1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-12-26 07:57:05 +00:00
Commit Graph

808 Commits

Author SHA1 Message Date
github@kiekerjan.isdronken.nl
ded1b55ebd First steps in migrating to dkimpy-milter 2021-12-11 00:54:56 +01:00
KiekerJan
21fd62ef4f more elaborate logfile analysis 2021-11-22 07:05:10 +01:00
kiekerjan
d8dd4cb215
Merge pull request #9 from mail-in-a-box/main
Merge upstream
2021-11-04 00:31:43 +01:00
Joshua Tauberer
34017548d5 Don't crash if a custom DNS entry is not under a zone managed by the box, fixes #1961 2021-10-22 18:39:53 -04:00
github@kiekerjan.isdronken.nl
3ce59172cf remove ignoring MFA for munin 2021-10-19 23:23:49 +02:00
github@kiekerjan.isdronken.nl
eeada2b9b5 merge changes from V55 upstream 2021-10-19 23:07:02 +02:00
Richard Willis
1c3bca53bb
Fix broken link in external-dns.html (#2045) 2021-10-18 07:36:48 -04:00
ukfhVp0zms
b643cb3478
Update calendar/contacts android app info (#2044)
DAVdroid has been renamed to DAVx⁵ and price increased from $3.69 to $5.99.
CardDAV-Sync free is no longer in beta.
CalDAV-Sync price increased from $2.89 to $2.99.
2021-10-13 19:09:05 -04:00
Joshua Tauberer
113b7bd827 Disable SMTPUTF8 in Postfix because Dovecot LMTP doesn't support it and bounces messages that require SMTPUTF8
By not advertising SMTPUTF8 support at the start, senders may opt to transmit recipient internationalized domain names in IDNA form instead, which will be deliverable.

Incoming mail with internationalized domains was probably working prior to our move to Ubuntu 18.04 when postfix's SMTPUTF8 support became enabled by default.

The previous commit is retained because Mail-in-a-Box users might prefer to keep SMTPUTF8 on for outbound mail, if they are not using internationalized domains for email, in which case the previous commit fixes the 'relay access denied' error even if the emails aren't deliverable.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
3e19f85fad Add domain maps from Unicode forms of internationalized domains to their ASCII forms
When an email is received by Postfix using SMTPUTF8 and the recipient domain is a Unicode internationalized domain, it was failing to be delivered (bouncing with 'relay access denied') because our users and aliases tables only store ASCII (IDNA) forms of internationalized domains. In this commit, domain maps are added to the auto_aliases table from the Unicode form of each mail domain to its IDNA form, if those forms are different. The Postfix domains query is updated to look at the auto_aliases table now as well, since it is the only table with Unicode forms of the mail domains.

However, mail delivery is still not working since the Dovecot LMTP server does not support SMTPUTF8, and mail still bounces but with an error that SMTPUTF8 is not supported.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
11e84d0d40 Move automatically generated aliases to a separate database table
They really should never have been conflated with the user-provided aliases.

Update the postfix alias map to query the automatically generated aliases with lowest priority.
2021-09-24 08:11:36 -04:00
Joshua Tauberer
79966e36e3 Set a cookie for /admin/munin pages to grant access to Munin reports
The /admin/munin routes used the same Authorization: header logic as the other API routes, but they are browsed directly in the browser because they are handled as static pages or as a proxy to a CGI script.

This required users to enter their email username/password for HTTP basic authentication in the standard browser auth prompt, which wasn't ideal (and may leak the password in browser storage). It also stopped working when MFA was enabled for user accounts.

A token is now set in a cookie when visiting /admin/munin which is then checked in the routes that proxy the Munin pages. The cookie's lifetime is kept limited to limit the opportunity for any unknown CSRF attacks via the Munin CGI script.
2021-09-24 08:11:36 -04:00
drpixie
df46e1311b
Include NSD config files from /etc/nsd/nsd.conf.d/*.conf (#2035)
And write MIAB dns zone config into /etc/nsd/nsd.conf.d/zones.conf. Delete lingering old zones.conf file.

Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-24 08:07:40 -04:00
KiekerJan
e54dc19854 slightly change dns resolver call 2021-09-21 22:17:10 +02:00
Elsie Hupp
353084ce67
Use "smart invert" for dark mode (#2038)
* Use "smart invert" for dark mode

Signed-off-by: Elsie Hupp <9206310+elsiehupp@users.noreply.github.com>

* Add more contrast to form controls

Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-19 09:53:03 -04:00
mailinabox-contributor
91079ab934
add numeric flag value to DNSSEC DS status message (#2033)
Some registrars (e.g. Porkbun) accept Key Data when creating a DS RR,
but accept only a numeric flags value to indicate the key type (256 for KSK, 257 for ZSK).

https://datatracker.ietf.org/doc/html/rfc5910#section-4.3
2021-09-10 16:12:41 -04:00
Joshua Tauberer
e5909a6287 Allow non-admin login to the control panel and show/hide menu items depending on the login state
* When logged out, no menu items are shown.
* When logged in, Log Out is shown.
* When logged in as an admin, the remaining menu items are also shown.
* When logged in as a non-admin, the mail and contacts/calendar instruction pages are shown.

Fixes #1987
2021-09-06 09:23:58 -04:00
Joshua Tauberer
26932ecb10 Add a 'welcome' panel to the control panel and make it the default page instead of the status checks which take too long to load
Fixes #2014
2021-09-06 09:23:58 -04:00
Joshua Tauberer
e884c4774f Replace HMAC-based session API keys with tokens stored in memory in the daemon process
Since the session cache clears keys after a period of time, this fixes #1821.

Based on https://github.com/mail-in-a-box/mailinabox/pull/2012, and so:

Co-Authored-By: NewbieOrange <NewbieOrange@users.noreply.github.com>

Also fixes #2029 by not revealing through the login failure error message whether a user exists or not.
2021-09-06 09:23:58 -04:00
Joshua Tauberer
53ec0f39cb Use 'secrets' to generate the system API key and remove some debugging-related code
* Rename the 'master' API key to be called the 'system' API key
* Generate the key using the Python secrets module which is meant for this
* Remove some debugging helper code which will be obsoleted by the upcoming changes for session keys
2021-09-06 09:23:58 -04:00
kiekerjan
98c00d1c6a
Merge branch 'mail-in-a-box:main' into master 2021-08-28 13:38:15 +02:00
David Duque
ba80d9e72d
Show backup retention period form when configuring B2 backups (#2024) 2021-08-23 06:25:41 -04:00
Joshua Tauberer
67b5711c68 Recommend that DS records be updated to not use SHA1 and exclude MUST NOT methods (SHA1) and the unlikely option RSASHA1-NSEC3-SHA1 (7) + SHA-384 (4) from the DS record suggestions 2021-08-22 14:43:46 -04:00
myfirstnameispaul
20ccda8710 Re-order DS record algorithms by digest type and revise warning message.
Note that 7, 4 is printed last in the status checks page but does not appear in the file, and I couldn't figure out why.
2021-08-22 14:29:36 -04:00
lamkin
daad122236
Ignore bad encoding in email addresses when parsing maillog files (#2017)
local/domain parts of email address should be standard ASCII or
UTF-8. Some email addresses contain extended ASCII, leading to
decode failure by the UTF-8 codec (and thus failure of the
Usage-Report script)

This change allows maillog parsing to continue over lines
containing such addresses
2021-08-16 11:46:32 -04:00
kiekerjan
ea452d5441
Merge branch 'mail-in-a-box:main' into master 2021-08-16 11:49:46 +02:00
KiekerJan
87be897d36 update DH security to 4096 2021-08-01 21:52:37 +02:00
NewbieOrange
21ad26e452
Disable auto-complete for 2FA code in the control panel login form (#2013) 2021-07-28 16:39:40 -04:00
KiekerJan
fa66b767af add debugging info to email admin tool 2021-07-26 10:04:35 +02:00
KiekerJan
db612e91e5 do not generate dns zonefiles for www only websites with external DNS records 2021-06-25 00:36:12 +02:00
KiekerJan
eb36091d41 syntax error fix 2021-06-24 12:56:18 +02:00
github@kiekerjan.isdronken.nl
4f7957a5ab check presence of dnssec key file before reading it 2021-06-24 12:47:46 +02:00
KiekerJan
56f9df738f version recognition 2021-06-23 21:02:21 +02:00
KiekerJan
4323b5af01 simple fault catching email admin 2021-06-22 22:50:06 +02:00
github@kiekerjan.isdronken.nl
ca5fb3c2e0 Merge changes from upstream v0.54 2021-06-20 23:36:54 +02:00
github@kiekerjan.isdronken.nl
b007b74a89 try hide admin links 2021-05-31 23:29:00 +02:00
kiekerjan
c25bb085d6
Merge pull request #3 from kiekerjan/develop-dns-mods
Develop dns mods
2021-05-29 22:39:31 +02:00
KiekerJan
28b828be12 check service on ipv6 if it is not found on ipv4 2021-05-28 23:36:25 +02:00
github@kiekerjan.isdronken.nl
1d96be9ea9 take hidden master dns into account for the status checks 2021-05-24 21:32:13 +02:00
github@kiekerjan.isdronken.nl
d88d7d0371 Merge branch 'develop-dns-mods' of https://github.com/kiekerjan/mailinabox into develop-dns-mods 2021-05-24 14:24:18 +02:00
github@kiekerjan.isdronken.nl
ee87feb571 modify dns TTLs according to recommendations from zonemaster.iis.se 2021-05-24 14:24:09 +02:00
KiekerJan
e928b915f4 clean strings before comparing 2021-05-23 21:47:37 +02:00
KiekerJan
6be8ae1e4b correct use of Pyhton Booleans 2021-05-22 18:47:37 +02:00
github@kiekerjan.isdronken.nl
544f06b100 document DNS mods and make DNS options configurable per domain 2021-05-19 22:48:21 +02:00
github@kiekerjan.isdronken.nl
14394ef05b add missing . in nameserver definition 2021-05-19 22:01:25 +02:00
github@kiekerjan.isdronken.nl
856d94b74f use shorthand for ttl periods, more correct secondary ns list handling 2021-05-19 21:17:55 +02:00
github@kiekerjan.isdronken.nl
b9e7175d9f add principal functionality to act as hidden master 2021-05-18 22:51:29 +02:00
github@kiekerjan.isdronken.nl
8b13a3b177 short TTL for DNS entries if config file set 2021-05-18 13:28:09 +02:00
KiekerJan
1af0c58623 add daily ip blacklist check 2021-05-18 13:02:05 +02:00
Joshua Tauberer
d510c8ae2a Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)
Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2021-05-15 16:42:14 -04:00