserts empty text string components
2014-06-21 12:32:20 -04:00
Joshua Tauberer
85169dc960
preliminary support for webfinger
...
It just echos back the subject given to it.
2014-06-20 01:55:16 +00:00
Joshua Tauberer
5faa1cae71
manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for
2014-06-20 01:55:12 +00:00
Joshua Tauberer
a1a80b295e
update docs a bit
2014-06-18 23:12:05 -04:00
Joshua Tauberer
94a140a27a
linkify README
2014-06-18 23:04:06 -04:00
Joshua Tauberer
126ea94ccf
drop support for ADSP which since last November is no longer recommended per http://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/
2014-06-18 22:56:55 -04:00
Joshua Tauberer
0f72f78eea
add DNSSEC/DANE TLSA to the README
2014-06-19 02:23:07 +00:00
Joshua Tauberer
782ad04b10
use DANE when sending mail: if the recipient MX has a DANE TLSA record in DNS then Postfix will necessarily encrypt the mail in transport
2014-06-19 01:58:14 +00:00
Joshua Tauberer
95e61bc110
add DANE TLSA records to the PUBLIC_HOSTNAME's DNS
...
Postfix has a tls_security_level called "dane" which uses DNS-Based Authentication of Named Entities (DANE)
to require, if specified in the DNS of the MX host, an encrpyted connection with a known certificate.
This commit adds TLSA records.
2014-06-19 01:39:27 +00:00
Joshua Tauberer
699bccad80
missing spaces in nsd.conf (has no effect but looks proper)
2014-06-18 23:53:52 +00:00
Joshua Tauberer
afb6c26c8b
run bind9 on the loopback interface for ensuring we are using a DNSSEC-aware nameserver to resolve our own DNS queries (i.e. when sending mail) since we can't trust that the network configuration provided for us gives us a DNSSEC-aware DNS server
...
see #71
2014-06-18 19:45:47 -04:00
Joshua Tauberer
761fac729b
nsd.conf wasn't properly using the signed zone files
2014-06-18 23:30:35 +00:00
Joshua Tauberer
dd15bf4384
use a better sort order for records in DNS zone files
2014-06-17 23:34:06 +00:00