PortableTech 
							
						 
					 
					
						
						
						
						
							
						
						
							415f95b792 
							
						 
					 
					
						
						
							
							Add TLSA record for HTTPS connections.  
						
						
						
						
						While not widely supported, there are some browser addons that can
validate DNSSEC and TLSA for additional out-of-band verification of
certificates when browsing the web.  Costs nothing to implement and
might improve security in some situations. 
						
					 
					
						2015-07-13 09:12:13 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5dd5fc4a1c 
							
						 
					 
					
						
						
							
							clean up multiple secondary nameservers and zone xfr ip addresses  
						
						
						
					 
					
						2015-07-10 15:42:33 +00:00 
						 
				 
			
				
					
						
							
							
								Brian Bustin 
							
						 
					 
					
						
						
						
						
							
						
						
							09133c8f59 
							
						 
					 
					
						
						
							
							Initial backend changes to make it possible to have one or more secondary name servers  
						
						
						
					 
					
						2015-07-10 14:59:38 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							acd91665b5 
							
						 
					 
					
						
						
							
							setting an alias to forward to two or more addresses was broken since aa33428311
						
						
						
						
						fixes #482
					
						2015-07-04 15:28:45 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ff4780d5fb 
							
						 
					 
					
						
						
							
							better error handling of invalid PEM files  
						
						
						
					 
					
						2015-07-03 14:00:59 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							0924f8ca7a 
							
						 
					 
					
						
						
							
							allow for PEM private keys in the 'BEGIN PRIVATE KEY' format too  
						
						
						
						
						see https://discourse.mailinabox.email/t/another-upgrade-failure/630/5  
						
					 
					
						2015-07-02 15:37:26 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e57e08088a 
							
						 
					 
					
						
						
							
							the control panel would not allow installing a certificate for a www redirect domain, fixes #475
						
						
						
					 
					
						2015-07-02 10:53:54 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							42a506231b 
							
						 
					 
					
						
						
							
							don't automatically create the administrator@ alias (e.g. on first user creation) because we don't know what it should be an alias to (leave this to be resolved manually), fixes #470
						
						
						
						
						Was broken by 462a79cf47 
						
					 
					
						2015-06-30 09:16:22 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e3252f53da 
							
						 
					 
					
						
						
							
							idna domains in certificate subject alternative names were not handled correctly after switching to cryptography package  
						
						
						
					 
					
						2015-06-30 13:09:18 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							aa33428311 
							
						 
					 
					
						
						
							
							some IDNA functionality was still using Python's built-in IDNA 2003 encoder rather than the idna package's IDNA 2008 encoder  
						
						
						
					 
					
						2015-06-30 13:09:18 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5ef1cfbdc7 
							
						 
					 
					
						
						
							
							forgot new version.html template file  
						
						
						
					 
					
						2015-06-25 17:43:50 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							7527b4dc27 
							
						 
					 
					
						
						
							
							show the Mail-in-a-Box version in the control panel and a button to ping the MiaB website for the latest version  
						
						
						
						
						fixes #441
					
						2015-06-25 13:43:11 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							299a2315c1 
							
						 
					 
					
						
						
							
							dkim 2048 bits - migration and zone file generation changes  
						
						
						
						
						* Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.)
* Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings.
* When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec.
* Added a changelog entry. 
						
					 
					
						2015-06-25 13:06:29 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							dece359c90 
							
						 
					 
					
						
						
							
							validate certificates using the cryptography python package as much as possible, shelling out to openssl just once instead of four times per certificate  
						
						
						
						
						* Use `cryptography` instead of parsing openssl's output.
* When checking if we can reuse the primary domain certificate or a www-parent-domain certificate for a domain, avoid shelling out to openssl entirely. 
						
					 
					
						2015-06-21 14:53:37 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							43d50d0667 
							
						 
					 
					
						
						
							
							Merge pull request #445 from bizonix/patch-1
						
						
						
						
						fix wrong redirect for automatic www subdomain redirects 
						
					 
					
						2015-06-18 07:05:01 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6258a7f311 
							
						 
					 
					
						
						
							
							status checks were broken if sshd was not present, fixes #444
						
						
						
					 
					
						2015-06-18 11:01:11 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ab36cc8968 
							
						 
					 
					
						
						
							
							whitespace=>tabs  
						
						
						
					 
					
						2015-06-18 10:54:51 +00:00 
						 
				 
			
				
					
						
							
							
								bizonix 
							
						 
					 
					
						
						
						
						
							
						
						
							33b71c6b3c 
							
						 
					 
					
						
						
							
							fix wrong redirect  
						
						
						
						
						$ curl -I https://www.site.co.il/static/images/1.png?a=b  | grep Location
Location: https://site.co.il?a=b 
but should be something like 
Location: https://site.co.il/static/images/1.png?a=b  
						
					 
					
						2015-06-18 01:48:15 +03:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							2af557139d 
							
						 
					 
					
						
						
							
							default IPv6 AAAA records were missing  
						
						
						
						
						This was broken by the ability to have multiple TXT records in 9f1d633ae4 
						
					 
					
						2015-06-17 06:47:22 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1990f32ca4 
							
						 
					 
					
						
						
							
							typo, fixes #435
						
						
						
					 
					
						2015-06-06 13:22:50 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							807939c0e4 
							
						 
					 
					
						
						
							
							make the +tag address tips clearer  
						
						
						
					 
					
						2015-06-06 13:02:23 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5008cc603e 
							
						 
					 
					
						
						
							
							merge - munin system monitoring  
						
						
						
					 
					
						2015-06-06 12:52:22 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							9857db96cd 
							
						 
					 
					
						
						
							
							add a link to the /admin/munin page from the control panel nav bar  
						
						
						
					 
					
						2015-06-06 12:52:16 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e9e6d94e3b 
							
						 
					 
					
						
						
							
							the control panel auth hmac message should also include the user's password so that resetting a password in the database forces that user to log in to the control panel again; also use a sha256 hmac  
						
						
						
					 
					
						2015-06-06 12:38:19 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							462a79cf47 
							
						 
					 
					
						
						
							
							fix what counts as a required alias, fixes #434
						
						
						
					 
					
						2015-06-06 12:12:10 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f792deeebd 
							
						 
					 
					
						
						
							
							when the undocumented custom web settings has a redirect or proxy at the root of a domain, use a minimal nginx config template (same as the new default www redirects)  
						
						
						
					 
					
						2015-06-04 12:32:00 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							95173bb327 
							
						 
					 
					
						
						
							
							provide redirects from www subdomains of zones to their parent domain  
						
						
						
						
						* Split the nginx templates again so we have just the part needed to make a domain do a redirect separate from the rest.
* Add server blocks to the nginx config for these domains.
* List these domains in the SSL certificate install admin panel.
* Generate default 'www' records just for domains we provide default redirects for.
Fixes #321.
						
					 
					
						2015-06-04 12:19:01 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1d09e2406b 
							
						 
					 
					
						
						
							
							refactor how the nginx config file is assembled  
						
						
						
						
						This doesn't change anything. Just preparation for the next commit. 
						
					 
					
						2015-06-04 12:19:01 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							c9add7a8bf 
							
						 
					 
					
						
						
							
							if a user sets a custom A record on PRIMARY_HOSTNAME, which is ignored anyway, don't let that cause PRIMARY_HOSTNAME to be dropped from nginx.conf
						
						
						
						
						Could be related to https://discourse.mailinabox.email/t/nginx-lost-admin-record-after-install-ssl-cert-problem/528 . 
						
					 
					
						2015-06-04 12:19:01 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							2b341d884f 
							
						 
					 
					
						
						
							
							merge #396 - allow the backup process to work after a hostname change
						
						
						
					 
					
						2015-05-30 13:55:08 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							141a09b31e 
							
						 
					 
					
						
						
							
							changelog, comments for duplicity --allow-source-mismatch  
						
						
						
					 
					
						2015-05-30 13:46:39 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							4fa58169f1 
							
						 
					 
					
						
						
							
							after installing an SSL certificate from the control panel the page wasn't being refreshed, broken in ec73c171c7
						
						
						
					 
					
						2015-05-28 18:45:53 +00:00 
						 
				 
			
				
					
						
							
							
								David Piggott 
							
						 
					 
					
						
						
						
						
							
						
						
							f78bbab289 
							
						 
					 
					
						
						
							
							Make SPF forbid any outbound mail from non-mail domains  
						
						
						
					 
					
						2015-05-28 18:11:44 +01:00 
						 
				 
			
				
					
						
							
							
								David Piggott 
							
						 
					 
					
						
						
						
						
							
						
						
							7b9b978a6d 
							
						 
					 
					
						
						
							
							Improve DMARC and SPF record descriptions  
						
						
						
					 
					
						2015-05-28 16:34:58 +01:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							202c4a948b 
							
						 
					 
					
						
						
							
							our users/aliases database is case sensitive - force new users/aliases to lowercase  
						
						
						
						
						Unfortunately our users/aliases database is case sensitive. (Perhaps I should have defined the columns with COLLATE NOCASE, see https://www.sqlite.org/datatype3.html .) Postfix always queries the tables in lowercase, so mail delivery would fail if a user or alias were defined with any capital letters. It would have also been possible to add multiple equivalent addresses into the database with different case.
This commit rejects new mail users that have capital letters and forces new aliases to lowercase. I prefer to reject rather than casefold user accounts so that the login credentials the user gave are exactly what goes into the database.
https://discourse.mailinabox.email/t/recipient-address-rejected-user-unknown-in-virtual-mailbox-table/512/4  
						
					 
					
						2015-05-28 13:11:30 +00:00 
						 
				 
			
				
					
						
							
							
								David Piggott 
							
						 
					 
					
						
						
						
						
							
						
						
							d6c5f09a1a 
							
						 
					 
					
						
						
							
							Use lowercase h for consistency in aliases template - it reads better (IMO!)  
						
						
						
						
						This also includes fixes for a typo and some whitespace inconsistencies in
mailconfig.py. In fact the capitalisation change and those fixes are the
remnants of a patch I had been running that changed the default aliases - it
was through developing it that I found the issues.
(I wanted to bring the number of patches I apply before deploying to zero and
in the case of this one I've come to view the way MIAB already is as superior,
so I've undone the core of my patch and these tiny issues are all that remain). 
						
					 
					
						2015-05-28 13:46:15 +01:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							a9ed9ae936 
							
						 
					 
					
						
						
							
							more work on munin  
						
						
						
						
						* install the munin-node package
* don't install munin-plugins-extra (if the user wants it they can add it)
* expose the munin www directory via the management daemon so that it can handle authorization, rather than maintaining a separate password file
						
					 
					
						2015-05-25 17:03:52 +00:00 
						 
				 
			
				
					
						
							
							
								StevesMonkey 
							
						 
					 
					
						
						
						
						
							
						
						
							05438d047d 
							
						 
					 
					
						
						
							
							Fixing minor misspelling of the word: encrypted  
						
						
						
					 
					
						2015-05-25 10:15:57 +09:30 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							4f98d470a0 
							
						 
					 
					
						
						
							
							'/dev/stdout' does not exist on some systems (!)  
						
						
						
						
						The OVH VPS provider creates systems without /dev/stdout. I have never seen that before. But fine. We were passing it as a command line option to `openssl req`, but outputting to stdout is the default so it's not necessary to specify /dev/stdout.
Fixes #277. Also https://discourse.mailinabox.email/t/500-internal-server-error/475/10 .
						
					 
					
						2015-05-16 13:34:47 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							57abae3999 
							
						 
					 
					
						
						
							
							if the main ssl cert is expiring soon, the end of setup would display the control panel instructions as if the cert were self-signed  
						
						
						
					 
					
						2015-05-14 19:16:31 +00:00 
						 
				 
			
				
					
						
							
							
								Xoib 
							
						 
					 
					
						
						
						
						
							
						
						
							202e49a897 
							
						 
					 
					
						
						
							
							allow the backup process to work after a hostname change  
						
						
						
					 
					
						2015-05-13 13:52:23 +02:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8886c9b6bc 
							
						 
					 
					
						
						
							
							move the server: block of nsd.conf out of the management daemon and into the setup scripts  
						
						
						
					 
					
						2015-05-04 11:24:40 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							fc32cf5bcc 
							
						 
					 
					
						
						
							
							permit the first user account to be a domain control validation address because a) it will necessarily be an admin and b) the user doesn't know the rules yet  
						
						
						
					 
					
						2015-05-03 14:21:36 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1e9c587b92 
							
						 
					 
					
						
						
							
							rewrite the DNS API to permit setting multiple records of the same type on the same domain  
						
						
						
						
						e.g. multiple TXT records
fixes #333
						
					 
					
						2015-05-03 13:43:38 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							9f1d633ae4 
							
						 
					 
					
						
						
							
							re-do the custom DNS get/set routines so it is possible to store more than one record for a qname-rtype pair, like multiple TXT records  
						
						
						
					 
					
						2015-05-03 13:43:38 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f01189631a 
							
						 
					 
					
						
						
							
							management api: make json responses nicely formatted  
						
						
						
						
						Better while debugging. 
						
					 
					
						2015-05-03 13:43:38 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							542877ee46 
							
						 
					 
					
						
						
							
							use the font-awesome .fa-spinner.fa-pulse classes for the AJAX loading indicator, rather than the static glyphicon-time icon  
						
						
						
					 
					
						2015-05-03 13:43:38 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f1760b516d 
							
						 
					 
					
						
						
							
							control panel: sometimes the ajax loading modal would show after operations were already done  
						
						
						
						
						Needed to add the clearQueue flag to jQuery's stop() method 
						
					 
					
						2015-05-03 13:43:38 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							febfa72d60 
							
						 
					 
					
						
						
							
							race condition between backups and status checks - connection refused  
						
						
						
						
						At the end of the backup, wait a bit for dovecot and postfix to finish restarting.
Hopefully fixes #381.
						
					 
					
						2015-04-29 21:06:38 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							c03e00035f 
							
						 
					 
					
						
						
							
							prevent archiving of the user's own account because they'll lose access to the control panel  
						
						
						
					 
					
						2015-04-28 07:17:21 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							2f8866ef32 
							
						 
					 
					
						
						
							
							if there are no users at all the warning on the control panel login screen was incorrect  
						
						
						
					 
					
						2015-04-28 07:17:21 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f98afac6df 
							
						 
					 
					
						
						
							
							if you make an API call with a user-specific API key (e.g. from control panel) but your account no longer exists on the system, there was an unhandled error  
						
						
						
						
						see 1039a08be6 
						
					 
					
						2015-04-28 07:17:21 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5efd5abbe4 
							
						 
					 
					
						
						
							
							move the email address syntax validation for users and aliases into my new email_validator library ( https://github.com/JoshData/python-email-validator )  
						
						
						
					 
					
						2015-04-21 14:43:12 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							35f4a49d10 
							
						 
					 
					
						
						
							
							my html5 stub was wrong; 8c3aed2846
						
						
						
					 
					
						2015-04-19 13:21:38 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							a31d713fcc 
							
						 
					 
					
						
						
							
							stricter validation of the domain parts of email addresses: only letters, numbers, and hyphens, and the TLD ends with a letter  
						
						
						
					 
					
						2015-04-19 13:06:11 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8c3aed2846 
							
						 
					 
					
						
						
							
							update the control panel html template to my latest html5 stub  
						
						
						
						
						jquery 1.11.1, bootstrap 3.3.0, better accessibility, see https://github.com/JoshData/html5-stub  
						
					 
					
						2015-04-11 15:40:19 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							36168b4609 
							
						 
					 
					
						
						
							
							add a 'backup --verify' command to run duplicity's verify command to check that the backup files are OK  
						
						
						
					 
					
						2015-04-11 18:43:46 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							bd498def76 
							
						 
					 
					
						
						
							
							backups now use duplicity's built-in gpg symmetric encryption  
						
						
						
						
						Merge branch 'dhpiggott-gpg-encrypt-backups' 
						
					 
					
						2015-04-11 18:33:57 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							d8279c48ac 
							
						 
					 
					
						
						
							
							new backup method tweaks  
						
						
						
						
						* use the AES256 cipher, be explicit that only the first line of secret_key.txt is used, and sanity check that the passphrase is long enough
* change ownership of the encrypted files to the user-data user
* simplify variable names in management/backup.py
* although I appreciate long comments I am trimming the commentary about the backup migration
* revise the control panel template to not refer to the old unencrypted files
* add CHANGELOG entry 
						
					 
					
						2015-04-11 18:32:22 +00:00 
						 
				 
			
				
					
						
							
							
								David Piggott 
							
						 
					 
					
						
						
						
						
							
						
						
							4232245546 
							
						 
					 
					
						
						
							
							Use built in duplicity encryption (GPG) for backups, closes #362, closes #363
						
						
						
						
						[Josh merged some subsequent commits:]
* Guard via idempotency against termination between migration operations
* Final corrections and tweaks
* Pass passphrase through to all duplicity calls
Empirical evidence (a failed cron job) shows that cleanup requires the
passphrase (so it presumably needs to decrypt metadata), and though
remove-older-than has been working fine without it, it won't do any harm
to set it in case that changes or there are any special cases.
* Add back the archive-dir override but locate it at STORAGE_ROOT/backup/cache 
						
					 
					
						2015-04-11 17:51:44 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							072aeca1be 
							
						 
					 
					
						
						
							
							prevent accidental domain control validation hijacking by limiting use of admin@ etc. addresses in users/aliases  
						
						
						
					 
					
						2015-04-09 14:46:02 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							cb656f9ef4 
							
						 
					 
					
						
						
							
							in status checks replace '=>' with a Unicode arrow and tweak how aliases are reported  
						
						
						
					 
					
						2015-04-09 14:46:02 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							322a5779f1 
							
						 
					 
					
						
						
							
							store IDNs (internationalized domain names) in IDNA (ASCII) in our database, not in Unicode  
						
						
						
						
						I changed my mind. In 1bf8f1991f
						
					 
					
						2015-04-09 14:46:02 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ec039719de 
							
						 
					 
					
						
						
							
							prevent caching of ajax responses in the control panel  
						
						
						
						
						GET requests might be cached. Definitely happens on Internet Explorer. Makes it look like the user is getting unauthorized access.
See https://discourse.mailinabox.email/t/fresh-install-can-login-to-webmail-but-not-admin/394/4 . 
						
					 
					
						2015-03-31 14:52:11 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							14b16b2f36 
							
						 
					 
					
						
						
							
							allow custom DNS TXT records for SPF, DKIM, and DMARC to override the ones we want to set  
						
						
						
						
						fixes #323
fixes #324
					
						2015-03-30 01:20:03 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							cbc7e280d6 
							
						 
					 
					
						
						
							
							set the SPF record after custom DNS records so that the SPF record doesn't prevent all custom TXT records from coming in  
						
						
						
					 
					
						2015-03-30 01:18:05 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							3d21f2223e 
							
						 
					 
					
						
						
							
							status checks: turn missing DNSSEC into a warning instead of an error; omit an error about missing TLSA if DNSSEC isn't in use; if DNSSEC is in use, make a missing TLSA record a warning instead of an error  
						
						
						
					 
					
						2015-03-28 11:24:05 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							710a69b812 
							
						 
					 
					
						
						
							
							turn some nameserver status check errors into warnings if the domain resolves correctly since the user might be using External DNS,  closes   #330  
						
						
						
					 
					
						2015-03-28 11:23:59 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							298e19598b 
							
						 
					 
					
						
						
							
							small bug in the new system status checks show-changes command  
						
						... 
						
						
						
						see 4d22fb9b2a
fixes  #360  
						
					 
					
						2015-03-22 14:03:12 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							680191d7cb 
							
						 
					 
					
						
						
							
							drop the list of aliases from the users control panel page because with more than 50 aliases it seems to be so slow it times out  
						
						... 
						
						
						
						see https://discourse.mailinabox.email/t/small-bug-in-admin-panel-when-49-aliases/378  
						
					 
					
						2015-03-22 13:59:05 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6df72bf4ac 
							
						 
					 
					
						
						
							
							create the Trash folder on new user creation ( fixes   #359 )  
						
						
						
					 
					
						2015-03-22 13:33:17 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							01f2451349 
							
						 
					 
					
						
						
							
							provide a better error message when creating a user account with non-ASCII characters  
						
						
						
					 
					
						2015-03-22 12:33:06 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							4d22fb9b2a 
							
						 
					 
					
						
						
							
							run status checks each night and email the administrator with the changes from the previous day's results  
						
						
						
					 
					
						2015-03-21 16:02:42 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							c18d58b13f 
							
						 
					 
					
						
						
							
							backups: predict when the next backup will occur  
						
						
						
					 
					
						2015-03-21 15:22:45 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							7c0ca42145 
							
						 
					 
					
						
						
							
							status checks: don't check that dovecot-sieve is publicly accessible  
						
						
						
					 
					
						2015-03-08 18:35:33 +00:00 
						 
				 
			
				
					
						
							
							
								Ben Schumacher 
							
						 
					 
					
						
						
						
						
							
						
						
							6558f05d1d 
							
						 
					 
					
						
						
							
							Give the DNS update tool the ability to customize MX records. Useful if you want a subdomain to send mail to another host.  
						
						
						
					 
					
						2015-03-04 13:32:35 -05:00 
						 
				 
			
				
					
						
							
							
								Jack Twilley 
							
						 
					 
					
						
						
						
						
							
						
						
							b2fcd4c9e5 
							
						 
					 
					
						
						
							
							Now supports domains with multiple MX records.  
						
						... 
						
						
						
						The status check on MX records now correctly handles domains with
multiple MX records. 
						
					 
					
						2015-02-22 17:05:09 -08:00 
						 
				 
			
				
					
						
							
							
								Jack Twilley 
							
						 
					 
					
						
						
						
						
							
						
						
							ead6f96513 
							
						 
					 
					
						
						
							
							Changed MX check to respect priorities other than 10.  
						
						... 
						
						
						
						Reordered the if a little, added some string parsing, and modified the
OK text to include a warning. 
						
					 
					
						2015-02-20 11:29:28 -08:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							7ec662c83f 
							
						 
					 
					
						
						
							
							status checks: use a worker pool that lives across flask requests, see  #327  
						
						
						
					 
					
						2015-02-18 16:42:33 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							348d2b8701 
							
						 
					 
					
						
						
							
							Merge pull request  #326  from dhpiggott/custom-dns-filter-secondary-nameserver  
						
						... 
						
						
						
						Do not show '_secondary_nameserver' in Custom DNS table 
						
					 
					
						2015-02-17 08:31:34 -05:00 
						 
				 
			
				
					
						
							
							
								David Piggott 
							
						 
					 
					
						
						
						
						
							
						
						
							12f0dcb23b 
							
						 
					 
					
						
						
							
							Do not show '_secondary_nameserver' in Custom DNS table  
						
						... 
						
						
						
						It's redundant and potentially confusing, as any secondary NS shows in "Using a
Secondary Nameserver". 
						
					 
					
						2015-02-17 13:28:48 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							449a538e6b 
							
						 
					 
					
						
						
							
							if a CNAME is set for a domain, don't create a website for that domain (just like A/AAAA records)  
						
						
						
					 
					
						2015-02-17 00:48:26 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							3c50c9a18b 
							
						 
					 
					
						
						
							
							when serving a 'www.' domain, check if the parent domain's ssl certificate can be used besides checking PRIMARY_HOSTNAME  
						
						... 
						
						
						
						Removing buy_certificate.py which is not working and I don't want to update its call signatures. 
						
					 
					
						2015-02-17 00:42:25 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							3c10ec70a5 
							
						 
					 
					
						
						
							
							update comment  
						
						
						
					 
					
						2015-02-17 00:08:04 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							fba4d4702e 
							
						 
					 
					
						
						
							
							install opendmarc to add Authentication-Results headers for DMARC too  
						
						
						
					 
					
						2015-02-16 23:17:44 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							143bbf37f4 
							
						 
					 
					
						
						
							
							all mail domains, not just (top-level) zones, must have an entry in the opendkim key tables so that such outgoing mail gets signed  
						
						... 
						
						
						
						If you had both x.y.com and y.com configured here, x.y.com mail would not get DKIM-signed. 
						
					 
					
						2015-02-16 18:13:51 -05:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							fd3ad267ba 
							
						 
					 
					
						
						
							
							if a domain has a catch-all or domain alias then we no longer force the creation of postmaster@ and so we should not be checking for its existence in the status checks  
						
						... 
						
						
						
						see 85a40da83c 
						
					 
					
						2015-02-15 19:07:10 -05:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							330583f71d 
							
						 
					 
					
						
						
							
							status checks: if a service isn't available publicly, check if it is available on the loopback interface to distinguish not running from not accessible  
						
						
						
					 
					
						2015-02-13 09:30:25 -05:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e096144713 
							
						 
					 
					
						
						
							
							Outlook 2007 or later on Windows 7 and later  
						
						... 
						
						
						
						fixes  #308  
					
						2015-02-13 13:29:01 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							150611123a 
							
						 
					 
					
						
						
							
							typo/text tweak  
						
						
						
					 
					
						2015-02-05 09:17:48 -05:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							abfc17ee62 
							
						 
					 
					
						
						
							
							web admin: simplify the instructions for creating a separate web directory for particular sites by moving it into a modal  
						
						
						
					 
					
						2015-02-05 09:12:55 -05:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							97be9c94b9 
							
						 
					 
					
						
						
							
							if the user has set a http proxy or redirect on the root path of a domain, using custom.yaml, skip the domain from the static hosting panel because it won't be serving any static files  
						
						
						
					 
					
						2015-02-05 08:55:57 -05:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							21b00e8fbb 
							
						 
					 
					
						
						
							
							if a custom A record is set, don't put in a default AAAA record pointing to the box because it will probably be wrong --- the user should either set an AAAA record or let the domain not resolve on IPv6  
						
						
						
					 
					
						2015-02-03 21:51:19 -05:00 
						 
				 
			
				
					
						
							
							
								Ian Beringer 
							
						 
					 
					
						
						
						
						
							
						
						
							20d20df829 
							
						 
					 
					
						
						
							
							allow for non-standard ssh port in status check  
						
						... 
						
						
						
						closes  #313  
					
						2015-02-01 23:06:56 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							7e05d7478f 
							
						 
					 
					
						
						
							
							run status checks asynchronously so that they finish faster, since many checks are waiting on network replies and ought not to block the whole thing  
						
						
						
					 
					
						2015-01-31 20:42:43 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8fd98d7db3 
							
						 
					 
					
						
						
							
							status checks: s/env['out']/output/  
						
						
						
					 
					
						2015-01-31 20:42:43 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1039a08be6 
							
						 
					 
					
						
						
							
							/admin login now issues a user-specific key for future calls (rather than providing the system-wide API key or passing the password on each request)  
						
						
						
					 
					
						2015-01-31 20:42:43 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							023b38df50 
							
						 
					 
					
						
						
							
							split management daemon authorization from authentication and use 'doveadm pw' rather than 'doveadm auth test' so that it is decoupled from dovecot's login mechanism  
						
						... 
						
						
						
						This was done to pave the way for two-factor authentication, but that's still a ways off. 
						
					 
					
						2015-01-31 20:41:41 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							3187053b3a 
							
						 
					 
					
						
						
							
							don't save the CSR generated to make self-signed certificates for non-primary domains (it has no value and might be confusing)  
						
						
						
					 
					
						2015-01-31 13:27:06 +00:00 
						 
				 
			
				
					
						
							
							
								David Piggott 
							
						 
					 
					
						
						
						
						
							
						
						
							63f2abd923 
							
						 
					 
					
						
						
							
							Fix typos in backup status template  
						
						
						
					 
					
						2015-01-29 09:25:12 +00:00 
						 
				 
			
				
					
						
							
							
								Kurt Huwig 
							
						 
					 
					
						
						
						
						
							
						
						
							d3059c810f 
							
						 
					 
					
						
						
							
							Fix typo in mail-guide.html  
						
						... 
						
						
						
						Sercurity -> Security 
						
					 
					
						2015-01-21 08:23:26 +01:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							85a40da83c 
							
						 
					 
					
						
						
							
							catch-all aliases and domain aliases should not require postmaster@ and admin@ aliases because they'll forward anyway  
						
						
						
					 
					
						2015-01-19 23:32:36 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1bf8f1991f 
							
						 
					 
					
						
						
							
							internationalized domain names (DNS, web, CSRs, normalize to Unicode in database, prohibit non-ASCII characters in user account names)  
						
						... 
						
						
						
						* For non-ASCII domain names, we will keep the Unicode encoding in our users/aliases table. This is nice for the user and also simplifies things like sorting domain names (using Unicode lexicographic order is good, using ASCII lexicographic order on IDNA is confusing).
* Write nsd config, nsd zone files, nginx config, and SSL CSRs with domains in IDNA-encoded ASCII.
* When checking SSL certificates, treat the CN and SANs as IDNA.
* Since Chrome has an interesting feature of converting Unicode to IDNA in <input type="email"> form fields, we'll also forcibly convert IDNA to Unicode in the domain part of email addresses before saving email addresses in the users/aliases tables so that the table is normalized to Unicode.
* Don't allow non-ASCII characters in user account email addresses. Dovecot gets confused when querying the Sqlite database (which we observed even for non-word ASCII characters too, so it may not be related to the character encoding). 
						
					 
					
						2015-01-19 23:31:55 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							d155aa8745 
							
						 
					 
					
						
						
							
							if all system services are running, say so in the status checks rather than being totally silent  
						
						
						
					 
					
						2015-01-19 22:04:25 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							24cc108147 
							
						 
					 
					
						
						
							
							if a custom CNAME record is set, don't add a default A/AAAA record, e.g. for 'www'  
						
						... 
						
						
						
						see https://discourse.mailinabox.email/t/multiple-domains-in-mail-in-a-box-with-the-domains-being-hosted-elsewhere/56/18  
						
					 
					
						2015-01-19 22:04:21 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							09713e8eab 
							
						 
					 
					
						
						
							
							status checks: check that system services are running  
						
						... 
						
						
						
						If bind9 isn't running, don't proceed with other checks because we can't do DNS checks. Even though we skip, add error handling so that a failed call to rndc doesn't crash and that a timeout in a DNS check doesn't crash the status checks. 
						
					 
					
						2015-01-11 14:13:35 +00:00 
						 
				 
			
				
					
						
							
							
								Francisco de Juan 
							
						 
					 
					
						
						
						
						
							
						
						
							6499c82d7f 
							
						 
					 
					
						
						
							
							explain how to add SRV records to DNS zonefile using the API  
						
						
						
					 
					
						2015-01-04 10:23:34 +01:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							fddab5d432 
							
						 
					 
					
						
						
							
							allow the dns api to set srv records  
						
						... 
						
						
						
						see https://discourse.mailinabox.email/t/create-srv-record-at-the-dns-server/225  
						
					 
					
						2015-01-02 23:39:09 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f141af4b61 
							
						 
					 
					
						
						
							
							status checks: don't die if openssh-server isn't installed  
						
						... 
						
						
						
						see https://discourse.mailinabox.email/t/local-dns-is-not-working-was-unable-to-check-system-status/165/39  
						
					 
					
						2015-01-02 22:59:29 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							3d8ea0e6ed 
							
						 
					 
					
						
						
							
							mail log scanner: don't assume lines are utf8  
						
						
						
					 
					
						2015-01-02 22:49:25 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							399f9d9bdf 
							
						 
					 
					
						
						
							
							in status checks, clear bind9 cache using rndc rather than restarting bind9  
						
						
						
					 
					
						2014-12-26 13:22:14 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							2b76fd299e 
							
						 
					 
					
						
						
							
							admin: ensure multiple concurrent api calls don't confuse the ajax loading indicator (track number of open requests, stop fade animation when it is time to hide)  
						
						
						
					 
					
						2014-12-21 22:47:11 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							90592bb157 
							
						 
					 
					
						
						
							
							add a control panel for setting custom dns records so that we don't have to use the api manually  
						
						
						
					 
					
						2014-12-21 11:31:24 -05:00 
						 
				 
			
				
					
						
							
							
								Marc Schiller 
							
						 
					 
					
						
						
						
						
							
						
						
							c3a7e3413b 
							
						 
					 
					
						
						
							
							Fixed a small status check bug, where secondary dns server check fails misleadingly.  
						
						
						
					 
					
						2014-12-09 12:40:32 +01:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							d390bfb215 
							
						 
					 
					
						
						
							
							indicate in the admin when a multi-domain or wildcard certificate is in use  
						
						
						
					 
					
						2014-12-05 14:43:52 -05:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ceba53f1c4 
							
						 
					 
					
						
						
							
							explain how to install a multi-domain or wildcard ssl cert; if one is installed, the Replace Cert button in the admin for non-primary domains should not replace the cert on the primary domain  
						
						
						
					 
					
						2014-12-05 14:25:14 -05:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							be59bcd47d 
							
						 
					 
					
						
						
							
							for .fund domains use RSASHA256 DNSSEC keys  
						
						
						
					 
					
						2014-12-05 12:03:21 -05:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							cfe0fa912a 
							
						 
					 
					
						
						
							
							add a 'redirects' feature in web/custom.yaml  
						
						
						
					 
					
						2014-12-05 12:03:21 -05:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							82cf5b72e4 
							
						 
					 
					
						
						
							
							simplify some output in the work-in-progress mail log scanner  
						
						
						
					 
					
						2014-11-30 14:41:30 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							a7710e9058 
							
						 
					 
					
						
						
							
							dns.resolver.query treats hostnames as relative names if they don't end in a period  
						
						... 
						
						
						
						Relative hostnames have a fall-back lookup with the machine's hostname appended, which makes no sense. Add a period, e.g. "my.hostname.com" => "my.hostname.com.", to prevent that.
This caused false positive Spamhaus checks. Fixes  #185 . 
						
					 
					
						2014-11-21 15:16:59 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							057c1dd913 
							
						 
					 
					
						
						
							
							recommend IMAP/SMTP for everyone  
						
						
						
					 
					
						2014-11-18 16:47:42 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							06f2477cfd 
							
						 
					 
					
						
						
							
							the new iOS configuration profile also is used on OS X 10.10.1, see  #261  
						
						
						
					 
					
						2014-11-18 16:32:37 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							cdaa2c847d 
							
						 
					 
					
						
						
							
							[merge] iOS Mobile Configuration Profile  
						
						
						
					 
					
						2014-11-14 13:56:18 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							7e7abf3b53 
							
						 
					 
					
						
						
							
							support "domain aliases" (@domain => @domain aliases)  
						
						... 
						
						
						
						This seemed to already be technically supported but the validation is now stricter and the admin is more helpful:
* Postfix seems to allow @domain.tld as an alias destination address but only if it is the only destination address (see the virtual man page).
 * Allow @domain.tld if it is the whole destination address string.
 * Otherwise, do not allow email addresses without local parts in the destination.
* In the admin, add a third tab for making it clear how to add a domain alias.
closes  #265  
						
					 
					
						2014-11-14 13:35:58 +00:00 
						 
				 
			
				
					
						
							
							
								Norman 
							
						 
					 
					
						
						
						
						
							
						
						
							c872e6a9f0 
							
						 
					 
					
						
						
							
							iOS Configuration Profile  
						
						... 
						
						
						
						change name
removed .vagrant
fix guide layout 
						
					 
					
						2014-11-05 18:42:04 +01:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ec73c171c7 
							
						 
					 
					
						
						
							
							when installing a ssl cert for the primary hostname, dns, postfix, and dovecot all need to be updated/kicked  
						
						... 
						
						
						
						see https://discourse.mailinabox.email/t/there-is-a-problem-with-the-ssl-certificate/144/4  
						
					 
					
						2014-10-28 11:38:04 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f9acf0adec 
							
						 
					 
					
						
						
							
							better errors for ssl certificates  
						
						
						
					 
					
						2014-10-24 21:30:33 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8b65c11cdf 
							
						 
					 
					
						
						
							
							the namecheap link was bad  
						
						
						
					 
					
						2014-10-23 17:17:26 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							34fca29dd3 
							
						 
					 
					
						
						
							
							fix the animated scroll target on the ssl panel to scroll so that the header is actually visible and not covered by the nav bar  
						
						
						
					 
					
						2014-10-23 17:10:21 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b75fbf22ca 
							
						 
					 
					
						
						
							
							clear the local dns cache each time the status checks are run by restarting bind9  
						
						
						
					 
					
						2014-10-23 17:06:33 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							d790cae0e2 
							
						 
					 
					
						
						
							
							DNSSEC: use RSASHA256 for the .guide tld too  
						
						
						
					 
					
						2014-10-23 17:03:23 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f35b2081a1 
							
						 
					 
					
						
						
							
							s/os.rename/shutil.move/ so that the file can be moved across filesystem boundaries, fixes  #246  
						
						
						
					 
					
						2014-10-21 11:45:14 +00:00 
						 
				 
			
				
					
						
							
							
								David Piggott 
							
						 
					 
					
						
						
						
						
							
						
						
							f0508d8cc9 
							
						 
					 
					
						
						
							
							Improve wrapping of external DNS value column to prevent layout overflow  
						
						... 
						
						
						
						see #244 
Conflicts:
	management/templates/external-dns.html 
						
					 
					
						2014-10-21 11:33:42 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							47dd59c2a7 
							
						 
					 
					
						
						
							
							admin mail guide: use bootstrap .panel to style the tips  
						
						... 
						
						
						
						also give more space for the login settings and less space to the tips 
						
					 
					
						2014-10-21 11:17:49 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							c2fe1bc2e3 
							
						 
					 
					
						
						
							
							document +tag addresses in the mail guide  
						
						
						
					 
					
						2014-10-21 11:17:49 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							cce1184090 
							
						 
					 
					
						
						
							
							admin: change the css class name around the panels to not invoke the bootstrap 'panel' css  
						
						
						
					 
					
						2014-10-21 11:17:49 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1adb1d8307 
							
						 
					 
					
						
						
							
							admin: there is no need to make each panel a separate bootstrap container  
						
						... 
						
						
						
						* also fixes the footer alignment to be within a container rather than a container-fluid
* this changed the width of the login form slightly, so am cleaning that up too
see #244  
						
					 
					
						2014-10-21 11:17:28 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							c2174e10a6 
							
						 
					 
					
						
						
							
							some admin pages had a container within a container  
						
						... 
						
						
						
						see #244  
						
					 
					
						2014-10-21 11:17:15 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							86a5394f07 
							
						 
					 
					
						
						
							
							fix control panel when no backup has been made yet  
						
						
						
					 
					
						2014-10-15 12:31:08 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b5b3fca137 
							
						 
					 
					
						
						
							
							report free disk space in the admin  
						
						
						
					 
					
						2014-10-13 14:12:16 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							048e35a80f 
							
						 
					 
					
						
						
							
							fix display of backups that are past due to be reaped  
						
						
						
					 
					
						2014-10-13 14:12:16 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							fb3045f456 
							
						 
					 
					
						
						
							
							retain backups only for 3 days; beyond that the user is responsible for copying files off of the machine  
						
						
						
					 
					
						2014-10-13 14:12:11 +00:00 
						 
				 
			
				
					
						
							
							
								h8h 
							
						 
					 
					
						
						
						
						
							
						
						
							57f8ee0b09 
							
						 
					 
					
						
						
							
							Smoothly scroll to alias edit form.  
						
						
						
					 
					
						2014-10-11 21:52:00 +02:00 
						 
				 
			
				
					
						
							
							
								h8h 
							
						 
					 
					
						
						
						
						
							
						
						
							64220292f1 
							
						 
					 
					
						
						
							
							Jump to the panel_aliases anchor (top) to directly edit the selected alias  
						
						
						
					 
					
						2014-10-11 19:56:36 +02:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							82851d6d2d 
							
						 
					 
					
						
						
							
							suppress "Something went wrong, sorry." when the management daemon's api key has changed  
						
						
						
					 
					
						2014-10-11 17:06:22 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							2f952a7915 
							
						 
					 
					
						
						
							
							delay an ajax call to see if this fixes the problem of the loading indicator not going away after showing the user a panel after login  
						
						
						
					 
					
						2014-10-11 17:06:22 +00:00 
						 
				 
			
				
					
						
							
							
								David Piggott 
							
						 
					 
					
						
						
						
						
							
						
						
							ca57560f11 
							
						 
					 
					
						
						
							
							Pass additional_records to recursive build_zone calls,  closes   #229  
						
						... 
						
						
						
						The problem was that custom records defined for a subdomain where implicit
records are otherwise defined (e.g. A/AAAA records for the root) were ignored.
Though additional_records for a subdomain are processed in the base call to
build_zone (the call for the parent domain), and so custom records that don't
override implicits were working fine, those that overrode implicits were
ignored.
This was because the recursive call to build_zone for the subdomain creates the
implicit records (including A/AAAA records for the root), and so by relying on
the base call to add the additional_records fails because has_rec returned
true.
Adding a subdomain's additional_records in the child call works because has_rec
returns false when testing whether to add an e.g. A/AAAA override for the root,
as the defaults have not yet been added. 
						
					 
					
						2014-10-11 17:04:35 +01:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							17331e7d82 
							
						 
					 
					
						
						
							
							adding a really slick ssl certificate installation form in the control panel  
						
						
						
					 
					
						2014-10-10 15:49:14 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5130b279d8 
							
						 
					 
					
						
						
							
							management/mail_log.py also include the previously rotated log file  
						
						
						
					 
					
						2014-10-10 13:59:50 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							aac6e49b94 
							
						 
					 
					
						
						
							
							spelling typo  
						
						
						
					 
					
						2014-10-10 13:50:44 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ac49912b39 
							
						 
					 
					
						
						
							
							recommend DAVdroid  
						
						... 
						
						
						
						see http://discourse.mailinabox.email/t/recommend-a-different-android-carddav-and-caldav-android/102/1  
						
					 
					
						2014-10-07 20:53:37 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							0441a2e2e3 
							
						 
					 
					
						
						
							
							make a self-signed certificate on a non-primary domain a warning rather than an error,  fixes   #95  
						
						
						
					 
					
						2014-10-07 20:41:07 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							06a8ce1c9d 
							
						 
					 
					
						
						
							
							in the admin, show user mailbox sizes,  fixes   #210  
						
						
						
					 
					
						2014-10-07 20:24:11 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							443b084a17 
							
						 
					 
					
						
						
							
							in the admin, group aliases by domain,  fixes   #211  
						
						
						
					 
					
						2014-10-07 19:47:46 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							990649af2d 
							
						 
					 
					
						
						
							
							in the admin, group users by domain, fixes 209  
						
						
						
					 
					
						2014-10-07 19:47:43 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6f4d29a410 
							
						 
					 
					
						
						
							
							tweak the new web instructions  
						
						
						
					 
					
						2014-10-07 16:17:45 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6ab29c3244 
							
						 
					 
					
						
						
							
							add instructions for static web hosting into the control panel  
						
						
						
					 
					
						2014-10-07 16:05:42 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							bf9b770255 
							
						 
					 
					
						
						
							
							sort SSHFP records so that DNS updates don't trigger spurious zone changes  
						
						
						
					 
					
						2014-10-07 15:15:22 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							9210ebdb9f 
							
						 
					 
					
						
						
							
							control panel tweaks  
						
						
						
					 
					
						2014-10-07 15:12:35 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							a56bb984d6 
							
						 
					 
					
						
						
							
							handle catastrophically bad certificates rather than raising an exception  
						
						
						
					 
					
						2014-10-07 14:58:21 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							7d1c0b3834 
							
						 
					 
					
						
						
							
							show SSL certificate expiration info in the control panel even long before certificates expire  
						
						
						
					 
					
						2014-10-07 14:49:36 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							20892b5d5b 
							
						 
					 
					
						
						
							
							status check on ns records should now take into account that secondary dns may be customized, see  #223  
						
						
						
					 
					
						2014-10-05 18:42:52 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							4cf53cd8ee 
							
						 
					 
					
						
						
							
							backup status relativedelta was displaying wrong for deltas greater than 1 month  
						
						
						
					 
					
						2014-10-05 18:23:29 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f42a1c5a74 
							
						 
					 
					
						
						
							
							allow overriding the second nameserver with a secondary/slave server  
						
						... 
						
						
						
						fixes  #151 
fixes  #223  
					
						2014-10-05 14:53:42 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							092c842a87 
							
						 
					 
					
						
						
							
							split external/custom dns into separate pages in the admin  
						
						
						
					 
					
						2014-10-05 13:38:23 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							d9ecc50119 
							
						 
					 
					
						
						
							
							since the management server binds to 127.0.0.1, must use that and not 'localhost' to connect to it because 'localhost' resolves to the IPv6 ::1 when it is available, see  #224  
						
						
						
					 
					
						2014-10-05 09:01:26 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							4ae76aa2dd 
							
						 
					 
					
						
						
							
							dnssec: use RSASHA256 keys for .email domains  
						
						
						
					 
					
						2014-10-04 17:29:42 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							779d921410 
							
						 
					 
					
						
						
							
							status checks: put DNSSEC tests in a better order w.r.t. other tests  
						
						... 
						
						
						
						* If the PRIMARY_HOSTNAME is in a zone with a DS record set at the registrar, show any DNSSEC failure (but only a failure) immediately since it is probably the cause of other DNS errors displayed later.
* For zones, if a DS record is set at the registrar, do the DNSSEC test first because even the NS test will fail if DNSSEC is improperly configured.
* But if a DS record is not set, then this is just a suggestion to configure DNSSEC so offer the suggestion last --- after mail and web checks.
see https://discourse.mailinabox.email/t/dns-nameserver-gandi-glue-records-issues/105/3  
						
					 
					
						2014-10-01 12:13:11 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5c7ba2a4c7 
							
						 
					 
					
						
						
							
							preliminary work on a mail.log scanner to report things in the control panel  
						
						
						
					 
					
						2014-09-27 13:33:13 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e9cc3fdaab 
							
						 
					 
					
						
						
							
							make mail instructions clearer and describe greylisting, DMARC policy  
						
						
						
					 
					
						2014-09-27 13:32:22 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8bd37ea53c 
							
						 
					 
					
						
						
							
							add catch-alls to the admin again with nicer instructions  
						
						
						
					 
					
						2014-09-27 13:32:22 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ab47144ae3 
							
						 
					 
					
						
						
							
							add strict SPF and DMARC records to any subdomains (including custom records) that do not have SPF/DMARC set  
						
						... 
						
						
						
						closes  #208  
					
						2014-09-26 14:01:03 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							9b6f9859d1 
							
						 
					 
					
						
						
							
							dns_update: assume DKIM is present  
						
						
						
					 
					
						2014-09-26 14:01:03 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5a89f3c633 
							
						 
					 
					
						
						
							
							don't allow catch-all addresses in the admin because they take precedence over mail users and that's counter-intuitive  
						
						... 
						
						
						
						For now use the command-line tools/mail.py if you need it.
see #200 
Revert "Changed incomming-email-input to type text"
This reverts commit 9631fab7b2 
						
					 
					
						2014-09-24 12:36:47 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							c2ddabe683 
							
						 
					 
					
						
						
							
							fix ajax loading indicator positioning  
						
						
						
					 
					
						2014-09-21 17:41:46 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							846768efcb 
							
						 
					 
					
						
						
							
							admin: update user's password from the admin  
						
						
						
					 
					
						2014-09-21 17:24:01 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8dfbb90f3a 
							
						 
					 
					
						
						
							
							admin: simplify the users table a bit  
						
						
						
					 
					
						2014-09-21 17:10:23 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							c7c3bd33cf 
							
						 
					 
					
						
						
							
							DNS API should reject qnames that aren't in a zone managed by the box  
						
						... 
						
						
						
						see https://discourse.mailinabox.email/t/set-www-a-and-other-dns-records-after-install/63/10  
						
					 
					
						2014-09-21 13:37:30 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1637153566 
							
						 
					 
					
						
						
							
							make the DNS API a little clearer  
						
						
						
					 
					
						2014-09-21 13:37:30 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							05510f25a5 
							
						 
					 
					
						
						
							
							warn if a SSL cert is expiring in 30 days  
						
						
						
					 
					
						2014-09-21 13:37:30 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b8ea7282b0 
							
						 
					 
					
						
						
							
							don't run apt-get update when generating the status checks output because it is so slow and should be updated daily by cron anyway  
						
						
						
					 
					
						2014-09-21 13:37:30 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ff0c85615b 
							
						 
					 
					
						
						
							
							correct typo in comment  
						
						
						
					 
					
						2014-09-15 10:02:25 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							16e2350fef 
							
						 
					 
					
						
						
							
							revise the description of A records on domains: the A record must be present for good deliverability so that the envelope domain resolves, but it doesn't have to resolve to this machine  
						
						
						
					 
					
						2014-09-15 06:00:50 -04:00 
						 
				 
			
				
					
						
							
							
								Christian 
							
						 
					 
					
						
						
						
						
							
						
						
							9631fab7b2 
							
						 
					 
					
						
						
							
							Changed incomming-email-input to type text  
						
						... 
						
						
						
						The input type="email" validation won't allow "@example.com", which is needed for catch-all-aliases. 
						
					 
					
						2014-09-12 18:08:33 +02:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							196e42e8b5 
							
						 
					 
					
						
						
							
							don't automatically create an alias if a user account already exists by that name  
						
						... 
						
						
						
						In the event the first user is an address that we'd normally create as an alias,
we'd generate a loop from the alias to the administrative alias to the first user
account (which was the alias again).
hopefully fixes  #186  
						
					 
					
						2014-09-09 11:41:47 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f09da719f7 
							
						 
					 
					
						
						
							
							show the response from spamhaus.org in the status checks output  
						
						
						
					 
					
						2014-09-08 20:27:26 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e9e95cbed5 
							
						 
					 
					
						
						
							
							tweak backup explanatory text  
						
						
						
					 
					
						2014-09-08 20:12:31 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							98fc449b49 
							
						 
					 
					
						
						
							
							only hold onto backups for 14 days (not 31) and show when the backups will be deleted in the control panel  
						
						
						
					 
					
						2014-09-08 20:09:18 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							bab8b515ea 
							
						 
					 
					
						
						
							
							new logic for determining when to take a full backup  
						
						
						
					 
					
						2014-09-08 19:42:54 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							cce6bc02a8 
							
						 
					 
					
						
						
							
							add links to IANA tables for DNSSEC algorithm/digest number assignments  
						
						
						
					 
					
						2014-09-07 10:59:20 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							110e0f90d9 
							
						 
					 
					
						
						
							
							dns: move the quoting of TXT records to when we write the zone file so that we can display it unquoted in the External DNS instructions  
						
						
						
					 
					
						2014-09-07 11:42:20 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b5122770cc 
							
						 
					 
					
						
						
							
							tweak admin template for external DNS  
						
						
						
					 
					
						2014-09-07 07:22:39 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							03f9358de4 
							
						 
					 
					
						
						
							
							when checking SSL certs are OK, check for wildcard certificates  
						
						... 
						
						
						
						fixes  #175  (hopefully) 
					
						2014-09-03 17:31:47 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f77f1e656c 
							
						 
					 
					
						
						
							
							split CardDAV instructions into a new page and add CalDAV instructions; create nice redirects at /cloud/calendar and /cloud/contacts  
						
						
						
					 
					
						2014-09-03 10:51:19 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b420e560c3 
							
						 
					 
					
						
						
							
							don't show 'make admin' on archived mailbox accounts and other control panel cleanup  
						
						
						
					 
					
						2014-09-03 10:17:46 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							7a449c76a1 
							
						 
					 
					
						
						
							
							set the DNS TTL to 30 minutes rather than 1 day  
						
						... 
						
						
						
						Also updating the values for secondary DNS, but we're not set up
for secondary DNS so it won't matter.
see #172  
						
					 
					
						2014-09-01 23:06:55 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							3853e8dd93 
							
						 
					 
					
						
						
							
							show the status of backups in the control panel  
						
						
						
					 
					
						2014-09-01 13:06:53 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							10a37cd033 
							
						 
					 
					
						
						
							
							add SSHFP records to DNS  
						
						
						
					 
					
						2014-08-27 12:59:40 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							684d9b3c70 
							
						 
					 
					
						
						
							
							prettify the custom DNS docs  
						
						
						
					 
					
						2014-08-27 12:57:47 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							699923d605 
							
						 
					 
					
						
						
							
							Merge pull request  #166  from benschumacher/master  
						
						... 
						
						
						
						Fix typo in dns_update.py. 
						
					 
					
						2014-08-26 16:13:11 -04:00 
						 
				 
			
				
					
						
							
							
								Ben Schumacher 
							
						 
					 
					
						
						
						
						
							
						
						
							d5efb05f31 
							
						 
					 
					
						
						
							
							Fix typo in dns_update.py.  
						
						
						
					 
					
						2014-08-26 15:58:34 -04:00 
						 
				 
			
				
					
						
							
							
								Sebastian Kosch 
							
						 
					 
					
						
						
						
						
							
						
						
							2afd0be591 
							
						 
					 
					
						
						
							
							Replace spaces by tabs in 106-109  
						
						
						
					 
					
						2014-08-26 12:16:20 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							92c7815d2c 
							
						 
					 
					
						
						
							
							Merge pull request  #156  from skosch/patch-1  
						
						... 
						
						
						
						Allow users to insert custom nginx configuration directives through new optional files. 
						
					 
					
						2014-08-26 10:24:22 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							06a4046d13 
							
						 
					 
					
						
						
							
							fix link to /cloud in the admin,  fixes   #160  
						
						
						
					 
					
						2014-08-26 11:51:47 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							9b8d85de45 
							
						 
					 
					
						
						
							
							if there are no admins when trying to access the control panel, tell the user how to make an admin from SSH  
						
						
						
					 
					
						2014-08-26 11:31:45 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b76cbae5a0 
							
						 
					 
					
						
						
							
							document the DNS API in the control panel  
						
						... 
						
						
						
						see #140 , #155 , df20d447a9 
						
					 
					
						2014-08-25 23:52:41 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ed8ce16fb5 
							
						 
					 
					
						
						
							
							show custom DNS records in the control panel too,  fixes   #155  
						
						
						
					 
					
						2014-08-25 23:35:44 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							a32806da32 
							
						 
					 
					
						
						
							
							create STORAGE_ROOT/backup/duplicity if it doesn't exist  
						
						... 
						
						
						
						fixes  #158  
					
						2014-08-25 23:29:00 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							18f0406541 
							
						 
					 
					
						
						
							
							update comments in backup.py  
						
						
						
					 
					
						2014-08-25 23:28:43 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							bc9d670981 
							
						 
					 
					
						
						
							
							prettify mail guide  
						
						
						
					 
					
						2014-08-25 23:24:41 +00:00 
						 
				 
			
				
					
						
							
							
								Sebastian Kosch 
							
						 
					 
					
						
						
						
						
							
						
						
							00b5c6ee9c 
							
						 
					 
					
						
						
							
							test_domain -> domain  
						
						
						
					 
					
						2014-08-25 16:02:13 -04:00 
						 
				 
			
				
					
						
							
							
								Sebastian Kosch 
							
						 
					 
					
						
						
						
						
							
						
						
							76ff9735cc 
							
						 
					 
					
						
						
							
							Move custom server blocks to STORAGE_ROOT  
						
						
						
					 
					
						2014-08-25 13:25:44 -04:00 
						 
				 
			
				
					
						
							
							
								Sebastian Kosch 
							
						 
					 
					
						
						
						
						
							
						
						
							9bfff1f679 
							
						 
					 
					
						
						
							
							Add server block customizations  
						
						... 
						
						
						
						This allows users to add a file /etc/nginx/conf.d/includes/mydomain.com.conf, the contents of which will be included in the server block for mydomain.com. 
						
					 
					
						2014-08-24 17:34:15 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							df20d447a9 
							
						 
					 
					
						
						
							
							add an api for setting custom DNS records  
						
						... 
						
						
						
						Works like this:
```curl -d "" --user email:password https://.../admin/dns/set/qname/rtype/value ```
where the rtype and value default to "A" and the remote IP address of the request, so that a simple, empty POST to
```https://.../admin/dns/set/desktop.mydomain.com ```
will point desktop.mydomain.com to the caller's IPv4 address.
closes  #140  
						
					 
					
						2014-08-23 23:03:45 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6e3b04ce83 
							
						 
					 
					
						
						
							
							when generating SSL CSRs, using SHA256 as SHA1 is being phased out, per @konklone  
						
						
						
					 
					
						2014-08-23 17:49:33 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							2d5097345a 
							
						 
					 
					
						
						
							
							move the package update check into the system status checks  
						
						
						
					 
					
						2014-08-21 11:24:40 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							294d19e0af 
							
						 
					 
					
						
						
							
							rename whats_next.py to status_checks.py  
						
						
						
					 
					
						2014-08-21 10:43:55 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							46f3d05034 
							
						 
					 
					
						
						
							
							add the network checks to whats_next  
						
						... 
						
						
						
						* zen.spamhaus.org
* dbl.spamhaus.org
* checks if a connection to Google's MTA on port 25 works 
						
					 
					
						2014-08-19 11:16:49 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							91821adfd7 
							
						 
					 
					
						
						
							
							nameserver checks should be case insensitive  
						
						
						
					 
					
						2014-08-18 22:41:27 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b30d7ad80a 
							
						 
					 
					
						
						
							
							web-based administrative UI  
						
						... 
						
						
						
						closes  #19  
					
						2014-08-17 22:46:06 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							ba8e015795 
							
						 
					 
					
						
						
							
							dns_update: don't restart the opendkim process if nothing changed  
						
						
						
					 
					
						2014-08-17 20:42:17 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							919a5a8f0b 
							
						 
					 
					
						
						
							
							whats_next: when there are multiple responses like for NS records sort the responses so we can compare to a fixed order  
						
						
						
					 
					
						2014-08-17 19:55:03 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f299825a95 
							
						 
					 
					
						
						
							
							in the nginx override YAML file, change how proxies are specified into a mapping  
						
						
						
					 
					
						2014-08-17 19:40:45 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							04454b35c6 
							
						 
					 
					
						
						
							
							(merge) CardDAV, CalDAV via ownCloud and move to z-push fork  
						
						... 
						
						
						
						Merges branch 'owncloud' of github.com:jkaberg/mailinabox
which is pull request #135 , closes  #135 
thanks @jkaberg, @fmbiete, @owncloud 
						
					 
					
						2014-08-17 15:31:08 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f41ec93cbe 
							
						 
					 
					
						
						
							
							management: don't raise an exception on a poorly formatted authentication header  
						
						
						
					 
					
						2014-08-17 11:50:05 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6e380ade17 
							
						 
					 
					
						
						
							
							owncloud will only let users access it from the PRIMARY_HOSTNAME (due to its trusted_domains option being set statically), so only include /cloud in the nginx configuration for PRIMARY_HOSTNAME  
						
						
						
					 
					
						2014-08-16 12:33:10 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8c9f278166 
							
						 
					 
					
						
						
							
							owncloud: support MOD_X_ACCEL_REDIRECT_ENABLED  
						
						... 
						
						
						
						This lets downloads from the file app work. 
						
					 
					
						2014-08-15 23:16:54 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e625a424fd 
							
						 
					 
					
						
						
							
							whats_next: check that the TLSA record is correct,  fixes   #139  
						
						
						
					 
					
						2014-08-13 19:42:49 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							0eceb2012f 
							
						 
					 
					
						
						
							
							use php5-fpm rather than our own custom launcher script for PHP+FastCGI  
						
						
						
					 
					
						2014-08-12 11:00:54 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1312b0254b 
							
						 
					 
					
						
						
							
							backup: don't remove old increments because then we lose the backup history right before the last full backup, instead let them disappear along with full backups when a whole chain becomes very old  
						
						
						
					 
					
						2014-08-11 11:45:40 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f66914d634 
							
						 
					 
					
						
						
							
							backup: automatically take a full backup when the sum of the increments gets very large  
						
						
						
					 
					
						2014-08-11 11:38:32 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							58e300e113 
							
						 
					 
					
						
						
							
							backup must be full on the first run because incremental backup will fail,  fixes   #134  
						
						
						
					 
					
						2014-08-11 07:16:58 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e294f7c181 
							
						 
					 
					
						
						
							
							create the Drafts folder for users so K-9 mail doesn't poll unnecessarily, see  #129  
						
						
						
					 
					
						2014-08-09 16:49:57 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b56f82cb92 
							
						 
					 
					
						
						
							
							make a privileges column in the users table and mark the first user as an admin  
						
						
						
					 
					
						2014-08-08 12:31:22 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6a512042dc 
							
						 
					 
					
						
						
							
							after creating the local encrypted backup, execute the after-backup script if the user has provided one to copy the files to a remote location  
						
						
						
					 
					
						2014-08-02 14:16:08 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6d4fab1e6a 
							
						 
					 
					
						
						
							
							whats_next: offer DNSSEC DS parameters rather than the full record and in validation allow for other digests than the one we suggest using  
						
						... 
						
						
						
						fixes  #120  (hopefully), in which Gandi generates a SHA1 digest but we were only checking against a SHA256 digest
Also see http://discourse.mailinabox.email/t/how-to-set-ds-record-for-gandi-net/24/1  in which a user asks about the DS parameters that Gandi asks for. 
					
						2014-08-01 12:15:05 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							30178ef019 
							
						 
					 
					
						
						
							
							add a --force flag to dns_update  
						
						
						
					 
					
						2014-08-01 12:05:34 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							168c06939d 
							
						 
					 
					
						
						
							
							have nsd bind to the network interface that is connected to the Internet, rather than all non-loopback network interfaces  
						
						... 
						
						
						
						hopefully fixes  #121 ; thanks for the help @sfPlayer1 
						
					 
					
						2014-07-29 20:07:26 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8042ab66ac 
							
						 
					 
					
						
						
							
							don't serve web for domains with custom DNS records that point A/AAAA elsewhere, and in whats_next only check that an A record exists on a domain if we are serving web on the domain  
						
						
						
					 
					
						2014-07-20 15:23:17 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8354d9732a 
							
						 
					 
					
						
						
							
							in the custom DNS yaml config, treat 'local' as an alias for the box's own IP/IPv6 addresses  
						
						
						
					 
					
						2014-07-20 14:53:55 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1ad9c70887 
							
						 
					 
					
						
						
							
							refactor custom DNS records  
						
						
						
					 
					
						2014-07-20 14:48:20 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							2e0680de4f 
							
						 
					 
					
						
						
							
							the check for whether a custom DNS setting is valid was in the wrong place  
						
						
						
					 
					
						2014-07-20 14:41:02 +00:00 
						 
				 
			
				
					
						
							
							
								sfPlayer1 
							
						 
					 
					
						
						
						
						
							
						
						
							89acbe4127 
							
						 
					 
					
						
						
							
							Update dns_update.py  
						
						... 
						
						
						
						Add new extra bool parameter. 
						
					 
					
						2014-07-18 13:05:32 +02:00 
						 
				 
			
				
					
						
							
							
								sfPlayer1 
							
						 
					 
					
						
						
						
						
							
						
						
							0e893626c8 
							
						 
					 
					
						
						
							
							Add IPv6 glue records as well  
						
						... 
						
						
						
						The dns_update script didn't generate IPv6 (AAAA) glue records for the name servers.
This caused http://dnscheck.pingdom.com  to complain about a mismatch between the glue records reported by the parent name server and mailinabox nsd.
Here's the failing dnscheck output for reference:
> Checking glue for ns1.my.domain.tld (1.2.3.4).
> Child glue for bgwe.eu found: ns1.my.domain.tld (1.2.3.4)
> Checking glue for ns1.my.domain.tld (1234::1).
> Missing glue at child: ns1.my.domain.tld
> Checking glue for ns2.my.domain.tld (1.2.3.4).
> Child glue for bgwe.eu found: ns2.my.domain.tld (1.2.3.4)
> Checking glue for ns2.my.domain.tld (1234::1).
> Missing glue at child: ns2.my.domain.tld
I'm not very familiar with Python and DNS, please verify ;) 
						
					 
					
						2014-07-18 13:03:09 +02:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							42c891032d 
							
						 
					 
					
						
						
							
							don't create a www. subdomain on any domains that are themselves subdomains within a zone, i.e. don't create www.PUBLIC_HOSTNAME if PUBLIC_HOSTNAME is a subdomain of another domain, which is what we normally recommend  
						
						
						
					 
					
						2014-07-17 13:08:05 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							d7a9e7cc17 
							
						 
					 
					
						
						
							
							run management/dns_update.py from the console to dump the DNS records, with explanations, in case the user wants to host DNS off of the box  
						
						
						
					 
					
						2014-07-17 13:08:05 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							7803ac9ca4 
							
						 
					 
					
						
						
							
							write explanatory text as we build DNS zones so we can help the user manage DNS off of the box  
						
						
						
					 
					
						2014-07-17 13:08:05 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							eac349187d 
							
						 
					 
					
						
						
							
							whats_next: move the admin alias check to the system section  
						
						
						
					 
					
						2014-07-16 09:36:56 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							9c7d476915 
							
						 
					 
					
						
						
							
							re-do catch-all aliases,  fixes   #107  (originally  #104 )  
						
						... 
						
						
						
						This reverts pull request #105  from jonessen96/master (84d2023f94 
						
					 
					
						2014-07-13 12:29:43 +00:00 
						 
				 
			
				
					
						
							
							
								Jonas Platte 
							
						 
					 
					
						
						
						
						
							
						
						
							c35252720f 
							
						 
					 
					
						
						
							
							Prohibited usage of empty local part for validate_email(email, strict = true)  
						
						
						
					 
					
						2014-07-12 22:57:38 +02:00 
						 
				 
			
				
					
						
							
							
								Jonas Platte 
							
						 
					 
					
						
						
						
						
							
						
						
							70e4e7f7be 
							
						 
					 
					
						
						
							
							Fixed validate_email not accepting catchalls (empty local part of the address)  
						
						
						
					 
					
						2014-07-12 03:22:55 +02:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							85bd2c8804 
							
						 
					 
					
						
						
							
							use the Dovecot managesieve service to manage sieve scripts  
						
						... 
						
						
						
						This lets roundcube's managesieve plugin do cool things like vacation responses.
Also:
* Run the spam filtering sieve script out of a global sieve file that we'll place in /etc/dovecot. It is no longer necessary to create per-user sieve files for this. Remove them with a new migration. Remove the code that created them.
* Corrects the spam script. Backslashes were double-escaped probably because this script started embedded within the bash script. Not sure how this was working until now.
this adapts work by @h8h in #103  
						
					 
					
						2014-07-10 23:09:07 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							41b3df6d78 
							
						 
					 
					
						
						
							
							manage hostmaster@ and postmaster@ automatically, create administrator@ during setup instead  
						
						... 
						
						
						
						closes  #94  
					
						2014-07-09 19:30:17 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							22a010ecb9 
							
						 
					 
					
						
						
							
							say that certificates are valid too in output  
						
						
						
					 
					
						2014-07-09 16:38:56 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							659b5c8aa3 
							
						 
					 
					
						
						
							
							if the server certificate can be used for a non-primary domain, use it  
						
						
						
					 
					
						2014-07-09 16:38:42 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6c70b10c15 
							
						 
					 
					
						
						
							
							tell users to restart nginx after plugging in a new cert  
						
						
						
					 
					
						2014-07-09 14:05:59 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							deebda06e1 
							
						 
					 
					
						
						
							
							utils.sort_domains wasn't right  
						
						
						
					 
					
						2014-07-09 12:35:12 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1a74b81f44 
							
						 
					 
					
						
						
							
							new nginx configuration yaml file to allow proxying of whole domains elsewhere  
						
						
						
					 
					
						2014-07-09 12:31:32 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							04e30ffa78 
							
						 
					 
					
						
						
							
							check that the installed certificate corresponds to the private key  
						
						
						
					 
					
						2014-07-08 15:47:54 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							59a9d02fa5 
							
						 
					 
					
						
						
							
							check that installed certificates are for the domains we are using the certificates for  
						
						
						
					 
					
						2014-07-07 12:06:11 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							65fb65ada7 
							
						 
					 
					
						
						
							
							an mx record may be missing if the A record matches the A record of PRIMARY_HOSTNAME  
						
						
						
					 
					
						2014-07-07 02:35:45 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							28e254fb84 
							
						 
					 
					
						
						
							
							whats_next: Allow the PRIMARY_HOSTNAME to not have an MX because the default value means the domain itself, which is what we want anyway  
						
						
						
					 
					
						2014-07-07 02:35:45 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e898cd5d2a 
							
						 
					 
					
						
						
							
							whats_next: wrap output to the actual width of the terminal  
						
						
						
					 
					
						2014-07-07 02:35:45 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6a231d4409 
							
						 
					 
					
						
						
							
							clarify that an SSL cert can remain self-signed on the non-primary domains if the domain isn't being used for web  
						
						
						
					 
					
						2014-07-07 02:35:45 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							49d5561933 
							
						 
					 
					
						
						
							
							when adding/removing mail addresses also update nginx's config  
						
						
						
					 
					
						2014-07-06 12:16:50 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							c8856f107d 
							
						 
					 
					
						
						
							
							migrate the SSL certificates path for non-primary certs to a new layout using a new migration script  
						
						
						
					 
					
						2014-06-30 20:41:29 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							06ba25151f 
							
						 
					 
					
						
						
							
							get_domain_ssl_files returned the wrong path for the CSR for PRIMARY_HOSTNAME  
						
						
						
					 
					
						2014-06-30 19:49:41 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							b5aa1b0f31 
							
						 
					 
					
						
						
							
							walk the user through choosing the PRIMARY_HOSTNAME by first asking for their email address  
						
						
						
					 
					
						2014-06-30 10:20:58 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							fed5959288 
							
						 
					 
					
						
						
							
							s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout  
						
						
						
					 
					
						2014-06-30 09:15:36 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							87f001a5d5 
							
						 
					 
					
						
						
							
							some comments  
						
						
						
					 
					
						2014-06-24 03:24:41 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							1dec8c65ce 
							
						 
					 
					
						
						
							
							move the SSH password login check into whats_next.py (it used to be in start.sh and then moved to an unused script when it became a problem for Vagrant)  
						
						
						
					 
					
						2014-06-23 19:39:20 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							d4ce50de86 
							
						 
					 
					
						
						
							
							new tool to purchase and install a SSL certificate using Gandi.net's API  
						
						
						
					 
					
						2014-06-23 10:53:29 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							30c416ff6e 
							
						 
					 
					
						
						
							
							rename the new checklist script to whats_next.py  
						
						
						
					 
					
						2014-06-23 00:11:24 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5aa09c3f9b 
							
						 
					 
					
						
						
							
							let the user override some DNS records in a different way  
						
						... 
						
						
						
						Moved the configuration to a single YAML file, rather than one per domain, to be clearer.
re-does 33f06f29c1 
						
					 
					
						2014-06-22 19:33:30 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							343886d818 
							
						 
					 
					
						
						
							
							add mail alias checks and other cleanup  
						
						
						
					 
					
						2014-06-22 16:28:55 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							deab8974ec 
							
						 
					 
					
						
						
							
							if we handle mail for both a domain and any subdomain, only create a zone for the domain and put the subdomain's DNS records in the main domain's zone file  
						
						
						
					 
					
						2014-06-22 16:24:15 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							4668367420 
							
						 
					 
					
						
						
							
							first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc.  
						
						
						
					 
					
						2014-06-22 15:54:22 +00:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							9e63ec62fb 
							
						 
					 
					
						
						
							
							Cleanup: remove env dependency  
						
						
						
					 
					
						2014-06-22 08:55:19 -04:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							d100a790a0 
							
						 
					 
					
						
						
							
							Remove API_KEY_FILE setting  
						
						
						
					 
					
						2014-06-22 08:45:29 -04:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							554a28479f 
							
						 
					 
					
						
						
							
							Merge remote-tracking branch 'upstream/master' into mgmt-auth  
						
						... 
						
						
						
						Conflicts:
	management/daemon.py 
						
					 
					
						2014-06-21 21:29:25 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							064d75e261 
							
						 
					 
					
						
						
							
							Merge pull request  #73  from mkropat/syslog-logging  
						
						... 
						
						
						
						Tell Flask to log to syslog 
						
					 
					
						2014-06-21 21:22:27 -04:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							067052d4ea 
							
						 
					 
					
						
						
							
							Add key-based authentication to management service  
						
						... 
						
						
						
						Intended to be the simplest auth possible: every time the service
starts, a random key is written to `/var/lib/mailinabox/api.key`. In
order to authenticate to the service, the client must pass the contents
of `api.key` in an HTTP basic auth header. In this way, users who do not
have read access to that file are not able to communicate with the
service. 
						
					 
					
						2014-06-21 23:42:48 +00:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							53e15eae15 
							
						 
					 
					
						
						
							
							Tell Flask to log to syslog  
						
						... 
						
						
						
						- Writes Flask warnings and errors to `/var/log/syslog`
- Helps to debug issues when running in production 
						
					 
					
						2014-06-21 23:25:35 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							67d31ed998 
							
						 
					 
					
						
						
							
							move the SSL setup into its own bash script since it is used for much more than email now  
						
						
						
					 
					
						2014-06-21 22:16:46 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5faa1cae71 
							
						 
					 
					
						
						
							
							manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for  
						
						
						
					 
					
						2014-06-20 01:55:12 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							126ea94ccf 
							
						 
					 
					
						
						
							
							drop support for ADSP which since last November is no longer recommended per  http://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/  
						
						
						
					 
					
						2014-06-18 22:56:55 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							95e61bc110 
							
						 
					 
					
						
						
							
							add DANE TLSA records to the PUBLIC_HOSTNAME's DNS  
						
						... 
						
						
						
						Postfix has a tls_security_level called "dane" which uses DNS-Based Authentication of Named Entities (DANE)
to require, if specified in the DNS of the MX host, an encrypted connection with a known certificate.
This commit adds TLSA records. 
						
					 
					
						2014-06-19 01:39:27 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							699bccad80 
							
						 
					 
					
						
						
							
							missing spaces in nsd.conf (has no effect but looks proper)  
						
						
						
					 
					
						2014-06-18 23:53:52 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							afb6c26c8b 
							
						 
					 
					
						
						
							
							run bind9 on the loopback interface for ensuring we are using a DNSSEC-aware nameserver to resolve our own DNS queries (i.e. when sending mail) since we can't trust that the network configuration provided for us gives us a DNSSEC-aware DNS server  
						
						... 
						
						
						
						see #71  
						
					 
					
						2014-06-18 19:45:47 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							761fac729b 
							
						 
					 
					
						
						
							
							nsd.conf wasn't properly using the signed zone files  
						
						
						
					 
					
						2014-06-18 23:30:35 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							dd15bf4384 
							
						 
					 
					
						
						
							
							use a better sort order for records in DNS zone files  
						
						
						
					 
					
						2014-06-17 23:34:06 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							14396e58f8 
							
						 
					 
					
						
						
							
							don't create a separate zone for PUBLIC_HOSTNAME if it is a subdomain of another zone (hmm, this is a general principle that could apply to any two domains the box is serving)  
						
						
						
					 
					
						2014-06-17 23:30:00 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							33f06f29c1 
							
						 
					 
					
						
						
							
							let the user override some DNS records  
						
						
						
					 
					
						2014-06-17 22:21:51 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							88709506f8 
							
						 
					 
					
						
						
							
							add DNSSEC  
						
						
						
						
						* sign zones
* in a cron job, periodically re-sign zones because they expire (not tested) 
						
					 
					
						2014-06-17 22:21:12 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							aaa735dbfe 
							
						 
					 
					
						
						
							
							write nsd.conf zones in a predictable order so that we don't keep rewriting it  
						
						
						
					 
					
						2014-06-12 22:28:37 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							e9cde52a48 
							
						 
					 
					
						
						
							
							two more cases of shelling out external programs in a more secure way, see  cecda9cec5 
						
						
						
					 
					
						2014-06-12 21:06:04 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8bd62aa3bc 
							
						 
					 
					
						
						
							
							increase duplicity's volume size from the default of 25MB to 100MB so we create fewer files  
						
						
						
					 
					
						2014-06-09 13:47:41 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							5490142df5 
							
						 
					 
					
						
						
							
							re-do the backup script to use the duplicity program  
						
						
						
						
						Duplicity will manage the process of creating incremental backups for us.
Although duplicity can both encrypt & copy files to a remote host, I really
don't like PGP and so I don't want to use that.
Instead, we'll back up to a local directory unencrypted, then manually
encrypt the full & incremental backup files. Synchronizing the encrypted
backup directory to a remote host is a TODO. 
						
					 
					
						2014-06-09 09:34:52 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							cecda9cec5 
							
						 
					 
					
						
						
							
							management: shell out external programs in a more secure way  
						
						
						
					 
					
						2014-06-09 08:09:45 -04:00 
						 
				 
			
				
					
						
							
							
								Michael Kropat 
							
						 
					 
					
						
						
						
						
							
						
						
							ae67409603 
							
						 
					 
					
						
						
							
							Support dual-stack IPv4/IPv6 mail servers  
						
						
						
						
						Addresses #3 
Added support by adding parallel code wherever `$PUBLIC_IP` was used.
Providing an IPv6 address is completely optional.
Playing around on my IPv6-enabled mail server revealed that — before
this change — mailinabox might try to use an IPv6 address as the value
for `$PUBLIC_IP`, which wouldn't work out well. 
						
					 
					
						2014-06-08 18:32:52 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							242cadebc8 
							
						 
					 
					
						
						
							
							allow dashes in emails during validation, and for aliases allow a much wider range of characters, fixes #64  
						
						
						
						
						* for local mail users, also disallows periods at the beginning or end of the local or domain parts
* Dovecot gets confused if the string contains any unusual characters, so local mail users are restricted to a narrow regex
* for mail aliases Postfix is not confused so use a regex based on RFC 2822 
						
					 
					
						2014-06-06 10:51:36 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							f1dac1fe13 
							
						 
					 
					
						
						
							
							show less output when updating DNS configuration  
						
						
						
					 
					
						2014-06-06 10:51:36 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							6194c63f76 
							
						 
					 
					
						
						
							
							add management comments for checking for updated Ubuntu packages and applying updates  
						
						
						
					 
					
						2014-06-05 20:57:30 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							295981828f 
							
						 
					 
					
						
						
							
							Vagrantize  
						
						
						
						
						* adding a Vagrantfile
* in a non-interactive setup like this, create the user's first email account for them
* let the machine auto-detect its IP address using http://icanhazip.com/ 
* use our own justtesting.email domain to provision a subdomain for users so they can quickly get started 
						
					 
					
						2014-06-04 19:39:58 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							7fa4862f1a 
							
						 
					 
					
						
						
							
							refactor dns_update so that the zone is first generated in a file-format agnostic way  
						
						
						
					 
					
						2014-06-04 19:00:31 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							8ed15168c0 
							
						 
					 
					
						
						
							
							the new dns_update totally forgot to write the OpenDKIM tables  
						
						
						
					 
					
						2014-06-04 18:44:13 -04:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							89730bd643 
							
						 
					 
					
						
						
							
							new backup script, see  #11  
						
						
						
					 
					
						2014-06-03 21:16:38 +00:00 
						 
				 
			
				
					
						
							
							
								Joshua Tauberer 
							
						 
					 
					
						
						
						
						
							
						
						
							c54b0cbefc 
							
						 
					 
					
						
						
							
							move management into a daemon service running as root  
						
						
						
						
						* Created a new Python/flask-based management daemon.
* Moved the mail user management core code from tools/mail.py to the new daemon.
* tools/mail.py is a wrapper around the daemon and can be run as a non-root user.
* Adding a new initscript for the management daemon.
* Moving dns_update.sh to the management daemon, called via curl'ing the daemon's API.
This also now runs the DNS update after mail users and aliases are added/removed,
which sets up new domains' DNS as needed. 
						
					 
					
						2014-06-03 13:56:40 +00:00