Commit Graph

51 Commits

Author SHA1 Message Date
Chad Furman e9feefa5d3 Merge remote-tracking branch 'upstream/main' into chad/resolve-merge-conflicts 2024-04-27 10:41:39 -04:00
Teal Dulcet 55a8be4aa9 Removed unnecessary bc commands. 2024-04-03 09:22:50 -04:00
Teal Dulcet bdf4155bed Fixed SC2046: Quote to prevent word splitting. 2024-04-03 09:21:34 -04:00
Teal Dulcet 30c4681e80 Fixed SC2086: Double quote to prevent globbing and word splitting. 2024-04-03 09:20:20 -04:00
Hugh Secker-Walker 57047d96e9
chore(setup): Update obsolete chown group syntax (#2202)
Co-authored-by: Hugh Secker-Walker <hsw+miac@hodain.net>
2023-01-15 08:25:36 -05:00
Steve Hay 84da4e6000 Update dovecot to use same DH parameters file as the other services
Originally from #2157.
2022-09-17 09:07:54 -04:00
Joshua Tauberer 0a7b9d5089 Update dovecot, spampd settings for Ubuntu 22.04
* dovecot's ssl_protocols became ssl_min_protocol in 2.3
* spampd fixed a bug so we can remove lmtp_destination_recipient_limit=1 in postfix
2022-07-28 14:34:45 -04:00
John R. Supplee 894df240cb Merge tag 'v55' of https://github.com/mail-in-a-box/mailinabox
Version 55 (October 18, 2021)
-----------------------------

Mail:

* "SMTPUTF8" is now disabled in Postfix. Because Dovecot still does not
support SMTPUTF8, incoming mail to internationalized addresses was
bouncing. This fixes incoming mail to internationalized domains (which
was probably working prior to v0.40), but it will prevent sending
outbound mail to addresses with internationalized local-parts.
* Upgraded to Roundcube 1.5.

Control panel:

* The control panel menus are now hidden before login, but now
non-admins can log in to access the mail and contacts/calendar
instruction pages.
* The login form now disables browser autocomplete in the two-factor
authentication code field.
* After logging in, the default page is now a fast-loading welcome page
rather than the slow-loading system status checks page.
* The backup retention period option now displays for B2 backup targets.
* The DNSSEC DS record recommendations are cleaned up and now recommend
changing records that use SHA1.
* The Munin monitoring pages no longer require a separate HTTP basic
authentication login and can be used if two-factor authentication is
turned on.
* Control panel logins are now tied to a session backend that allows
true logouts (rather than an encrypted cookie).
* Failed logins no longer directly reveal whether the email address
corresponds to a user account.
* Browser dark mode now inverts the color scheme.

Other:

* Fail2ban's IPv6 support is enabled.
* The mail log tool now doesn't crash if there are email addresess in
log messages with invalid UTF-8 characters.
* Additional nsd.conf files can be placed in /etc/nsd.conf.d.
2021-10-30 11:58:47 +02:00
Thomas Urban 3701e05d92
Rewrite envelope from address in sieve forwards (#1949)
Fixes #1946.
2021-05-08 08:30:53 -04:00
Joshua Tauberer 9b07d86bf7 Use $(...) notation instead of legacy backtick notation for embedded shell commands
shellcheck reported

    SC2006: Use $(...) notation instead of legacy backticked `...`.

Fixed by applying shellcheck's diff output as a patch.
2021-05-03 19:28:23 -04:00
John Supplee 38ac127344 v0.50 (September 25, 2020)
--------------------------
 
 Setup:
 
 * When upgrading from versions before v0.40, setup will now warn that ownCloud/Nextcloud data cannot be migrated rather than failing the installation.
 
 Mail:
 
 * An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced.
 * The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT.
 
 DNS:
 
 * autoconfig and autodiscover subdomains and CalDAV/CardDAV SRV records are no longer generated for domains that don't have user accounts since they are unnecessary.
 * IPv6 addresses can now be specified for secondary DNS nameservers in the control panel.
 
 TLS:
 
 * TLS certificates are now provisioned in groups by parent domain to limit easy domain enumeration and make provisioning more resilient to errors for particular domains.
 
 Control Panel:
 
 * The control panel API is now fully documented at https://mailinabox.email/api-docs.html.
 * User passwords can now have spaces.
 * Status checks for automatic subdomains have been moved into the section for the parent domain.
 * Typo fixed.
 
 Web:
 
 * The default web page served on fresh installations now adds the `noindex` meta tag.
 * The HSTS header is revised to also be sent on non-success responses.
 -----BEGIN PGP SIGNATURE-----
 
 iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl9t2AgPHGp0QG9jY2Ft
 cy5pbmZvAAoJELkgQfTBC92BZNkH/1jIGoWTz0xlS+e+TeXpHoCp/7zYAvQq/a/y
 vj9t1N1+bBg6Ywbd8UxyvOHwuL/UQU/5LTq6hk3gD+2ARfJUvDRbb047Xzlisg3N
 LhNoVhVbsxqKP1X2ZjeIBq9DgzMavuB64Bwd5UNdceM0Addi8KuCDOMF+FNY2t8k
 xytGjYdBi1/BG6SLBX+FAm5yrJghmkUJs2FnJjebSyyeV2HP3L1iBrk2N8UBd6PU
 fVjde534lgygFZK/8yXJpY2olfLMYJv7CaOMxvaW6RpbMI8VeLwDLfRt5LcrQZqq
 YXkuEnUI0eygbQYkeK/Vr1Vey6uQAWzIfbImEglHfvOXsZSYFXs=
 =SJNM
 -----END PGP SIGNATURE-----

Merge tag 'v0.50' of https://github.com/mail-in-a-box/mailinabox into master

v0.50 (September 25, 2020)
--------------------------

Setup:

* When upgrading from versions before v0.40, setup will now warn that ownCloud/Nextcloud data cannot be migrated rather than failing the installation.

Mail:

* An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced.
* The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT.

DNS:

* autoconfig and autodiscover subdomains and CalDAV/CardDAV SRV records are no longer generated for domains that don't have user accounts since they are unnecessary.
* IPv6 addresses can now be specified for secondary DNS nameservers in the control panel.

TLS:

* TLS certificates are now provisioned in groups by parent domain to limit easy domain enumeration and make provisioning more resilient to errors for particular domains.

Control Panel:

* The control panel API is now fully documented at https://mailinabox.email/api-docs.html.
* User passwords can now have spaces.
* Status checks for automatic subdomains have been moved into the section for the parent domain.
* Typo fixed.

Web:

* The default web page served on fresh installations now adds the `noindex` meta tag.
* The HSTS header is revised to also be sent on non-success responses.

# gpg verification failed.

# Conflicts:
#	.gitignore
#	setup/bootstrap.sh
2020-10-11 18:16:36 +02:00
Marcus Bointon cd518e6820
Raise Dovecot per user connection limit (#1799) 2020-07-27 06:37:52 -04:00
John R. Supplee 9b96b93260 Merge v0.44
# Conflicts:
#	setup/bootstrap.sh
2020-03-02 21:54:27 +02:00
Joshua Tauberer f53b18ebb9 Upgrade TLS settings 2019-12-01 17:49:36 -05:00
jvolkenant 81176c8e4b Fix to prevent multiple commented entries in dovecot conf (#1642) 2019-12-01 16:22:17 -05:00
John R. Supplee fa3c3236d8 v0.43 (September 1, 2019)
-------------------------
 
 Security fixes:
 
 * A security issue was discovered in rsync backups. If you have enabled rsync backups, the file `id_rsa_miab` may have been copied to your backup destination. This file can be used to access your backup destination. If the file was copied to your backup destination, we recommend that you delete the file on your backup destination, delete `/root/.ssh/id_rsa_miab` on your Mail-in-a-Box, then re-run Mail-in-a-Box setup, and re-configure your SSH public key at your backup destination according to the instructions in the Mail-in-a-Box control panel.
 * Brute force attack prevention was missing for the managesieve service.
 
 Setup:
 
 * Nextcloud was not upgraded properly after restoring Mail-in-a-Box from a backup from v0.40 or earlier.
 
 Mail:
 
 * Upgraded Roundcube to 1.3.10.
 * Fetch an updated whitelist for greylisting on a monthly basis to reduce the number of delayed incoming emails.
 
 Control panel:
 
 * When using secondary DNS, it is now possible to specify a subnet range with the `xfr:` option.
 * Fixed an issue when the secondary DNS option is used and the secondary DNS hostname resolves to multiple IP addresses.
 * Fix a bug in how a backup configuration error is shown.
 -----BEGIN PGP SIGNATURE-----
 
 iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl1rrwIPHGp0QG9jY2Ft
 cy5pbmZvAAoJELkgQfTBC92BgckIALFnDFxhQ18MtClpi79+rnl1aA5DqbToCuI2
 MHIAOmxIVSavnd5MZZ3efXWAzIniEpbq0X+6Rlzas5lkreT1mHoJsKdkt0bOqy1a
 ZF2vT5UnUM9cwPHkU1ak/TaD9v97wbHpWWGwAK+/zTL6w1ReCVfQ2QzCzoDaY7xh
 OZFXE+YsaI7qZeG3Q4jfFr0IYDowLgjgBpdWvO71QKzWjIIvBNX1ZGt2r+cuKmQ5
 JOXIAR4fdri0p8dMd2sqq0FatBBCfjHDBykA/+GzJJDBX7MNoZsQT3bowrhj8XPS
 f5cKUKm7zlDsm02bfCtDD6nvYYUxvOdQx7yfdL8RYSdy71Chs20=
 =7M/i
 -----END PGP SIGNATURE-----

Merge tag 'v0.43' of https://github.com/mail-in-a-box/mailinabox

v0.43 (September 1, 2019)
-------------------------

Security fixes:

* A security issue was discovered in rsync backups. If you have enabled
rsync backups, the file `id_rsa_miab` may have been copied to your
backup destination. This file can be used to access your backup
destination. If the file was copied to your backup destination, we
recommend that you delete the file on your backup destination, delete
`/root/.ssh/id_rsa_miab` on your Mail-in-a-Box, then re-run
Mail-in-a-Box setup, and re-configure your SSH public key at your backup
destination according to the instructions in the Mail-in-a-Box control
panel.
* Brute force attack prevention was missing for the managesieve service.

Setup:

* Nextcloud was not upgraded properly after restoring Mail-in-a-Box from
a backup from v0.40 or earlier.

Mail:

* Upgraded Roundcube to 1.3.10.
* Fetch an updated whitelist for greylisting on a monthly basis to
reduce the number of delayed incoming emails.

Control panel:

* When using secondary DNS, it is now possible to specify a subnet range
with the `xfr:` option.
* Fixed an issue when the secondary DNS option is used and the secondary
DNS hostname resolves to multiple IP addresses.
* Fix a bug in how a backup configuration error is shown.

5F4C0E7313CCD744693B2AEAB92041F4C10BDD81
2019-09-02 18:33:26 -04:00
jvolkenant 193763f8f0 Update to Nextcloud 15.0.8, Contacts to 3.1.1, and Calendar to 1.6.5 (#1577)
* Update to Nextcloud 15.0.7, Contacts to 3.1.1, and Calendar to 1.6.5
* Enabled localhost-only insecure IMAP login for localhost Nextcloud auth
* Add package php-imagick and BigInt conversion
* added support for /cloud/oc[sm]-provider/ endpoint
2019-06-16 11:10:52 -04:00
jvolkenant 4232a1205c fix dovecot message about SSLv2 not supported by OpenSSL (#1580) 2019-05-15 11:46:52 -07:00
John Supplee d443135155 changes to users.sqlite
* add quota column
* modify users_query to return quota_rule
2019-01-28 11:23:49 +02:00
John Supplee 0b68bf8760 put roundcube config change in the right place 2019-01-28 09:38:32 +02:00
John Supplee 907c05299c Add quota support 2019-01-28 09:24:09 +02:00
Christopher A. DeFlumeri d96613b8fe minimal changeset to get things working on 18.04
@joshdata squashed pull request #1398, removed some comments, and added these notes:

* The old init.d script for the management daemon is replaced with a systemd service.
* A systemd service configuration is added to configure permissions for munin on startup.
* nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2.
* Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config.
* The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04.
* The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders.
* Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing.
* Other minor changes.
2018-10-03 13:00:06 -04:00
Joshua Tauberer e924459140 revert f25801e/#1233 - use Mozilla intermediate ciphers for IMAP/POP not modern ciphers
fixes #1300
2017-12-24 14:41:41 -05:00
sam-banks 88604074d6 Bugfix for free command (#1278)
A quick fix - there's no "o" option for free.
2017-12-18 08:21:28 -05:00
Joshua Tauberer f25801e88d Merge #1233 - Limit Dovecot ciphers to the Mozilla modern set 2017-10-03 11:55:16 -04:00
Lloyd Smart 81258e2189 Implement upstream issue #1228 for stronger dh parameters in Dovecot. (#1232) 2017-08-30 13:04:22 -04:00
Lloyd Smart 4dd4b4232a Limited ciphers to the Mozilla modern set from https://mozilla.github.io/server-side-tls/ssl-config-generator/ as requested in issue #1228. 2017-08-29 15:02:58 +01:00
Jan Schulz-Hofen 3830facf78 set dovecot vsz_limit to 1/3 of available memory (#1096)
The `default_vsz_limit` is the maximum amount of virtual memory that can be allocated. It should be set *reasonably high* to avoid allocation issues with larger mailboxes. We're setting it to 1/3 of the total available memory (physical mem + swap) to be sure.

See here for discussion:
- https://www.dovecot.org/list/dovecot/2012-August/137569.html
- https://www.dovecot.org/list/dovecot/2011-December/132455.html
2017-03-01 07:59:48 -05:00
Chris Blankenship fac8477ba1 Configured Dovecot to log into its own logfile 2016-06-06 08:21:44 -04:00
Ralph J.Mayer afd401c3d4 Allow remote client for Sieve 2015-12-31 18:22:31 +01:00
Scott Bronson 6336cc6452 tiny tweaks to make the bash slightly more readable 2015-12-22 12:33:26 -08:00
Michael Kroes fd9287a0fd Add Archive folder to comment in mail-dovecot.sh 2015-10-27 07:58:07 -04:00
Joshua Tauberer 274e5ca676 let dovecot automatically create mailbox folders rather than doing it manually in the management daemon, fixes #554 2015-10-18 11:55:27 +00:00
Michael Long 732a6922de Allow global sieve scripts for before or after user sieve scripts. This allows defining custom system-wide sieve rules. 2015-08-24 19:55:34 -04:00
Joshua Tauberer 73fbcd7fa3 silence all of the installing/already installed package messages on installation
Querying dpkg for each package is slow, and we have way too much output on installation because of it.
2015-08-19 15:58:35 -04:00
Joshua Tauberer b23ba6f75e simplify build/setup of dovecot-lucene package 2015-06-03 15:48:35 -04:00
Joshua Tauberer c38bdbb0c5 mistake in 31eec9fa1c #300 2015-04-11 15:24:15 -04:00
Joshua Tauberer d11be61d94 Add POP3S support (merge w/ adjustments)
* Add pop3s to the ufw firewall rules.
* Updated some comments.
* Updated CHANGELOG.

Merge branch 'master' of https://github.com/pichak/mailinabox
2015-04-09 08:19:20 -04:00
Morteza Milani 916063a79b Better documentation for POP3 settings, UIDL.
UIDL assigns a unique string to each email. This allows emails to
be left on the server after a client downloads them.
2015-04-08 21:32:14 -07:00
Morteza Milani 31eec9fa1c Add POP3s support 2015-01-25 23:37:01 -08:00
Joshua Tauberer c75950125d set dovecot default_process_limit and fs.inotify.max_user_instances to better defaults
See https://discourse.mailinabox.email/t/mailserver-limits/228.
2015-01-02 23:25:52 +00:00
Joshua Tauberer 0b5bf602aa various improvements in bash comments 2014-10-15 11:46:20 -04:00
Joshua Tauberer 06e074bd32 disable SSLv3 in dovecot now that it is known to be insecure (POODLE)
SSLv3 is already disabled in Postfix (45e93f7dcc) and Nginx (51dd2ed70b).
2014-10-15 15:39:05 +00:00
Joshua Tauberer 5fd107cae5 more work on making the bash scripts readable 2014-10-04 17:57:26 -04:00
Joshua Tauberer a4c70f7a92 revert dovecot part of 39bca053ed because dovecot started behaving weird and I don't have time to debug it 2014-09-26 22:41:59 +00:00
Joshua Tauberer 39bca053ed add 2048 bits of DH params for nginx, postfix, dovecot
nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own.

ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.)

see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3
2014-09-26 22:09:22 +00:00
Joshua Tauberer 9d40a12f44 first pass at making readable documentation by parsing the bash scripts 2014-09-21 13:43:31 -04:00
Joshua Tauberer 140c508ff6 increase dovecot imap_idle_notify_interval to 4 minutes
Doesn't seem like 2 minutes is a problem, but 4 minutes seems better. A little less bandwidth, possibly less battery usage (though we don't have evidence that's actually true), and the interval should be shorter than any peer timeouts that might occur due to inactivity

fixes #129
2014-08-10 11:39:29 +00:00
Joshua Tauberer 023cd12e1a hide lots of unnecessary and scary output during setup 2014-07-16 09:36:56 -04:00
Joshua Tauberer 85bd2c8804 use the Dovecot managesieve service to manage sieve scripts
This lets roundcube's manageseive plugin do cool things like vacation responses.

Also:

* Run the spam filtering sieve script out of a global sieve file that we'll place in /etc/dovecot. It is no longer necessary to create per-user sieve files for this. Remove them with a new migration. Remove the code that created them.

* Corrects the spam script. Backslashes were double-escaped probably because this script started embedded within the bash script. Not sure how this was working until now.

this adapts work by @h8h in #103
2014-07-10 23:09:07 +00:00