Commit Graph

174 Commits

Author SHA1 Message Date
Chad Furman e9feefa5d3 Merge remote-tracking branch 'upstream/main' into chad/resolve-merge-conflicts 2024-04-27 10:41:39 -04:00
KiekerJan 1a239c55bb
More robust reading of sshd configuration (#2330)
Use sshd -T instead of directly reading the configuration files
2024-03-23 11:16:40 -04:00
KiekerJan 0b1d92388a
Take spamhaus return codes into account in status check and postfix config (#2332) 2024-03-10 08:09:36 -04:00
Teal Dulcet 618c466b84 Fixed SIM114 (if-with-same-arms): Combine `if` branches using logical `or` operator 2024-03-10 07:56:49 -04:00
Teal Dulcet a32354fd91 Fixed PLR5501 (collapsible-else-if): Use `elif` instead of `else` then `if`, to reduce indentation 2024-03-10 07:56:49 -04:00
Teal Dulcet e466b9bb53 Fixed RUF005 (collection-literal-concatenation) 2024-03-10 07:56:49 -04:00
Teal Dulcet 0e9193651d Fixed PLW1514 (unspecified-encoding): `open` in text mode without explicit `encoding` argument 2024-03-10 07:56:49 -04:00
Teal Dulcet a02b59d4e4 Fixed F401 (unused-import): `socket.timeout` imported but unused 2024-03-10 07:56:49 -04:00
Teal Dulcet c719fce40a Fixed UP032 (f-string): Use f-string instead of `format` call 2024-03-10 07:56:49 -04:00
Teal Dulcet 922c59ddaf Fixed SIM212 (if-expr-with-twisted-arms): Use `with_lines if with_lines else []` instead of `[] if not with_lines else with_lines` 2024-03-10 07:56:49 -04:00
Teal Dulcet 20a99c0ab8 Fixed UP041 (timeout-error-alias): Replace aliased errors with `TimeoutError` 2024-03-10 07:56:49 -04:00
Teal Dulcet 54af4725f9 Fixed C404 (unnecessary-list-comprehension-dict): Unnecessary `list` comprehension (rewrite as a `dict` comprehension) 2024-03-10 07:56:49 -04:00
Teal Dulcet fd4fcdaf53 Fixed E712 (true-false-comparison): Comparison to `False` should be `cond is False` or `if not cond:` 2024-03-10 07:56:49 -04:00
Teal Dulcet 57d05c1ab2 Fixed B007 (unused-loop-control-variable) 2024-03-10 07:54:51 -04:00
Teal Dulcet c953e5784d Fixed C401 (unnecessary-generator-set): Unnecessary generator (rewrite as a `set` comprehension) 2024-03-10 07:54:51 -04:00
Teal Dulcet 99d3929f99 Fixed E711 (none-comparison) 2024-03-10 07:54:51 -04:00
Teal Dulcet e8d1c037cb Fixed SIM102 (collapsible-if): Use a single `if` statement instead of nested `if` statements 2024-03-10 07:54:51 -04:00
Teal Dulcet 3d72c32b1d Fixed W605 (invalid-escape-sequence) 2024-03-10 07:54:51 -04:00
Teal Dulcet 14a5613dc8 Fixed UP031 (printf-string-formatting): Use format specifiers instead of percent format 2024-03-10 07:54:51 -04:00
Teal Dulcet eefc0514b2 Fixed UP030 (format-literals): Use implicit references for positional format fields 2024-03-10 07:54:51 -04:00
Teal Dulcet 13b38cc04d Fixed F841 (unused-variable) 2024-03-10 07:54:51 -04:00
Teal Dulcet 2b426851f9 Fixed UP032 (f-string): Use f-string instead of `format` call 2024-03-10 07:54:51 -04:00
Teal Dulcet b7f70b17ac Fixed RET504 (unnecessary-assign) 2024-03-10 07:54:51 -04:00
Teal Dulcet 49124cc9ca Fixed PLR6201 (literal-membership): Use a `set` literal when testing for membership 2024-03-10 07:54:51 -04:00
Teal Dulcet cb922ec286 Fixed UP015 (redundant-open-modes): Unnecessary open mode parameters 2024-03-10 07:54:49 -04:00
Teal Dulcet 0ee64f2fe8 Fixed F401 (unused-import) 2024-03-10 07:54:21 -04:00
KiekerJan 785c337fb3
Make reading of previous status check result more robust (#2347) 2024-03-10 07:27:04 -04:00
Michael Heuberger 81866de229
Amend --always option to all git describe commands (#2275) 2023-09-02 06:59:39 -04:00
Joshua Tauberer b3743a31e9 Add a status checks check that fail2ban is running using fail2ban-client 2023-01-15 10:17:10 -05:00
Hugh Secker-Walker 820a39b865
chore(python open): Refactor open and gzip.open to use context manager (#2203)
Co-authored-by: Hugh Secker-Walker <hsw+miac@hodain.net>
2023-01-15 08:28:43 -05:00
KiekerJan 0fc5105da5
Fixes to DNS lookups during status checks when there are timeouts, enforce timeouts better (#2191)
* add dns query handling changes

* replace exception pass with error message

* simplify dns exception catching

* Add not set case to blacklist lookup result handling
2023-01-15 08:20:08 -05:00
John R. Supplee d8f44b38a2 Merge tag 'v57a' of https://github.com/mail-in-a-box/mailinabox
Version 57a (June 19, 2022)

* The Backblaze backups fix posted in Version 57 was incomplete. It's
now fixed.
2022-11-23 13:20:24 +02:00
Steve Hay 7cda439c80
Port boto to boto3 and fix asyncio issue in the management daemon (#2156)
Co-authored-by: Steve Hay <hay.steve@gmail.com>
2022-09-17 07:57:12 -04:00
Rauno Moisto 78569e9a88 Fix DeprecationWarning in dnspython query vs resolve method
The resolve method disables resolving relative names by default. This change probably makes a7710e90 unnecessary. @JoshData added some additional changes from query to resolve.
2022-07-28 14:02:46 -04:00
Joshua Tauberer 99474b348f Update backup to be compatible with duplicity 0.8.23
We were using duplicity 0.8.21-ppa202111091602~ubuntu1 from the duplicity PPA probably until June 5, which is when my box automatically updated to 0.8.23-ppa202205151528~ubuntu18.04.1. Starting with that version, two changes broke backups:

* The default s3 backend was changed to boto3. But boto3 depends on the AWS SDK which does not support Ubuntu 18.04, so we can't install it. Instead, we map s3: backup target URLs to the boto+s3 scheme which tells duplicity to use legacy boto. This should be reverted when we can switch to boto3.
* Contrary to the documentation, the s3 target no longer accepts a S3 hostname in the URL. It now reads the bucket from the hostname part of the URL. So we now drop the hostname from our target URL before passing it to duplicity and we pass the endpoint URL in a separate command-line argument. (The boto backend was dropped from duplicity's "uses_netloc" in 74d4cf44b1 (f5a07610d36bd242c3e5b98f8348879a468b866a_37_34), but other changes may be related.)

The change of target URL (due to both changes) seems to also cause duplicity to store cached data in a different directory within $STORAGE_ROOT/backup/cache, so on the next backup it will re-download cached manifest/signature files. Since the cache directory will still hold the prior data which is no longer needed, it might be a good idea to clear out the cache directory to save space. A system status checks message is added about that.

Fixes #2123
2022-06-12 08:17:48 -04:00
lamberete 6e40c69cb5
Error message using IPv4 instead of failing IPv6.
One of the error messages around IPv6 was using the IPv4 for the output, making the error message confusing.
2022-03-26 13:50:24 +01:00
lamberete c0e54f87d7
Sorting ds records on report.
When building the part of the report about the current DS records found, they are added in the same order as they were received when calling query_dns(), which can differ from run to run. This was making the difflib.SequenceMatcher() method find the same line removed and added one line later, and sending a Status Checks Change Notice email with the same line added and removed when there were actually no real changes.
2022-03-26 13:45:49 +01:00
John Supplee f05b262ffc Merge tag 'v56' of github.com:mail-in-a-box/mailinabox
Version 56 (January 19, 2022)

Software updates:

* Roundcube updated to 1.5.2 (from 1.5.0), and the persistent_login and
CardDAV (to 4.3.0 from 3.0.3) plugins are updated.
* Nextcloud updated to 20.0.14 (from 20.0.8), contacts to 4.0.7 (from
3.5.1), and calendar to 3.0.4 (from 2.2.0).

Setup:

* Fixed failed setup if a previous attempt failed while updating
Nextcloud.

Control panel:

* Fixed a crash if a custom DNS entry is not under a zone managed by the
box.
* Fix DNSSEC instructions typo.

Other:

* Set systemd journald log retention to 10 days (from no limit) to
reduce disk usage.
* Fixed log processing for submission lines that have a sasl_sender or
other extra information.
* Fix DNS secondary nameserver refresh failure retry period.
2022-03-16 07:42:45 -04:00
steadfasterX aac878dce5
fix: key flag id for KSK, fix format (#2063)
as mentioned (https://github.com/mail-in-a-box/mailinabox/pull/2033#issuecomment-976365087) KSK is 257, not 256
2021-11-23 11:06:17 -05:00
John R. Supplee 894df240cb Merge tag 'v55' of https://github.com/mail-in-a-box/mailinabox
Version 55 (October 18, 2021)
-----------------------------

Mail:

* "SMTPUTF8" is now disabled in Postfix. Because Dovecot still does not
support SMTPUTF8, incoming mail to internationalized addresses was
bouncing. This fixes incoming mail to internationalized domains (which
was probably working prior to v0.40), but it will prevent sending
outbound mail to addresses with internationalized local-parts.
* Upgraded to Roundcube 1.5.

Control panel:

* The control panel menus are now hidden before login, but now
non-admins can log in to access the mail and contacts/calendar
instruction pages.
* The login form now disables browser autocomplete in the two-factor
authentication code field.
* After logging in, the default page is now a fast-loading welcome page
rather than the slow-loading system status checks page.
* The backup retention period option now displays for B2 backup targets.
* The DNSSEC DS record recommendations are cleaned up and now recommend
changing records that use SHA1.
* The Munin monitoring pages no longer require a separate HTTP basic
authentication login and can be used if two-factor authentication is
turned on.
* Control panel logins are now tied to a session backend that allows
true logouts (rather than an encrypted cookie).
* Failed logins no longer directly reveal whether the email address
corresponds to a user account.
* Browser dark mode now inverts the color scheme.

Other:

* Fail2ban's IPv6 support is enabled.
* The mail log tool now doesn't crash if there are email addresses in
log messages with invalid UTF-8 characters.
* Additional nsd.conf files can be placed in /etc/nsd.conf.d.
2021-10-30 11:58:47 +02:00
John R. Supplee 8993ebd3a8 Merge tag 'v0.53' of https://github.com/mail-in-a-box/mailinabox
v0.53 (April 12, 2021)
----------------------

Software updates:

* Upgraded Roundcube to version 1.4.11 addressing a security issue, and
its desktop notifications plugin.
* Upgraded Z-Push (for Exchange/ActiveSync) to version 2.6.2.

Control panel:

* Backblaze B2 is now a supported backup protocol.
* Fixed an issue in the daily mail reports.
* Sort the Custom DNS by zone and qname, and add an option to go back to
the old sort order (creation order).

Mail:

* Enable sending DMARC failure reports to senders that request them.

Setup:

* Fixed error when upgrading from Nextcloud 13.
2021-10-30 11:40:57 +02:00
mailinabox-contributor 91079ab934
add numeric flag value to DNSSEC DS status message (#2033)
Some registrars (e.g. Porkbun) accept Key Data when creating a DS RR,
but accept only a numeric flags value to indicate the key type (256 for KSK, 257 for ZSK).

https://datatracker.ietf.org/doc/html/rfc5910#section-4.3
2021-09-10 16:12:41 -04:00
Joshua Tauberer 67b5711c68 Recommend that DS records be updated to not use SHA1 and exclude MUST NOT methods (SHA1) and the unlikely option RSASHA1-NSEC3-SHA1 (7) + SHA-384 (4) from the DS record suggestions 2021-08-22 14:43:46 -04:00
myfirstnameispaul 20ccda8710 Re-order DS record algorithms by digest type and revise warning message.
Note that 7, 4 is printed last in the status checks page but does not appear in the file, and I couldn't figure out why.
2021-08-22 14:29:36 -04:00
Joshua Tauberer d510c8ae2a Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)
Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2021-05-15 16:42:14 -04:00
Joshua Tauberer aaa81ec879 Fix indentation issue in bc4ae51c2d 2021-05-08 09:06:18 -04:00
Hala Alajlan bc4ae51c2d
Handle query dns timeout unhandled error (#1950)
Co-authored-by: hala alajlan <halalajlan@gmail.com>
2021-05-08 08:26:40 -04:00
Joshua Tauberer 178c587654 Migrate to the ECDSAP256SHA256 (13) DNSSEC algorithm
* Stop generating RSASHA1-NSEC3-SHA1 keys on new installs since it is no longer recommended, but preserve the key on existing installs so that we continue to sign zones with existing keys to retain the chain of trust with existing DS records.
* Start generating ECDSAP256SHA256 keys during setup, the current best practice (in addition to RSASHA256 which is also ok). See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 and https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/.
* Sign zones using all available keys rather than choosing just one based on the TLD to enable rotation/migration to the new key and to give the user some options since not every registrar/TLD supports every algorithm.
* Allow a user to drop a key from signing specific domains using DOMAINS= in our key configuration file. Signing the zones with extraneous keys may increase the size of DNS responses, which isn't ideal, although I don't know if this is a problem in practice. (Although a user can delete the RSASHA1-NSEC3-SHA1 key file, the other keys will be re-generated on upgrade.)
* When generating zonefiles, add a hash of all of the DNSSEC signing keys so that when the keys change the zone is definitely regenerated and re-signed.
* In status checks, if DNSSEC is not active (or not valid), offer to use all of the keys that have been generated (for RSASHA1-NSEC3-SHA1 on existing installs, RSASHA256, and now ECDSAP256SHA256) with all digest types, since not all registrars support everything, but list them in an order that guides users to the best practice.
* In status checks, if the deployed DS record doesn't use an ECDSAP256SHA256 key, prompt the user to update their DS record.
* In status checks, if multiple DS records are set, only fail if none are valid. If some use ECDSAP256SHA256 and some don't, remind the user to delete the DS records that don't.
* Don't fail if the DS record uses the SHA384 digest (by pre-generating a DS record with that digest type) but don't recommend it because it is not in the IANA mandatory list yet (https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml).

See #1953
2021-04-12 19:42:12 -04:00
Felix Spöttel e3d98b781e
Warn when connection to Spamhaus times out (#1817) 2021-01-28 18:22:43 -05:00
John Supplee 38ac127344 v0.50 (September 25, 2020)
--------------------------
 
 Setup:
 
 * When upgrading from versions before v0.40, setup will now warn that ownCloud/Nextcloud data cannot be migrated rather than failing the installation.
 
 Mail:
 
 * An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced.
 * The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT.
 
 DNS:
 
 * autoconfig and autodiscover subdomains and CalDAV/CardDAV SRV records are no longer generated for domains that don't have user accounts since they are unnecessary.
 * IPv6 addresses can now be specified for secondary DNS nameservers in the control panel.
 
 TLS:
 
 * TLS certificates are now provisioned in groups by parent domain to limit easy domain enumeration and make provisioning more resilient to errors for particular domains.
 
 Control Panel:
 
 * The control panel API is now fully documented at https://mailinabox.email/api-docs.html.
 * User passwords can now have spaces.
 * Status checks for automatic subdomains have been moved into the section for the parent domain.
 * Typo fixed.
 
 Web:
 
 * The default web page served on fresh installations now adds the `noindex` meta tag.
 * The HSTS header is revised to also be sent on non-success responses.

Merge tag 'v0.50' of https://github.com/mail-in-a-box/mailinabox into master

# gpg verification failed.

# Conflicts:
#	.gitignore
#	setup/bootstrap.sh
2020-10-11 18:16:36 +02:00