Commit Graph

2163 Commits

Author SHA1 Message Date
Michael Kroes 4db82d3d09 Caldav doesnt support sync tokens 2015-10-25 13:19:22 -04:00
Michael Kroes 5055ef060d Change configuration options for new version of z-push 2015-10-25 08:29:57 -04:00
Michael Kroes 35088a7cac Update Z-Push version to 80cbe53de4ab8dd598d1f2af6f0a23fa396c529a 2015-10-25 07:25:24 -04:00
Joshua Tauberer f046031b26 nginx-ssl.conf changes were partially incorrect, partial revert of 834c42bc50
My own /etc/nginx/nginx.conf was messed up, so what I thought were Ubuntu 14.04 defaults weren't, and we lost the ssl_protocols and ssl_prefer_server_ciphers settings. This puts those back.

https://discourse.mailinabox.email/t/dev-master-version-reported-as-poodle-attack-vulnerable-by-ssllabs/898
2015-10-24 11:36:18 +00:00
Joshua Tauberer 3b91bc2c0a if secondary nameservers are given, status checks now check they are serving the right info 2015-10-22 10:58:36 +00:00
Joshua Tauberer 4c4babd9e7 experimentally scanning the mail log to see if we can infer a good time to take a backup 2015-10-22 10:35:14 +00:00
Joshua Tauberer 53dc53bf8f changelog entries 2015-10-18 12:10:57 +00:00
Joshua Tauberer 274e5ca676 let dovecot automatically create mailbox folders rather than doing it manually in the management daemon, fixes #554 2015-10-18 11:55:27 +00:00
Joshua Tauberer 5e7b7835b7 Merge pull request #573 from ptimof/master
Added 'Sent' folder when creating user.
2015-10-12 10:05:52 -04:00
Peter Timofejew 1bdfdbee89 Added 'Sent' folder when creating user. 2015-10-12 09:43:35 -04:00
X O ebffaab16a Added wosign as a suggest free SSL provider. 2015-10-11 11:33:18 +10:30
Joshua Tauberer d6d4085809 munin setup may show '/bin/rm: missing operand', fixes #527 2015-10-10 16:48:49 +00:00
Joshua Tauberer 2a44b0cafb the new SSL certs routine requires cryptography>=1.0.2 to make RSAPublicNumbers hashable
an earlier problem about --upgrade (de34d0d337) seemed to be just a local problem on my box, so going back to unpinned >= requirement specs

https://discourse.mailinabox.email/t/upgrade-to-v0-13b-broke-admin/876
2015-10-08 12:24:22 +00:00
Joshua Tauberer 834c42bc50 move nginx-ssl to be a global configuration file rather than including it into each server block 2015-09-27 17:13:11 +00:00
Joshua Tauberer 6c8ee1862a use subresource integrity attributes to guard against CDNs being used as an attack vector; drop external resources that we can't protect this way (fonts); fixes #234 2015-09-18 19:04:28 +00:00
Joshua Tauberer 787beab63f choose the best SSL cert from among the installed certificates; use the server certificate instead of self-signed certificates
For HTTPS for the non-primary domains, instead of selecting an SSL certificate by expecting it to be in a directory named after the domain name (with special-case lookups
for www domains, and reusing the server certificate where possible), now scan all of the certificates that have been installed and just pick the best to use for each domain.

If no certificate is available, don't create a self-signed certificate anymore. This wasn't ever really necessary. Instead just use the server certificate.
2015-09-18 13:25:18 +00:00
Joshua Tauberer 58349a9410 when updating DNS, clear the local DNS cache 2015-09-18 13:00:53 +00:00
Joshua Tauberer 93c2258d23 let the HSTS header be controlled by the management daemon so some domains can choose to enable preload 2015-09-08 21:20:50 +00:00
Joshua Tauberer bd7a4dedc1 Merge pull request #551 from anoma/master
Revert two FAIL2BAN SSH jail changes
2015-09-07 06:49:48 -04:00
anoma ae3ae0b5ba Revert to default FAIL2BAN findtime for SSH jail
I propose that the default 600s/10minute find time is a better test duration for this ban. The altered 120s findtime sounds reasonable until you consider that attackers can simply throttle to 3 attempts per minute and never be banned.

The remaining non default jail settings of maxretry = 7 and bantime = 3600 I believe are good.
2015-09-07 08:36:59 +01:00
anoma 42d657eb54 Unnecessary config item, inherited from default jail.conf 2015-09-07 08:28:54 +01:00
Joshua Tauberer d60d73b7e0 status checks: dont error if there's a domain that dns_update hasn't been run yet on 2015-09-06 13:27:35 +00:00
Joshua Tauberer 6704da1446 silence errors in the admin if there is an invalid domain name in the database
see #531
2015-09-06 13:27:28 +00:00
Hoekynl d24a2f7cab Updated, mistype.
Removed :$HTML5_NOTIFIER_VERSION, which breaks it
2015-09-06 10:22:08 +02:00
Hoekynl ed31002cc6 Added commit version hash. Working now.
Added HTML5_NOTIFIER_VERSION
Updated git_clone to work.

Tested and working.
2015-09-06 10:20:36 +02:00
Hoekynl f8ac896795 Include html5_notifier by default
Include the roundcube plugin html_notifier by default
2015-09-05 23:33:19 +02:00
Joshua Tauberer 3e96de26dd server_names_hash_bucket_size=128 now, see #93 2015-09-05 20:24:17 +00:00
Joshua Tauberer 4f6fa40dbd warn in status checks if a custom DNS record has been set on a domain that would normally serve web and as a result that domain no longer is serving web 2015-09-05 20:07:51 +00:00
Joshua Tauberer 104b804059 if a custom DNS record exists for a web-serving domain and the record is just the box's IP address, don't skip this domain for serving web 2015-09-05 20:07:51 +00:00
Joshua Tauberer c545e46ebe Merge pull request #548 from NurdTurd/patch-1
Typo
2015-09-05 15:30:25 -04:00
Sheldon Rupp 52a216fbcb Typo
Change KB to MB due to typo.
2015-09-05 21:29:24 +02:00
Joshua Tauberer 2c29d59895 Merge pull request #478 from kri3v/patch-1
Added more bantime and lowered max retry attempts
2015-09-05 11:42:36 -04:00
Joshua Tauberer de34d0d337 pin pip versions of email_validator and cryptography so pip doesn't keep reinstalling them each upgrade even if nothing changed (and the ceffi depedency installation can be very slow and is prone to break under low memory) 2015-09-05 12:35:01 +00:00
Joshua Tauberer 2bb7a6fc27 changelog entries 2015-09-05 08:01:59 -04:00
Joshua Tauberer 1b84292c56 Merge pull request #544 from 0xFelix/master
Fix DKIM validation and spamassassin DNS/Pyzor checks
2015-09-05 06:59:00 -04:00
Felix 18efae9703 Remove direct dependencies as they get installed automatically 2015-09-05 09:08:47 +02:00
Joshua Tauberer 4b6d86ef89 trim the instructions at the end of an upgrade about the DNS-broken control panel login 2015-09-04 18:49:32 -04:00
Joshua Tauberer 75a75a6f84 admin: rename my ajax javascript function to ajax_with_indicator; see 79c57c2303 2015-09-04 18:40:56 -04:00
Joshua Tauberer 2e99589336 admin: fix jumpyness when a modal is shown (move overflow-y to body; make the navbar not fixed to top) 2015-09-04 22:21:10 +00:00
Joshua Tauberer 188b21dd36 bump bootstrap to 3.3.5 and jquery to 1.11.3 on the admin 2015-09-04 22:13:56 +00:00
Joshua Tauberer 0cf56e0aad add a random password generator to the users page of the admin 2015-09-04 22:12:07 +00:00
Felix bd7728ac94 Add documentation for additional packages, remove unneeded package libcrypt-openssl-random-perl 2015-09-04 15:45:47 +02:00
Felix b6f7a10569 Add missing dependencies for DKIM validation 2015-09-04 09:25:49 +02:00
Felix 53a9fc0e48 Set 'LOCALONLY' to 0 in /etc/default/spampd 2015-09-04 09:18:12 +02:00
Joshua Tauberer b05af6eecb v0.13b
ownCloud 8.1.1 trusted_domains autoconfiguration fix.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJV43ODAAoJELkgQfTBC92BAMEH/3DbsticgFhbPzMsCcmcjxkg
 1Dxw4e8YRgMPp3xuq4/5we6bL/KXSxioFc1488jfiLhAe6fHZGmSi4p6L8twnsxD
 exUd/pHZ8L1SC953JhBXLUWYfAQ/ozEZ8bNPVJ4NLx5T58FPWBSRouQHHZTMc/z1
 Pduc6RjZQ3o1dmTzbwt5hB/ZS61CFV2V9cr+aKmFSDKh7/qzBSaqGfiTOsWI43GE
 JfCN6hwnCUvvkGfaYmxJSY/emgiJETLkQCv0e1kZs5MfojkFUspqvmTQViE2HI4f
 y5FWmPXvhoHuMIgH0q0Rrw0xchXW44fJbK4SnT50z7do8F7KmSX6ztw5oxux/U0=
 =kcFy
 -----END PGP SIGNATURE-----

v0.13b - release & merge side-branch

ownCloud 8.1.1 trusted_domains autoconfiguration fix.
2015-08-30 17:21:36 -04:00
Joshua Tauberer 571171a0c6 ownCloud 8.1.1's autoconfig resets trusted_domains / update trusted_domains if PRIMARY_HOSTNAME changes
Seems like ownCloud 8.1.1 now doesn't play nice with trusted_domains. Whatever is put in ahead of time gets reset to an array containing 'localhost' only, probably because we invoke autoconfiguration from the command line where it doesn't know the hostname it's being accessed from. We now set this value after running autoconfig.

This has the added benefit of also fixing the problem that if PRIMARY_HOSTNAME changes, trusted_domains wasn't updated. Now it is. Fixes #503.

See #514.
2015-08-30 17:19:38 -04:00
Joshua Tauberer c5082498ab utils.py can't import non-standard modules because it is imported by migrate.py, which is run before anything is installed
closes #540
2015-08-30 13:50:34 -04:00
Joshua Tauberer d19c215bf1 Merge pull request #537 from elwebmaster/patch-1
Update nginx-primaryonly.conf
2015-08-28 15:10:49 -04:00
Stefan Dimitrov 42dd46e305 Update nginx-primaryonly.conf
Nginx should be connecting over the local interface, not to the IP the resolver gives it. Elsewhere in this file proxy_pass uses 127.0.0.1 as it should.
2015-08-28 15:07:47 -04:00
Joshua Tauberer a6496949f8 Merge pull request #536 from badsyntax/external-dns-txt-record-limit-info
Added a note about TXT record length limitations and how to construct the records to bypass the limitation
2015-08-28 15:00:23 -04:00