c7c3bd33cf  Joshua Tauberer  2014-09-21 13:37:30 +00:00
DNS API should reject qnames that aren't in a zone managed by the box

see https://discourse.mailinabox.email/t/set-www-a-and-other-dns-records-after-install/63/10

16e2350fef  Joshua Tauberer  2014-09-15 06:00:50 -04:00
revise the description of A records on domains: the A record must be present for good deliverability so that the envelope domain resolves, but it doesn't have to resolve to this machine

110e0f90d9  Joshua Tauberer  2014-09-07 11:42:20 +00:00
dns: move the quoting of TXT records to when we write the zone file so that we can display it unquoted in the External DNS instructions

7a449c76a1  Joshua Tauberer  2014-09-01 23:06:55 +00:00
set the DNS TTL to 30 minutes rather than 1 day

Also updating the values for secondary DNS, but we're not set up for secondary DNS so it won't matter.
see #172

10a37cd033  Joshua Tauberer  2014-08-27 12:59:40 +00:00
add SSHFP records to DNS

d5efb05f31  Ben Schumacher  2014-08-26 15:58:34 -04:00
Fix typo in dns_update.py.

ed8ce16fb5  Joshua Tauberer  2014-08-25 23:35:44 +00:00
show custom DNS records in the control panel too, fixes #155

df20d447a9  Joshua Tauberer  2014-08-23 23:03:45 +00:00
add an api for setting custom DNS records

Works like this:
`curl -d "" --user email:password https://.../admin/dns/set/qname/rtype/value`
where the rtype and value default to "A" and the remote IP address of the request, so that a simple, empty POST to
`https://.../admin/dns/set/desktop.mydomain.com`
will point desktop.mydomain.com to the caller's IPv4 address.
closes #140

b30d7ad80a  Joshua Tauberer  2014-08-17 22:46:06 +00:00
web-based administrative UI

closes #19

ba8e015795  Joshua Tauberer  2014-08-17 20:42:17 +00:00
dns_update: don't restart the opendkim process if nothing changed

6d4fab1e6a  Joshua Tauberer  2014-08-01 12:15:05 +00:00
whats_next: offer DNSSEC DS parameters rather than the full record and in validation allow for other digests than the one we suggest using

fixes #120 (hopefully), in which Gandi generates a SHA1 digest but we were only checking against a SHA256 digest
Also see http://discourse.mailinabox.email/t/how-to-set-ds-record-for-gandi-net/24/1 in which a user asks about the DS parameters that Gandi asks for.

30178ef019  Joshua Tauberer  2014-08-01 12:05:34 +00:00
add a --force flag to dns_update

168c06939d  Joshua Tauberer  2014-07-29 20:07:26 -04:00
have nsd bind to the network interface that is connected to the Internet, rather than all non-loopback network interfaces

hopefully fixes #121; thanks for the help @sfPlayer1

8042ab66ac  Joshua Tauberer  2014-07-20 15:23:17 +00:00
don't serve web for domains with custom DNS records that point A/AAAA elsewhere, and in whats_next only check that an A record exists on a domain if we are serving web on the domain

8354d9732a  Joshua Tauberer  2014-07-20 14:53:55 +00:00
in the custom DNS yaml config, treat 'local' as an alias for the box's own IP/IPv6 addresses

1ad9c70887  Joshua Tauberer  2014-07-20 14:48:20 +00:00
refactor custom DNS records

2e0680de4f  Joshua Tauberer  2014-07-20 14:41:02 +00:00
the check for whether a custom DNS setting is valid was in the wrong place

89acbe4127  sfPlayer1  2014-07-18 13:05:32 +02:00
Update dns_update.py

Add new extra bool parameter.

0e893626c8  sfPlayer1  2014-07-18 13:03:09 +02:00
Add IPv6 glue records as well

The dns_update script didn't generate IPv6 (AAAA) glue records for the name servers.
This caused http://dnscheck.pingdom.com to complain about a mismatch between the glue records reported by the parent name server and mailinabox nsd.
Here's the failing dnscheck output for reference:
> Checking glue for ns1.my.domain.tld (1.2.3.4).
> Child glue for bgwe.eu found: ns1.my.domain.tld (1.2.3.4)
> Checking glue for ns1.my.domain.tld (1234::1).
> Missing glue at child: ns1.my.domain.tld
> Checking glue for ns2.my.domain.tld (1.2.3.4).
> Child glue for bgwe.eu found: ns2.my.domain.tld (1.2.3.4)
> Checking glue for ns2.my.domain.tld (1234::1).
> Missing glue at child: ns2.my.domain.tld
I'm not very familiar with Python and DNS, please verify ;)

42c891032d  Joshua Tauberer  2014-07-17 13:08:05 +00:00
don't create a www. subdomain on any domains that are themselves subdomains within a zone, i.e. don't create www.PUBLIC_HOSTNAME if PUBLIC_HOSTNAME is a subdomain of another domain, which is what we normally recommend

d7a9e7cc17  Joshua Tauberer  2014-07-17 13:08:05 +00:00
run management/dns_update.py from the console to dump the DNS records, with explanations, in case the user wants to host DNS off of the box

7803ac9ca4  Joshua Tauberer  2014-07-17 13:08:05 +00:00
write explanatory text as we build DNS zones so we can help the user manage DNS off of the box

49d5561933  Joshua Tauberer  2014-07-06 12:16:50 +00:00
when adding/removing mail addresses also update nginx's config

fed5959288  Joshua Tauberer  2014-06-30 09:15:36 -04:00
s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout

87f001a5d5  Joshua Tauberer  2014-06-24 03:24:41 +00:00
some comments

5aa09c3f9b  Joshua Tauberer  2014-06-22 19:33:30 +00:00
let the user override some DNS records in a different way

Moved the configuration to a single YAML file, rather than one per domain, to be clearer.
re-does 33f06f29c1

343886d818  Joshua Tauberer  2014-06-22 16:28:55 +00:00
add mail alias checks and other cleanup

deab8974ec  Joshua Tauberer  2014-06-22 16:24:15 +00:00
if we handle mail for both a domain and any subdomain, only create a zone for the domain and put the subdomain's DNS records in the main domain's zone file

4668367420  Joshua Tauberer  2014-06-22 15:54:22 +00:00
first pass at a management tool for checking what the user must do to finish his configuration: set NS records, DS records, sign his certificates, etc.

67d31ed998  Joshua Tauberer  2014-06-21 22:16:46 +00:00
move the SSL setup into its own bash script since it is used for much more than email now

5faa1cae71  Joshua Tauberer  2014-06-20 01:55:12 +00:00
manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for

126ea94ccf  Joshua Tauberer  2014-06-18 22:56:55 -04:00
drop support for ADSP which since last November is no longer recommended per http://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/

95e61bc110  Joshua Tauberer  2014-06-19 01:39:27 +00:00
add DANE TLSA records to the PUBLIC_HOSTNAME's DNS

Postfix has a tls_security_level called "dane" which uses DNS-Based Authentication of Named Entities (DANE)
to require, if specified in the DNS of the MX host, an encrypted connection with a known certificate.
This commit adds TLSA records.

699bccad80  Joshua Tauberer  2014-06-18 23:53:52 +00:00
missing spaces in nsd.conf (has no effect but looks proper)

afb6c26c8b  Joshua Tauberer  2014-06-18 19:45:47 -04:00
run bind9 on the loopback interface for ensuring we are using a DNSSEC-aware nameserver to resolve our own DNS queries (i.e. when sending mail) since we can't trust that the network configuration provided for us gives us a DNSSEC-aware DNS server

see #71

761fac729b  Joshua Tauberer  2014-06-18 23:30:35 +00:00
nsd.conf wasn't properly using the signed zone files

dd15bf4384  Joshua Tauberer  2014-06-17 23:34:06 +00:00
use a better sort order for records in DNS zone files

14396e58f8  Joshua Tauberer  2014-06-17 23:30:00 +00:00
don't create a separate zone for PUBLIC_HOSTNAME if it is a subdomain of another zone (hmm, this is a general principle that could apply to any two domains the box is serving)

33f06f29c1  Joshua Tauberer  2014-06-17 22:21:51 +00:00
let the user override some DNS records

88709506f8  Joshua Tauberer  2014-06-17 22:21:12 +00:00
add DNSSEC

* sign zones
* in a cron job, periodically re-sign zones because they expire (not tested)

aaa735dbfe  Joshua Tauberer  2014-06-12 22:28:37 -04:00
write nsd.conf zones in a predictable order so that we don't keep rewriting it

e9cde52a48  Joshua Tauberer  2014-06-12 21:06:04 -04:00
two more cases of shelling out external programs in a more secure way, see cecda9cec5

ae67409603  Michael Kropat  2014-06-08 18:32:52 -04:00
Support dual-stack IPv4/IPv6 mail servers

Addresses #3
Added support by adding parallel code wherever `$PUBLIC_IP` was used.
Providing an IPv6 address is completely optional.
Playing around on my IPv6-enabled mail server revealed that — before this change — mailinabox might try to use an IPv6 address as the value for `$PUBLIC_IP`, which wouldn't work out well.

f1dac1fe13  Joshua Tauberer  2014-06-06 10:51:36 -04:00
show less output when updating DNS configuration

295981828f  Joshua Tauberer  2014-06-04 19:39:58 -04:00
Vagrantize

* adding a Vagrantfile
* in a non-interactive setup like this, create the user's first email account for them
* let the machine auto-detect its IP address using http://icanhazip.com/
* use our own justtesting.email domain to provision a subdomain for users so they can quickly get started

7fa4862f1a  Joshua Tauberer  2014-06-04 19:00:31 -04:00
refactor dns_update so that the zone is first generated in a file-format agnostic way

8ed15168c0  Joshua Tauberer  2014-06-04 18:44:13 -04:00
the new dns_update totally forgot to write the OpenDKIM tables

c54b0cbefc  Joshua Tauberer  2014-06-03 13:56:40 +00:00
move management into a daemon service running as root

* Created a new Python/flask-based management daemon.
* Moved the mail user management core code from tools/mail.py to the new daemon.
* tools/mail.py is a wrapper around the daemon and can be run as a non-root user.
* Adding a new initscript for the management daemon.
* Moving dns_update.sh to the management daemon, called via curl'ing the daemon's API.
This also now runs the DNS update after mail users and aliases are added/removed, which sets up new domains' DNS as needed.