1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-10-24 17:50:54 +00:00
Commit Graph

896 Commits

Author SHA1 Message Date
downtownallday
53cbabac75 Fix url redirection when a remote nextcloud is used so that .well-known/caldav and carddav work properly, as well as the redirecting /cloud to the remote Nextcloud. Since the nginx config is replaced by the management daemon whenever a new domain is added, this change adds a hooking mechanism for setup mods.Fix url redirection when a remote nextcloud is in use. This corrects redirection for /.well-known/caldav, /.well-known/carddav and /cloud to send the client to the remote nextcloud. This requires an nginx configuration change, and since the nginx config is replaced by the management daemon whenever a new domain is added, this change adds a hooking mechanism for setup mods allowing them to intercept and modify the resultant nginx config. 2022-09-21 15:52:47 -04:00
downtownallday
dae697e6af fix case where value is None 2022-09-21 09:07:23 -04:00
downtownallday
76e7528b34 hook python's log to gunicorn's 2022-09-19 14:47:50 -04:00
downtownallday
bf63ca827e Add copyright to source files 2022-09-19 14:45:11 -04:00
downtownallday
5e1dcc933f close the multiprocessing pool to avoid hang 2022-09-18 15:42:15 -04:00
downtownallday
45d5b7cb25 Merge branch 'jammyjellyfish2204' of https://github.com/mail-in-a-box/mailinabox into jammyjellyfish2204
# Conflicts:
#	setup/webmail.sh
#	tools/editconf.py
2022-09-17 19:54:52 -04:00
downtownallday
688d1f668b Add custom backup option to nuke current backup before full backup.
When short on disk space and storing backup locally, delete all local backups before a new one is created. Otherwise, enough disk space for a minimum of 2 full backups is needed, which may not be available.
2022-09-17 18:11:09 -04:00
Joshua Tauberer
58ded74181 Restore the backup S3 host select box if an S3 target has been set
Also remove unnecessary import added in 7cda439c. Was a mistake from edits during PR review.
2022-09-17 09:07:54 -04:00
Steve Hay
3fd2e3efa9
Replace Flask built-in WSGI server with gunicorn (#2158) 2022-09-17 08:03:16 -04:00
Steve Hay
7cda439c80
Port boto to boto3 and fix asyncio issue in the management daemon (#2156)
Co-authored-by: Steve Hay <hay.steve@gmail.com>
2022-09-17 07:57:12 -04:00
downtownallday
f63488aa1a Merge branch 'master' into jammyjellyfish2204
# Conflicts:
#	setup/management.sh
#	setup/mods.available/connect-nextcloud-to-miab.sh
#	setup/start.sh
#	setup/webmail.sh
#	tests/lib/carddav.sh
#	tests/lib/system.sh
#	tests/system-setup/setup-defaults.sh
#	tests/system-setup/setup-funcs.sh
#	tests/system-setup/upgrade.sh
2022-09-05 10:30:45 -04:00
downtownallday
a7739196b4 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox into jammyjellyfish2204 2022-09-05 09:28:26 -04:00
downtownallday
f6cd8f56c3 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2022-08-21 14:07:30 -04:00
Sudheesh Singanamalla
d7244ed920
Fixes #2149 Append ; in policy strings for DMARC settings (#2151)
Signed-off-by: Sudheesh Singanamalla <sudheesh@cloudflare.com>
2022-08-19 13:23:42 -04:00
Joshua Tauberer
ab71abbc7c Update to latest cryptography Python package, add missing source at top of management.sh so it can run standalone (needs STORAGE_ROOT) 2022-07-28 14:42:51 -04:00
Joshua Tauberer
78d71498fa Upgrade from PHP 7.2 to 8.0 for Ubuntu 22.04
* Add the PHP PPA.
* Specify the version when invoking the php CLI.
* Specify the version in package names.
* Update paths to 8.0 (using a variable in the setup scripts).
* Update z-push's php-xsl dependency to php8.0-xml.
* php-json is now built-into PHP.

Although PHP 8.1 is the stock version in Ubuntu 22.04, it's not supported by Nextcloud yet, and it likely will never be supported by the the version of Nextcloud that succeeds the last version of Nextcloud that supports PHP 7.2, and we have to install the next version so that an upgrade is permitted, so skipping to PHP 8.1 may not be easily possible.
2022-07-28 14:02:46 -04:00
Joshua Tauberer
b41a0ad80e Drop some hacks that we needed for Ubuntu 18.04
* certbot's PPA is no longer needed because a recent version is now included in the Ubuntu respository.
* Un-pin b2sdk (reverts 69d8fdef99 and d829d74048).
* Revert boto+s3 workaround for duplicity (partial revert of 99474b348f).
* Revert old "fix boto 2 conflict on Google Compute Engine instances" (cf33be4596) which is probably no longer needed.
2022-07-28 14:02:46 -04:00
Rauno Moisto
78569e9a88 Fix DeprecationWarning in dnspython query vs resolve method
The resolve method disables resolving relative names by default. This change probably makes a7710e90 unnecessary. @JoshData added some additional changes from query to resolve.
2022-07-28 14:02:46 -04:00
downtownallday
88733f3d0e Ignore opendkim message
We only care about messages regarding the validity of incoming mail.
2022-06-27 14:31:00 -04:00
downtownallday
23d895b509 Fix another postgrey reload error 2022-06-27 14:28:43 -04:00
downtownallday
1c0d9a3221 Allow .local domains as valid email address, which fixes an issue caused by the 'email_validator' python module that was recently updated to version 1.2.1 2022-06-22 19:33:19 -04:00
downtownallday
c79fca6a45 Allow .local domains as valid email address, which fixes an issue caused by the 'email_validator' python module that was recently updated to version 1.2.1 2022-06-22 11:23:32 -04:00
downtownallday
c135bf1f77 Merge branch 'jammyjellyfish2204' of https://github.com/mail-in-a-box/mailinabox into jammyjellyfish2204
# Conflicts:
#	CHANGELOG.md
#	README.md
#	conf/nginx-top.conf
#	management/backup.py
#	setup/bootstrap.sh
#	setup/management.sh
#	setup/nextcloud.sh
#	setup/system.sh
#	setup/web.sh
#	setup/webmail.sh
#	setup/zpush.sh
#	tests/test_mail.py
2022-06-21 23:58:17 -04:00
Joshua Tauberer
a6ae0e6da1 Update to latest cryptography Python package, add missing source at top of management.sh so it can run standalone (needs STORAGE_ROOT) 2022-06-19 07:31:07 -04:00
Joshua Tauberer
0159347673 Upgrade from PHP 7.2 to 8.0 for Ubuntu 22.04
* Add the PHP PPA.
* Specify the version when invoking the php CLI.
* Specify the version in package names.
* Update paths to 8.0 (using a variable in the setup scripts).
* Update z-push's php-xsl dependency to php8.0-xml.
* php-json is now built-into PHP.

Although PHP 8.1 is the stock version in Ubuntu 22.04, it's not supported by Nextcloud yet, and it likely will never be supported by the the version of Nextcloud that succeeds the last version of Nextcloud that supports PHP 7.2, and we have to install the next version so that an upgrade is permitted, so skipping to PHP 8.1 may not be easily possible.
2022-06-19 07:31:05 -04:00
Joshua Tauberer
794d3fb0d8 Drop some hacks that we needed for Ubuntu 18.04
* certbot's PPA is no longer needed because a recent version is now included in the Ubuntu respository.
* Un-pin b2sdk (reverts 69d8fdef99 and d829d74048).
* Revert boto+s3 workaround for duplicity (partial revert of 99474b348f).
* Revert old "fix boto 2 conflict on Google Compute Engine instances" (cf33be4596) which is probably no longer needed.
2022-06-19 07:30:24 -04:00
Rauno Moisto
07d850e751 Fix DeprecationWarning in dnspython query vs resolve method
The resolve method disables resolving relative names by default. This change probably makes a7710e90 unnecessary. @JoshData added some additional changes from query to resolve.
2022-06-19 05:45:29 -04:00
downtownallday
639826b97a Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
2022-06-12 17:22:13 -04:00
Joshua Tauberer
99474b348f Update backup to be compatible with duplicity 0.8.23
We were using duplicity 0.8.21-ppa202111091602~ubuntu1 from the duplicity PPA probably until June 5, which is when my box automatically updated to 0.8.23-ppa202205151528~ubuntu18.04.1. Starting with that version, two changes broke backups:

* The default s3 backend was changed to boto3. But boto3 depends on the AWS SDK which does not support Ubuntu 18.04, so we can't install it. Instead, we map s3: backup target URLs to the boto+s3 scheme which tells duplicity to use legacy boto. This should be reverted when we can switch to boto3.
* Contrary to the documentation, the s3 target no longer accepts a S3 hostname in the URL. It now reads the bucket from the hostname part of the URL. So we now drop the hostname from our target URL before passing it to duplicity and we pass the endpoint URL in a separate command-line argument. (The boto backend was dropped from duplicity's "uses_netloc" in 74d4cf44b1 (f5a07610d36bd242c3e5b98f8348879a468b866a_37_34), but other changes may be related.)

The change of target URL (due to both changes) seems to also cause duplicity to store cached data in a different directory within $STORAGE_ROOT/backup/cache, so on the next backup it will re-download cached manifest/signature files. Since the cache directory will still hold the prior data which is no longer needed, it might be a good idea to clear out the cache directory to save space. A system status checks message is added about that.

Fixes #2123
2022-06-12 08:17:48 -04:00
Joshua Tauberer
8bebaf6a48 Simplify duplicity command line by omitting rsync options if the backup target type is not rsync 2022-06-11 15:12:31 -04:00
downtownallday
5caaab9a8f Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2022-05-04 17:15:45 -04:00
lamberete
6e40c69cb5
Error message using IPv4 instead of failing IPv6.
One of the error messages around IPv6 was using the IPv4 for the output, making the error message confusing.
2022-03-26 13:50:24 +01:00
lamberete
c0e54f87d7
Sorting ds records on report.
When building the part of the report about the current DS records founded, they are added in the same order as they were received when calling query_dns(), which can differ from run to run. This was making the difflib.SequenceMatcher() method to find the same line removed and added one line later, and sending an Status Checks Change Notice email with the same line added and removed when there was actually no real changes.
2022-03-26 13:45:49 +01:00
downtownallday
72827f365d Change service and package names referring to php 8.0 to php 8.1 2022-02-25 19:47:30 -05:00
downtownallday
82e203b3ec Fix issue where a postfix/submission connection using TLS on port 465 would be reported as "insecure" 2022-02-08 11:35:27 -05:00
downtownallday
4e6550ed22 Merge branch 'jammyjellyfish2204' of https://github.com/mail-in-a-box/mailinabox into jammyjellyfish2204
# Conflicts:
#	README.md
#	setup/mail-dovecot.sh
#	setup/system.sh
#	setup/webmail.sh
#	setup/zpush.sh
#	tests/test_mail.py
2022-01-11 16:39:39 -05:00
downtownallday
f5c92d936d Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	setup/webmail.sh
2022-01-11 09:52:34 -05:00
Daniel Mabbett
ae20878431 Upgrade from PHP 7.2 to 8.0 for Ubuntu 22.04
(Updated by @JoshData from the original commit which was for Ubuntu 20.04 using PHP 7.4. And although 8.1 seems to be available, it's not supported by Nextcloud yet, and it likely will never be supported by the the version of Nextcloud that succeeds the last version of Nextcloud that supports PHP 7.2, and we have to install the next version so that an upgrade is permitted, so skipping to PHP 8.1 may not be easily possible.)
2022-01-08 20:07:32 -05:00
Rauno Moisto
22fc612a82 Fix DeprecationWarning in dnspython query vs resolve method
The resolve method disables resolving relative names by default. This change probably makes a7710e90 unnecessary. @JoshData added some additional changes from query to resolve.
2022-01-08 20:07:32 -05:00
Joshua Tauberer
cb564a130a Fix DNS secondary nameserver refesh failure retry period
Fixes #1979
2022-01-08 09:38:41 -05:00
Erik Hennig
520caf6557
fix: typo in system backup template (#2081) 2022-01-02 08:11:41 -05:00
downtownallday
8392eacd94 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-12-28 08:59:09 -05:00
Arno Hautala
a85c429a85
regex change to exclude comma from sasl_username (#2074)
as proposed in #2071 by @jvolkenant
2021-12-19 08:33:59 -05:00
downtownallday
250a53c025 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-11-27 14:22:13 -05:00
steadfasterX
aac878dce5
fix: key flag id for KSK, fix format (#2063)
as mentioned (https://github.com/mail-in-a-box/mailinabox/pull/2033#issuecomment-976365087) KSK is 257, not 256
2021-11-23 11:06:17 -05:00
downtownallday
4767afe8de Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-10-26 23:05:35 -04:00
Joshua Tauberer
34017548d5 Don't crash if a custom DNS entry is not under a zone managed by the box, fixes #1961 2021-10-22 18:39:53 -04:00
downtownallday
00805cb52c Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
2021-10-19 07:11:33 -04:00
Richard Willis
1c3bca53bb
Fix broken link in external-dns.html (#2045) 2021-10-18 07:36:48 -04:00
downtownallday
e3bc8b1a41 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-10-15 18:49:48 -04:00
ukfhVp0zms
b643cb3478
Update calendar/contacts android app info (#2044)
DAVdroid has been renamed to DAVx⁵ and price increased from $3.69 to $5.99.
CardDAV-Sync free is no longer in beta.
CalDAV-Sync price increased from $2.89 to $2.99.
2021-10-13 19:09:05 -04:00
downtownallday
66ac35871e Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
Upstream is adding handling for utf8 domains by creating a domain alias @utf8 -> @idna. I'm deviating from this approach by setting multiple email address (idna and utf8) per user and alias where a domain contains non-ascii characters. The maildrop (mailbox) remains the same - all mail goes to the user's mailbox regardless of which email address was used. This is more in line with how other systems (eg. active directory), handle multiple email addresses for a single user.

# Conflicts:
#	README.md
#	management/mailconfig.py
#	management/templates/index.html
#	setup/dns.sh
#	setup/mail-users.sh
2021-10-01 17:43:48 -04:00
Joshua Tauberer
113b7bd827 Disable SMTPUTF8 in Postfix because Dovecot LMTP doesn't support it and bounces messages that require SMTPUTF8
By not advertising SMTPUTF8 support at the start, senders may opt to transmit recipient internationalized domain names in IDNA form instead, which will be deliverable.

Incoming mail with internationalized domains was probably working prior to our move to Ubuntu 18.04 when postfix's SMTPUTF8 support became enabled by default.

The previous commit is retained because Mail-in-a-Box users might prefer to keep SMTPUTF8 on for outbound mail, if they are not using internationalized domains for email, in which case the previous commit fixes the 'relay access denied' error even if the emails aren't deliverable.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
3e19f85fad Add domain maps from Unicode forms of internationalized domains to their ASCII forms
When an email is received by Postfix using SMTPUTF8 and the recipient domain is a Unicode internationalized domain, it was failing to be delivered (bouncing with 'relay access denied') because our users and aliases tables only store ASCII (IDNA) forms of internationalized domains. In this commit, domain maps are added to the auto_aliases table from the Unicode form of each mail domain to its IDNA form, if those forms are different. The Postfix domains query is updated to look at the auto_aliases table now as well, since it is the only table with Unicode forms of the mail domains.

However, mail delivery is still not working since the Dovecot LMTP server does not support SMTPUTF8, and mail still bounces but with an error that SMTPUTF8 is not supported.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
11e84d0d40 Move automatically generated aliases to a separate database table
They really should never have been conflated with the user-provided aliases.

Update the postfix alias map to query the automatically generated aliases with lowest priority.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
79966e36e3 Set a cookie for /admin/munin pages to grant access to Munin reports
The /admin/munin routes used the same Authorization: header logic as the other API routes, but they are browsed directly in the browser because they are handled as static pages or as a proxy to a CGI script.

This required users to enter their email username/password for HTTP basic authentication in the standard browser auth prompt, which wasn't ideal (and may leak the password in browser storage). It also stopped working when MFA was enabled for user accounts.

A token is now set in a cookie when visiting /admin/munin which is then checked in the routes that proxy the Munin pages. The cookie's lifetime is kept limited to limit the opportunity for any unknown CSRF attacks via the Munin CGI script.
2021-09-24 08:11:36 -04:00
drpixie
df46e1311b
Include NSD config files from /etc/nsd/nsd.conf.d/*.conf (#2035)
And write MIAB dns zone config into /etc/nsd/nsd.conf.d/zones.conf. Delete lingering old zones.conf file.

Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-24 08:07:40 -04:00
downtownallday
4403e65053 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-09-23 17:11:53 -04:00
Elsie Hupp
353084ce67
Use "smart invert" for dark mode (#2038)
* Use "smart invert" for dark mode

Signed-off-by: Elsie Hupp <9206310+elsiehupp@users.noreply.github.com>

* Add more contrast to form controls

Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-19 09:53:03 -04:00
downtownallday
763cdfcd7e remove /admin/me call, which is no longer available, and use the new api_credentials Object, which used to be a String.
add X-Requested-With header to requests so 401's are not returned by daemon.py.
2021-09-14 10:00:17 -04:00
downtownallday
026115b845 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-09-14 08:37:22 -04:00
downtownallday
402207714b Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	management/auth.py
#	management/daemon.py
#	management/templates/index.html
#	setup/management.sh
2021-09-14 08:16:08 -04:00
mailinabox-contributor
91079ab934
add numeric flag value to DNSSEC DS status message (#2033)
Some registrars (e.g. Porkbun) accept Key Data when creating a DS RR,
but accept only a numeric flags value to indicate the key type (256 for KSK, 257 for ZSK).

https://datatracker.ietf.org/doc/html/rfc5910#section-4.3
2021-09-10 16:12:41 -04:00
Joshua Tauberer
e5909a6287 Allow non-admin login to the control panel and show/hide menu items depending on the login state
* When logged out, no menu items are shown.
* When logged in, Log Out is shown.
* When logged in as an admin, the remaining menu items are also shown.
* When logged in as a non-admin, the mail and contacts/calendar instruction pages are shown.

Fixes #1987
2021-09-06 09:23:58 -04:00
Joshua Tauberer
26932ecb10 Add a 'welcome' panel to the control panel and make it the default page instead of the status checks which take too long to load
Fixes #2014
2021-09-06 09:23:58 -04:00
Joshua Tauberer
e884c4774f Replace HMAC-based session API keys with tokens stored in memory in the daemon process
Since the session cache clears keys after a period of time, this fixes #1821.

Based on https://github.com/mail-in-a-box/mailinabox/pull/2012, and so:

Co-Authored-By: NewbieOrange <NewbieOrange@users.noreply.github.com>

Also fixes #2029 by not revealing through the login failure error message whether a user exists or not.
2021-09-06 09:23:58 -04:00
Joshua Tauberer
53ec0f39cb Use 'secrets' to generate the system API key and remove some debugging-related code
* Rename the 'master' API key to be called the 'system' API key
* Generate the key using the Python secrets module which is meant for this
* Remove some debugging helper code which will be obsoleted by the upcoming changes for session keys
2021-09-06 09:23:58 -04:00
downtownallday
4bf71e68be Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-08-23 17:48:17 -04:00
David Duque
ba80d9e72d
Show backup retention period form when configuring B2 backups (#2024) 2021-08-23 06:25:41 -04:00
downtownallday
b6fd371615 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-08-22 16:28:54 -04:00
Joshua Tauberer
67b5711c68 Recommend that DS records be updated to not use SHA1 and exclude MUST NOT methods (SHA1) and the unlikely option RSASHA1-NSEC3-SHA1 (7) + SHA-384 (4) from the DS record suggestions 2021-08-22 14:43:46 -04:00
myfirstnameispaul
20ccda8710 Re-order DS record algorithms by digest type and revise warning message.
Note that 7, 4 is printed last in the status checks page but does not appear in the file, and I couldn't figure out why.
2021-08-22 14:29:36 -04:00
lamkin
daad122236
Ignore bad encoding in email addresses when parsing maillog files (#2017)
local/domain parts of email address should be standard ASCII or
UTF-8. Some email addresses contain extended ASCII, leading to
decode failure by the UTF-8 codec (and thus failure of the
Usage-Report script)

This change allows maillog parsing to continue over lines
containing such addresses
2021-08-16 11:46:32 -04:00
downtownallday
e87290dd42 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox 2021-08-03 05:40:16 -04:00
NewbieOrange
21ad26e452
Disable auto-complete for 2FA code in the control panel login form (#2013) 2021-07-28 16:39:40 -04:00
downtownallday
0f09880aa6 add -H option to /bin/chown call in case 'encrypted' is a symbolic link 2021-06-07 06:40:05 -04:00
downtownallday
fc4ad70535 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	management/dns_update.py
#	management/web_update.py
#	tests/test_mail.py
2021-05-15 22:35:48 -04:00
Joshua Tauberer
d510c8ae2a Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)
Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2021-05-15 16:42:14 -04:00
Joshua Tauberer
e283a12047 Add null SPF, DMARC, and MX records for automatically generated autoconfig, autodiscover, and mta-sts subdomains; add null MX records for custom A-record subdomains
All A/AAAA-resolvable domains that don't send or receive mail should have these null records.

This simplifies the handling of domains a bit by handling automatically generated subdomains more like other domains.
2021-05-15 16:42:14 -04:00
Joshua Tauberer
e421addf1c Pre-load domain purpopses when building DNS zonefiles rather than querying mail domains at each subdomain 2021-05-09 08:16:07 -04:00
Joshua Tauberer
354a774989 Remove a debug line added in 8cda58fb 2021-05-09 07:34:44 -04:00
downtownallday
7144ed041e Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
#	setup/start.sh
2021-05-08 09:20:04 -04:00
Joshua Tauberer
aaa81ec879 Fix indentation issue in bc4ae51c2d 2021-05-08 09:06:18 -04:00
John @ S4
d4c5872547
Make clear that non-AWS S3 backups are supported (#1947)
Just a few wording changes to show that it is possible to make S3 backups to other services than AWS - prompted by a thread on MIAB discourse.
2021-05-08 08:32:58 -04:00
Hala Alajlan
bc4ae51c2d
Handle query dns timeout unhandled error (#1950)
Co-authored-by: hala alajlan <halalajlan@gmail.com>
2021-05-08 08:26:40 -04:00
Jawad Seddar
12aaebfc54
custom.yaml: add support for X-Frame-Options header and proxy_redirect off (#1954) 2021-05-08 08:25:33 -04:00
downtownallday
30f9cc07cd Clarify entry description 2021-04-15 09:09:24 -04:00
downtownallday
d20c3e6ffa Merge branch 'master' into postgrey-whitelist 2021-04-13 07:00:47 -04:00
downtownallday
4227fa2b42 Merge branch 'master' into reporting 2021-04-13 06:51:05 -04:00
downtownallday
6bfcd679e1 Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
2021-04-13 00:22:55 -04:00
Joshua Tauberer
8cda58fb22 Speed up status checks a bit by removing a redundant check if the PRIMARY_HOSTNAME certificate is signed and valid 2021-04-12 19:42:12 -04:00
Joshua Tauberer
178c587654 Migrate to the ECDSAP256SHA256 (13) DNSSEC algorithm
* Stop generating RSASHA1-NSEC3-SHA1 keys on new installs since it is no longer recommended, but preserve the key on existing installs so that we continue to sign zones with existing keys to retain the chain of trust with existing DS records.
* Start generating ECDSAP256SHA256 keys during setup, the current best practice (in addition to RSASHA256 which is also ok). See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 and https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/.
* Sign zones using all available keys rather than choosing just one based on the TLD to enable rotation/migration to the new key and to give the user some options since not every registrar/TLD supports every algorithm.
* Allow a user to drop a key from signing specific domains using DOMAINS= in our key configuration file. Signing the zones with extraneous keys may increase the size of DNS responses, which isn't ideal, although I don't know if this is a problem in practice. (Although a user can delete the RSASHA1-NSEC3-SHA1 key file, the other keys will be re-generated on upgrade.)
* When generating zonefiles, add a hash of all of the DNSSEC signing keys so that when the keys change the zone is definitely regenerated and re-signed.
* In status checks, if DNSSEC is not active (or not valid), offer to use all of the keys that have been generated (for RSASHA1-NSEC3-SHA1 on existing installs, RSASHA256, and now ECDSAP256SHA256) with all digest types, since not all registers support everything, but list them in an order that guides users to the best practice.
* In status checks, if the deployed DS record doesn't use a ECDSAP256SHA256 key, prompt the user to update their DS record.
* In status checks, if multiple DS records are set, only fail if none are valid. If some use ECDSAP256SHA256 and some don't, remind the user to delete the DS records that don't.
* Don't fail if the DS record uses the SHA384 digest (by pre-generating a DS record with that digest type) but don't recommend it because it is not in the IANA mandatory list yet (https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml).

See #1953
2021-04-12 19:42:12 -04:00
downtownallday
36d9cbb4e8 Split the User Activity/IMAP connections tab into two tables to better deal with the quantity of data 2021-04-12 15:07:56 -04:00
downtownallday
212b0b74cb Add missing file 2021-04-10 17:26:36 -04:00
downtownallday
9c87884837 Merge branch 'reporting' into postgrey-whitelist 2021-04-10 16:50:30 -04:00
downtownallday
26609c4223 Fix cell alignment 2021-04-10 16:49:46 -04:00
downtownallday
b881325bcb Add ability to view message headers in the user activity panel
... and add message-id to output detail
2021-04-10 13:33:08 -04:00
downtownallday
f80978b6d8 Add missing import 2021-04-10 10:09:05 -04:00
downtownallday
2ec25b75c1 Switch to ES6 modules 2021-04-10 09:29:29 -04:00
downtownallday
c1d92195d8 Change text case 2021-04-09 14:58:30 -04:00
downtownallday
0df9de30c9 Manage the local Postgrey whitelist in the admin console 2021-04-09 09:47:07 -04:00
downtownallday
82e06a6f15 Include remote_host, remote_ip and failure_info with user's received mail details 2021-04-09 07:33:49 -04:00
downtownallday
0ec968c3b6 Fix model update on create and activate 2021-04-09 06:44:25 -04:00
downtownallday
606e5e0569 Better handling of timeseries containing just one value 2021-04-08 14:43:35 -04:00
downtownallday
26319ac59b Add 'today' and 'yesterday' to date range picker 2021-04-08 14:41:53 -04:00
downtownallday
b4c2cdef7d Include IMAP connection records in overall db stats table 2021-04-08 13:29:04 -04:00
downtownallday
721dd1273f Add IMAP connection reporting
Fix binsizes and barwidths on timeseries charts
Fix timezone issue in timeseries scales
2021-04-08 12:53:32 -04:00
downtownallday
ac811bcbd1 Add some test scripts 2021-04-07 18:11:21 -04:00
downtownallday
2b3c2fcc02 Fix slowness when typing in search box 2021-04-07 18:03:50 -04:00
downtownallday
33ea865d65 Capture Dovecot logs 2021-04-07 18:03:06 -04:00
downtownallday
87cc106574 Add 'last 7 days' and 'last 30 days' to report date range dropdown 2021-04-07 09:25:26 -04:00
downtownallday
ff6cdf14f6 Merge branch 'master' into reporting 2021-04-07 08:28:31 -04:00
downtownallday
002c4edb88 Fix table alignment 2021-04-07 08:27:22 -04:00
downtownallday
b7faafca6b Only consider messages that weren't rejected 2021-03-17 15:33:16 -04:00
downtownallday
8a6f962b3e Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	setup/management.sh
2021-02-28 12:47:10 -05:00
Joshua Tauberer
6653dbb2e2 Sort the Custom DNS by zone and qname, and add an option to go back to the old sort order (creation order)
Update the zone grouping style on the users and aliases page to match.

Fixes #1927
2021-02-28 09:40:32 -05:00
Joshua Tauberer
d36a2cc938 Enable Backblaze B2 backups
This reverts commit b1d703a5e7 and adds python3-setuptools per the first version of #1899 which fixes an installation error for the b2sdk Python package.
2021-02-28 08:04:14 -05:00
jeremitu
82ca54df96
Fixed #1894 log date over year change, START_DATE < END_DATE now. (#1905)
* Fixed #1894 log date over year change, START_DATE < END_DATE now.

* Corrected mail_log.py argument help and message.

Co-authored-by: Jarek <jarek@box.jurasz.de>
2021-02-28 07:59:26 -05:00
downtownallday
e5d762da38 Don't report the api key to syslog 2021-02-19 05:22:35 -05:00
downtownallday
3c676fd2c1 Merge branch 'master' into reporting 2021-01-31 17:16:34 -05:00
downtownallday
810bf15a43 Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	README.md
#	setup/management.sh
2021-01-31 16:56:49 -05:00
Joshua Tauberer
b1d703a5e7 Disable Backblaze B2 backups until #1899 is resolved 2021-01-31 08:33:56 -05:00
Felix Spöttel
e3d98b781e
Warn when connection to Spamhaus times out (#1817) 2021-01-28 18:22:43 -05:00
downtownallday
2b44fe4a12 Only show alias if one 2021-01-14 15:00:29 -05:00
downtownallday
9b89a5c504 Better handling of mail addressed to an alias 2021-01-13 22:29:16 -05:00
downtownallday
523a63f776 Make the default table row limit 500 instead of 1000 2021-01-12 09:22:41 -05:00
downtownallday
3e2858f5de Change wording 2021-01-12 09:22:22 -05:00
downtownallday
a392dca264 Merge branch 'master' into reporting 2021-01-11 21:50:58 -05:00
downtownallday
a395b1c48f Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox 2021-01-11 21:30:10 -05:00
downtownallday
2a0e50c8d4 Initial commit of a log capture and reporting feature
This adds a new section to the admin panel called "Activity", that
supplies charts, graphs and details about messages entering and leaving
the host.

A new daemon captures details of system mail activity by monitoring
the /var/log/mail.log file, summarizing it into a sqllite database
that's kept in user-data.
2021-01-11 18:02:07 -05:00
Josh Brown
879467d358
Fix typo in users.html (#1895)
lettters -> letters
fixes #1888
2021-01-05 21:12:01 -05:00
Nicolas North
8025c41ee4
Bump TTL for NS records to 1800 (30 min) to 86400 (1 day) as some registries require this (#1892)
Co-authored-by: Nicolas North [norðurljósahviða] <nz@tillverka.xyz>
2021-01-03 17:57:54 -05:00
downtownallday
24c156c594 Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox
# Conflicts:
#	setup/management.sh
2020-11-27 16:50:12 -05:00
Hilko
8664afa997
Implement Backblaze for Backup (#1812)
* Installing b2sdk for b2 support
* Added Duplicity PPA so the most recent version is used
* Implemented list_target_files for b2
* Implemented b2 in frontend
* removed python2 boto package
2020-11-26 07:13:31 -05:00
Joshua Tauberer
82229ce04b Document how to start the control panel from the command line and in debugging use a stable API key 2020-11-26 07:11:49 -05:00
downtownallday
a0dd58d29e Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox 2020-11-17 07:46:22 -05:00
Victor
b85b86e6de
Add download zonefile button to external DNS page (#1853)
Co-authored-by: Joshua Tauberer <jt@occams.info>
2020-11-16 06:03:41 -05:00
downtownallday
ad3174f08e Merge branch 'totp' 2020-10-31 11:39:35 -04:00
downtownallday
d1110c4c02 merge from upstream 2020-10-31 11:31:44 -04:00
Joshua Tauberer
6a979f4f52
Add TOTP two-factor authentication to admin panel login (#1814)
* add user interface for managing 2fa

* update user schema with 2fa columns

* implement two factor check during login

* Use pyotp for validating TOTP codes

* also implements resynchronisation support via `pyotp`'s `valid_window option

* Update API route naming, update setup page

* Rename /two-factor-auth/ => /2fa/
* Nest totp routes under /2fa/totp/
* Update ids and methods in panel to allow for different setup types

* Autofocus otp input when logging in, update layout

* Extract TOTPStrategy class to totp.py

* this decouples `TOTP` validation and storage logic from `auth` and moves it to `totp`
* reduce `pyotp.validate#valid_window` from `2` to `1`

* Update OpenApi docs, rename /2fa/ => /mfa/

* Decouple totp from users table by moving to totp_credentials table

* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credentials per user on db-level

* Add sqlite migration

* Rename internal validate_two_factor_secret => validate_two_factor_secret

* conn.close() if mru_token update can't .commit()

* Address review feedback, thanks @hija

* Use hmac.compare_digest() to compare mru_token

* Safeguard against empty mru_token column

* hmac.compare_digest() expects arguments of type string, make sure we don't pass None
 * Currently, this cannot happen but we might not want to store `mru_token` during setup

* Do not log failed login attempts for MissingToken errors

* Due to the way that the /login UI works, this persists at least one failed login each time a user logs into the admin panel. This in turn triggers fail2ban at some point.

* Add TOTP secret to user_key hash

thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`

* Typo

* Reorganize the MFA backend methods

* Reorganize MFA front-end and add label column

* Fix handling of bad input when enabling mfa

* Update openAPI docs

* Remove unique key constraint on foreign key user_id in mfa table

* Don't expose mru_token and secret for enabled mfas over HTTP

* Only update mru_token for matched mfa row

* Exclude mru_token in user key hash

* Rename tools/mail.py to management/cli.py

* Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost

Co-authored-by: Joshua Tauberer <jt@occams.info>
2020-10-31 10:27:38 -04:00
Joshua Tauberer
545e7a52e4 Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost 2020-10-31 10:23:43 -04:00
downtownallday
a7370beae0 Merge remote-tracking branch 'fspoettel/admin-panel-2fa' into totp
# Conflicts:
#	management/daemon.py
#	management/mfa.py
2020-10-29 16:56:36 -04:00
Joshua Tauberer
601c23d91b Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost 2020-10-29 15:42:00 -04:00
Joshua Tauberer
ac9ecc3bd3 Rename tools/mail.py to management/cli.py 2020-10-29 15:41:54 -04:00
downtownallday
9057c12c38 Merge branch 'master' of https://github.com/mail-in-a-box/mailinabox 2020-10-16 21:07:36 -04:00
David Duque
8b166f3041
Display certificate expiry dates in ISO format (#1841) 2020-10-16 16:22:36 -04:00
Joshua Tauberer
5509420637 s/Days/Retention Days/ on the backup settings page 2020-10-15 14:11:43 -04:00
downtownallday
f6b04b314f Add totpMruTokenTime to upgrade 2020-09-30 11:50:49 -04:00
downtownallday
100acb119b Add a totpMruTokenTime value to record the time when the mru token was used
Use the totpMruTokenTime as the id to uniquely identify a totp entry
2020-09-30 11:00:58 -04:00
downtownallday
a5ebd07549 Merge remote-tracking branch 'fspoettel/admin-panel-2fa' into totp
# Conflicts:
#	management/auth.py
#	management/mfa.py
2020-09-30 09:05:03 -04:00