Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							c8856f107d 
							
						 
					 
					
						
						
							
							migrate the SSL certificates path for non-primary certs to a new layout using a new migration script  
						
						
						
					 
					
						2014-06-30 20:41:29 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							06ba25151f 
							
						 
					 
					
						
						
							
							get_domain_ssl_files returned the wrong path for the CSR for PRIMARY_HOSTNAME  
						
						
						
					 
					
						2014-06-30 19:49:41 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b5aa1b0f31 
							
						 
					 
					
						
						
							
							walk the user through choosing the PRIMARY_HOSTNAME by first asking for their email address  
						
						
						
					 
					
						2014-06-30 10:20:58 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							fed5959288 
							
						 
					 
					
						
						
							
							s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout  
						
						
						
					 
					
						2014-06-30 09:15:36 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							573faa2bf5 
							
						 
					 
					
						
						
							
							install the backup script as a daily cron job  
						
						
						
					 
					
						2014-06-26 10:46:22 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							87f001a5d5 
							
						 
					 
					
						
						
							
							some comments  
						
						
						
					 
					
						2014-06-24 03:24:41 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f8cd2bb805 
							
						 
					 
					
						
						
							
							typo: www/default/index.html would be overwritten if it already exists  
						
						
						
					 
					
						2014-06-23 19:43:19 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1dec8c65ce 
							
						 
					 
					
						
						
							
							move the SSH password login check into whats_next.py (it used to be in start.sh and then moved to an unused script when it became a problem for Vagrant)  
						
						
						
					 
					
						2014-06-23 19:39:20 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							d4ce50de86 
							
						 
					 
					
						
						
							
							new tool to purchase and install a SSL certificate using Gandi.net's API  
						
						
						
					 
					
						2014-06-23 10:53:29 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							30c416ff6e 
							
						 
					 
					
						
						
							
							rename the new checklist script to whats_next.py  
						
						
						
					 
					
						2014-06-23 00:11:24 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5aa09c3f9b 
							
						 
					 
					
						
						
							
							let the user override some DNS records in a different way  
						
						... 
						
						
						
						Moved the configuration to a single YAML file, rather than one per domain, to be clearer.
re-does 33f06f29c1 
						
					 
					
						2014-06-22 19:33:30 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							45e93f7dcc 
							
						 
					 
					
						
						
							
							strengthen the cyphers and protocols allowed by Dovecot and Postfix submission  
						
						
						
					 
					
						2014-06-22 19:03:11 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							343886d818 
							
						 
					 
					
						
						
							
							add mail alias checks and other cleanup  
						
						
						
					 
					
						2014-06-22 16:28:55 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							deab8974ec 
							
						 
					 
					
						
						
							
							if we handle mail for both a domain and any subdomain, only create a zone for the domain and put the subdomain's DNS records in the main domain's zone file  
						
						
						
					 
					
						2014-06-22 16:24:15 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							4668367420 
							
						 
					 
					
						
						
							
							first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc.  
						
						
						
					 
					
						2014-06-22 15:54:22 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ec6c7d84c1 
							
						 
					 
					
						
						
							
							dont ask for a CSR country code on second runs because the CSR is already generated and any new country code won't be used anyway  
						
						
						
					 
					
						2014-06-22 15:36:14 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8076ce4ab9 
							
						 
					 
					
						
						
							
							Merge pull request  #74  from mkropat/mgmt-auth  
						
						... 
						
						
						
						Add authentication to mailinabox-daemon; resolves  #67  
						
					 
					
						2014-06-22 11:36:04 -04:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							9e63ec62fb 
							
						 
					 
					
						
						
							
							Cleanup: remove env dependency  
						
						
						
					 
					
						2014-06-22 08:55:19 -04:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							d100a790a0 
							
						 
					 
					
						
						
							
							Remove API_KEY_FILE setting  
						
						
						
					 
					
						2014-06-22 08:45:29 -04:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							554a28479f 
							
						 
					 
					
						
						
							
							Merge remote-tracking branch 'upstream/master' into mgmt-auth  
						
						... 
						
						
						
						Conflicts:
	management/daemon.py 
						
					 
					
						2014-06-21 21:29:25 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							064d75e261 
							
						 
					 
					
						
						
							
							Merge pull request  #73  from mkropat/syslog-logging  
						
						... 
						
						
						
						Tell Flask to log to syslog 
						
					 
					
						2014-06-21 21:22:27 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e70bc50432 
							
						 
					 
					
						
						
							
							README parallel sentence structure  
						
						
						
					 
					
						2014-06-22 00:34:49 +00:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							bb394242ef 
							
						 
					 
					
						
						
							
							Update documentation to use API auth  
						
						... 
						
						
						
						The updated instruction is not very user-friendly. I think the right
solution is to wrap the `/dns` commands in a `tools/dns.py` style
script, along the lines of `tools/mail.py`. 
						
					 
					
						2014-06-22 00:07:14 +00:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							88e496eba4 
							
						 
					 
					
						
						
							
							Update setup scripts to auth against the API  
						
						
						
					 
					
						2014-06-22 00:02:52 +00:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							447399e8cd 
							
						 
					 
					
						
						
							
							Update mail tool to pass api key auth  
						
						
						
					 
					
						2014-06-21 23:49:09 +00:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							067052d4ea 
							
						 
					 
					
						
						
							
							Add key-based authentication to management service  
						
						... 
						
						
						
						Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service. 
						
					 
					
						2014-06-21 23:42:48 +00:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							53e15eae15 
							
						 
					 
					
						
						
							
							Tell Flask to log to syslog  
						
						... 
						
						
						
						- Writes Flask warnings and errors to `/var/log/syslog`
- Helps to debug issues when running in production 
						
					 
					
						2014-06-21 23:25:35 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							67d31ed998 
							
						 
					 
					
						
						
							
							move the SSL setup into its own bash script since it is used for much more than email now  
						
						
						
					 
					
						2014-06-21 22:16:46 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							0ab43ef4fd 
							
						 
					 
					
						
						
							
							have webfinger output a JSON file in STORAGE_ROOT/webfinger/(acct/..)  
						
						
						
					 
					
						2014-06-21 17:08:18 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							326cc2a451 
							
						 
					 
					
						
						
							
							obviously put our stuff in /usr/local and not /usr  
						
						
						
					 
					
						2014-06-21 12:35:00 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							d3cacd4a11 
							
						 
					 
					
						
						
							
							update test_dns  
						
						... 
						
						
						
						Don't check NS records for now because they will only appear on zones.
If a hostname is a subdomain on a zone and not itself a zone, it will
lack NS records.
Also stop testing for ADSP, which we dropped in 126ea94ccf 
						
					 
					
						2014-06-21 12:32:20 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							87b0608f15 
							
						 
					 
					
						
						
							
							test_dns: DNSSEC signing inserts empty text string components  
						
						
						
					 
					
						2014-06-21 12:32:20 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							85169dc960 
							
						 
					 
					
						
						
							
							preliminary support for webfinger  
						
						... 
						
						
						
						It just echos back the subject given to it. 
						
					 
					
						2014-06-20 01:55:16 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5faa1cae71 
							
						 
					 
					
						
						
							
							manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for  
						
						
						
					 
					
						2014-06-20 01:55:12 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							a1a80b295e 
							
						 
					 
					
						
						
							
							update docs a bit  
						
						
						
					 
					
						2014-06-18 23:12:05 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							94a140a27a 
							
						 
					 
					
						
						
							
							linkify README  
						
						
						
					 
					
						2014-06-18 23:04:06 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							126ea94ccf 
							
						 
					 
					
						
						
							
							drop support for ADSP which since last November is no longer recommended per  http://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/  
						
						
						
					 
					
						2014-06-18 22:56:55 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							0f72f78eea 
							
						 
					 
					
						
						
							
							add DNSSEC/DANE TLSA to the README  
						
						
						
					 
					
						2014-06-19 02:23:07 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							782ad04b10 
							
						 
					 
					
						
						
							
							use DANE when sending mail: if the recipient MX has a DANE TLSA record in DNS then Postfix will necessarily encrypt the mail in transport  
						
						
						
					 
					
						2014-06-19 01:58:14 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							95e61bc110 
							
						 
					 
					
						
						
							
							add DANE TLSA records to the PUBLIC_HOSTNAME's DNS  
						
						... 
						
						
						
						Postfix has a tls_security_level called "dane" which uses DNS-Based Authentication of Named Entities (DANE)
to require, if specified in the DNS of the MX host, an encrpyted connection with a known certificate.
This commit adds TLSA records. 
						
					 
					
						2014-06-19 01:39:27 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							699bccad80 
							
						 
					 
					
						
						
							
							missing spaces in nsd.conf (has no effect but looks proper)  
						
						
						
					 
					
						2014-06-18 23:53:52 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							afb6c26c8b 
							
						 
					 
					
						
						
							
							run bind9 on the loopback interface for ensuring we are using a DNSSEC-aware nameserver to resolve our own DNS queries (i.e. when sending mail) since we can't trust that the network configuration provided for us gives us a DNSSEC-aware DNS server  
						
						... 
						
						
						
						see #71  
						
					 
					
						2014-06-18 19:45:47 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							761fac729b 
							
						 
					 
					
						
						
							
							nsd.conf wasn't properly using the signed zone files  
						
						
						
					 
					
						2014-06-18 23:30:35 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							dd15bf4384 
							
						 
					 
					
						
						
							
							use a better sort order for records in DNS zone files  
						
						
						
					 
					
						2014-06-17 23:34:06 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							14396e58f8 
							
						 
					 
					
						
						
							
							dont create a separate zone for PUBLIC_HOSTNAME if it is a subdomain of another zone (hmm, this is a general principle that could apply to any two domains the box is serving)  
						
						
						
					 
					
						2014-06-17 23:30:00 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							33f06f29c1 
							
						 
					 
					
						
						
							
							let the user override some DNS records  
						
						
						
					 
					
						2014-06-17 22:21:51 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							88709506f8 
							
						 
					 
					
						
						
							
							add DNSSEC  
						
						... 
						
						
						
						* sign zones
* in a cron job, periodically re-sign zones because they expire (not tested) 
						
					 
					
						2014-06-17 22:21:12 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							aaa735dbfe 
							
						 
					 
					
						
						
							
							write nsd.conf zones in a predictable order so that we don't keep rewriting it  
						
						
						
					 
					
						2014-06-12 22:28:37 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e9cde52a48 
							
						 
					 
					
						
						
							
							two more cases of shelling out external programs in a more secure way, see  cecda9cec5 
						
						
						
					 
					
						2014-06-12 21:06:04 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							c925f72b0b 
							
						 
					 
					
						
						
							
							remove obsoleted parts of setup/dns.sh  
						
						... 
						
						
						
						Now that dns_update is a part of the management daemon, we no
longer are using STORAGE_ROOT/dns for anything. 
						
					 
					
						2014-06-12 20:18:55 -04:00