Commit Graph

162 Commits

Author SHA1 Message Date
Joshua Tauberer 93c2258d23 let the HSTS header be controlled by the management daemon so some domains can choose to enable preload 2015-09-08 21:20:50 +00:00
anoma ae3ae0b5ba Revert to default FAIL2BAN findtime for SSH jail
I propose that the default 600s/10minute find time is a better test duration for this ban. The altered 120s findtime sounds reasonable until you consider that attackers can simply throttle to 3 attempts per minute and never be banned.

The remaining non default jail settings of maxretry = 7 and bantime = 3600 I believe are good.
2015-09-07 08:36:59 +01:00
anoma 42d657eb54 Unnecessary config item, inherited from default jail.conf 2015-09-07 08:28:54 +01:00
Joshua Tauberer 2c29d59895 Merge pull request #478 from kri3v/patch-1
Added more bantime and lowered max retry attempts
2015-09-05 11:42:36 -04:00
Stefan Dimitrov 42dd46e305 Update nginx-primaryonly.conf
Nginx should be connecting over the local interface, not to the IP the resolver gives it. Elsewhere in this file proxy_pass uses 127.0.0.1 as it should.
2015-08-28 15:07:47 -04:00
Joshua Tauberer 5f17abc856 Merge pull request #463 from PortableTech/master
outgoing_mail_header_filters use local hostname and ip
2015-07-11 17:21:55 -04:00
anoma 593fd242bf Activate FAIL2BAN recidive jail
Recidive can be thought of as FAIL2BAN checking itself. This setup will monitor the FAIL2BAN log and if 10 bans are seen within one day activate a week long ban and email the mail in a box admin that it has been applied . These bans survive FAIL2BAN service restarts so are much stronger which obviously means we need to be careful with them.

Our current settings are relatively safe and definitely not easy to trigger by mistake e.g to activate a recidive IP jail by failed SSH logins a user would have to fail logging into SSH  6 times in 10 minutes, get banned, wait for the ban to expire and then repeat this process 9 further times within a 24 hour period.

The default maxretry of 5 is much saner but that can be applied once users are happy with this jail. I have been running a stronger version of this for months and it does a very good job of ejecting persistent abusers.
2015-07-07 12:37:42 +01:00
anoma e591d9082f Ultra safe dovecot findtime and maxretry settings
Explicitly set the timings and counts for the dovecot jail rather than change the global [DEFAULT] and inherit it for this one jail. These settings are far too safe so a future PR should increase security here.
2015-07-06 13:44:53 +01:00
anoma b6f26c0f1e Revert to defaults FAIL2BAN findtime and maxretry
Reverts the remaining FAIL2BAN settings to default: findtime 600 and maxretry 3. As jail settings override default settings this was hardly being used anyway so it is better to explicitly set it per jail as and when required.
2015-07-06 13:42:41 +01:00
PortableTech 07beef3db2 outgoing_mail_header_filters use local hostname and ip
Modify outgoing_mail_header_filters and mail-postfix.sh
files to result in the primary hostname, and the public
ip of the server showing in the first mail header route
instead of unknown and 127.0.0.1.  This could help lower
the spam score of mail sent from your server to some
public mail services.
2015-07-02 16:04:56 -04:00
kri3v dd0bdef640 Added more bantime and lowered max retry attempts
Ban time was too low for preventing ssh brute force attacks, this change also allows to keep the auth.log more clean and avoid wasting cpu and i/o on this. 

Bots eventually will flag your IP as secure and move along.
2015-07-02 12:55:43 -03:00
anoma b2eaaeca4b Revert to default 6 ssh/ddos login attempts
No legitimate admin will require 20 login attempts. The default 6 is a sane middle ground especially since in 10 minutes they can try again  or immediately from another IP anyway.
2015-07-02 10:23:48 +01:00
anoma e2d9a523c3 Cleanup blank lines, comments and whitespace to make it easier to follow 2015-07-02 10:19:37 +01:00
anoma 11df1e4680 Unnecessary config item, inherited from default jail.conf 2015-07-02 10:10:50 +01:00
anoma 53d5542402 Revert to default 600 second ban time
A 60 second/1 minute ban time is not long enough to counter brute force attacks which is the main purpose of fail2ban for mail in a box. The default bantime of 10 minutes is still sane and I think we have proven fail2ban is reliable enough not to cause problems in general. It is not worth sacrificing security for the rare case where an admin locks themselves out for 10 minutes.
2015-07-02 10:08:50 +01:00
anoma bfda3f40b9 Unnecessary config item, inherited from default jail.conf 2015-07-02 09:55:59 +01:00
Joshua Tauberer 53f84a8092 set ssl_stapling_verify back to on, reverts part of 47de93961e
The sslmate guidance changed. See #458.
2015-06-27 07:14:16 -04:00
Marc Schiller 0cc20cbb97 Fixed a bug where autoconfiguration for Z-Push fails due to case of URL. 2015-06-25 11:56:33 +02:00
Joshua Tauberer be2b5a62de ownCloud updated to version 8.0.4 2015-06-14 16:04:07 +00:00
bizonix 2c90c267bd fix loop redirecting
server is redirecting the request for this address in a way that will never complete
2015-06-07 21:50:41 +03:00
Joshua Tauberer 47de93961e OCSP improvements
* Set ssl_stapling_verify to off per https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx ('on' has no security benefits).
* Set resolver to 127.0.0.1, instead of Google Public DNS, because we might as well use our local nameserver anyway.
* Remove the commented line which per the link above would never be necessary anyway.

OCSP seems to work just fine after these changes.
2015-06-06 23:24:09 +00:00
Joshua Tauberer 5008cc603e merge - munin system monitoring 2015-06-06 12:52:22 +00:00
Joshua Tauberer 95173bb327 provide redirects from www subdomains of zones to their parent domain
* Split the nginx templates again so we have just the part needed to make a domain do a redirect separate from the rest.
* Add server blocks to the nginx config for these domains.
* List these domains in the SSL certificate install admin panel.
* Generate default 'www' records just for domains we provide default redirects for.

Fixes #321.
2015-06-04 12:19:01 +00:00
Joshua Tauberer a0e6c7ceb6 fix downloading dotfiles through ownCloud's webdav
fixes #414
2015-05-30 18:03:37 +00:00
Joshua Tauberer a9ed9ae936 more work on munin
* install the munin-node package
* don't install munin-plugins-extra (if the user wants it they can add it)
* expose the munin www directory via the management daemon so that it can handle authorization, rather than manintaining a separate password file
2015-05-25 17:03:52 +00:00
Joshua Tauberer ce94ef38b2 anonymize X-Pgp-Agent, Mime-Version outgoing mail headers; fixes #342
I don't have a mail client that sets Mime-Version with a user agent string so I couldn't really test.
2015-05-03 14:03:59 +00:00
Joshua Tauberer 6bb8f5d889 ownCloud 8 busted MOD_X_ACCEL_REDIRECT_ENABLED
see https://github.com/owncloud/core/issues/14976

We will need to update when ownCloud makes this better with MOD_X_ACCEL_REDIRECT_PREFIX.

See https://discourse.mailinabox.email/t/owncloud-can-not-read-uploaded-data/428.
2015-04-20 22:18:45 +00:00
H8H c443524ee2 Configure fail2ban jails to prevent dumb brute-force attacks against postfix, dovecot and ssh. See #319 2015-03-08 01:13:55 +01:00
BiZoNiX e14b2826e0 Disable viewing dotfiles (.htaccess, .svn, .git, etc.) 2015-02-09 19:41:42 +02:00
ikarus 3a09b04786 hide nginx version an OS information for better privacy. 2015-02-01 20:13:03 +01:00
ikarus e330abd587 do better redirection from http to https
Redirect using the 'return' directive and the built-in
variable '$request_uri' to avoid any capturing, matching
or evaluation of regular expressions.

It's best practice. See: http://wiki.nginx.org/Pitfalls#Taxing_Rewrites
2015-02-01 01:32:07 +01:00
Joshua Tauberer b9ca74c915 implement Mozilla (e.g. Thunderbird) autoconfiguration file
fixes #241
2015-01-31 21:33:18 +00:00
H8H 6efeff6fce [Z-Push] Owncloud doesnt't support CARDDAV_SUPPORTS_SYNC, so set it to false 2014-12-29 16:35:47 +01:00
Joshua Tauberer 31d6128a2b nginx: explicitly listen on both ipv4 and ipv6 (works even if ipv6 isn't present) 2014-11-30 14:41:30 +00:00
Joshua Tauberer 06f2477cfd the new iOS configuration profile also is used on OS X 10.10.1, see #261 2014-11-18 16:32:37 +00:00
Joshua Tauberer cdaa2c847d [merge] iOS Mobile Configuration Profile 2014-11-14 13:56:18 +00:00
Joshua Tauberer b04addda9a move the mobileconfig into the conf directory as a plain XML file and handle substitutions and copying to /var in web.sh 2014-11-14 13:52:29 +00:00
Norman 5775cab175 various fixes 2014-11-06 15:33:08 +01:00
David Piggott be9d97902f Disable encapsulation of spam and marking of it as seen 2014-10-28 15:15:21 +00:00
Joshua Tauberer 20c5471a89 expose the ownCloud API, fixes #240, fixes #242 2014-10-28 12:05:07 +00:00
Joshua Tauberer 6585384daa bring the max outgoing mail size via webmail and z-push in line with the limit set in postfix: 128 MB
The limit was previously the nginx default (2MB?).

fixes #236
2014-10-16 22:11:10 +00:00
Joshua Tauberer 8566b78202 drop webfinger, see #95 2014-10-07 20:30:36 +00:00
Joshua Tauberer d9ecc50119 since the management server binds to 127.0.0.1, must use that and not 'localhost' to connect to it because 'localhost' resolves to the IPv6 ::1 when it is available, see #224 2014-10-05 09:01:26 -04:00
h8h ba33669a62 generate the locales before change to it.
For my german box changing the locale failed:
´´´´/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
/bin/sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
setup/functions.sh: line 6: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)´´´´

see #206 and 4e6d572de9
closes #220
commit modified by joshdata
2014-10-02 11:05:42 +00:00
jkaberg 68efef1164 dont log robots.txt and favicon.ico. we should REALLY consider creating seperate include files for *all* of our "apps", this is getting messy.. 2014-09-27 17:04:05 +00:00
Joshua Tauberer 6ecada7eed Merge commit '93a722f' 2014-09-27 16:56:38 +00:00
Joshua Tauberer 39bca053ed add 2048 bits of DH params for nginx, postfix, dovecot
nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own.

ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.)

see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3
2014-09-26 22:09:22 +00:00
Joshua Tauberer 4e6d572de9 ensure Python operates in UTF-8 with a consistent locale for all users
fixes #206 (hopefully)
2014-09-26 08:26:09 -04:00
jkaberg 93a722f85b ownCloud (witch is based on SabreDAV) supports sync 2014-09-10 21:22:56 +02:00
Joshua Tauberer f77f1e656c split CardDAV instrctions into a new page and add CalDAV instructions; create nice redirects at /cloud/calendar and /cloud/contacts 2014-09-03 10:51:19 +00:00
Joshua Tauberer 24ff0e04b1 output/text tweaks 2014-08-27 14:42:00 +00:00
Joshua Tauberer aa3bc3225e expose the control panel only on PRIMARY_HOSTNAME since /admin might conflict with other stuff hosted on other domains 2014-08-27 02:38:43 +00:00
Joshua Tauberer df20d447a9 add an api for setting custom DNS records
Works like this:

```curl -d "" --user email:password https://.../admin/dns/set/qname/rtype/value```

where the rtype and value default to "A" and the remote IP address of the request, so that a simple, empty POST to

```https://.../admin/dns/set/desktop.mydomain.com```

will point desktop.mydomain.com to the caller's IPv4 address.

closes #140
2014-08-23 23:03:45 +00:00
Joshua Tauberer a0b056ae29 put a sterner warning in nginx local.conf about not modifying it 2014-08-23 12:35:59 +00:00
Joshua Tauberer a501256fb9 fix the include path for our second use of z-push 2014-08-19 15:07:55 +00:00
Joshua Tauberer 80a05c3bbf short_open_tag=Off was mistakenly left in the earlier merge (was a fix for my old autodiscover.php but not needed with z-push), also regrouping the nginx directive to be near the rest of Z-Push 2014-08-19 12:07:54 +00:00
Joshua Tauberer b6dd407aa7 z-push autodiscover should use the primary hostname for the mail server and not the domain part of the email address (both may work, but the primary hostname is more likely to have a signed SSL cert) 2014-08-19 11:49:20 +00:00
jkaberg 9a1989357c some makeup 2014-08-19 13:17:13 +02:00
jkaberg a0df18506b use z-push autodisover instead 2014-08-19 13:03:44 +02:00
jkaberg f7d2dfd1c0 xml generation fails when short_open_tag is on 2014-08-19 11:27:50 +02:00
Joshua Tauberer 92acef9b87 fix PHP path for Z-Push so it can see libawl-php
broken in 04454b35c6

fixes #143
2014-08-17 22:53:46 +00:00
Joshua Tauberer b30d7ad80a web-based administrative UI
closes #19
2014-08-17 22:46:06 +00:00
Joshua Tauberer 6e380ade17 owncloud will only let users access it from the PRIMARY_HOSTNAME (due to its trusted_domains option being set statically), so only include /cloud in the nginx configuration for PRIMARY_HOSTNAME 2014-08-16 12:33:10 +00:00
Joshua Tauberer 6fdef379ad owncloud: fix regex in nginx config
/cloud/index.php/apps/files/ajax/scan.php would not be parsed right because of two .php's
2014-08-15 23:17:16 +00:00
Joshua Tauberer 8c9f278166 owncloud: support MOD_X_ACCEL_REDIRECT_ENABLED
This lets downloads from the file app work.
2014-08-15 23:16:54 +00:00
jkaberg 59c1c670b5 x-accel-redirect dosn't need to process files in ownCloud data directory. TODO: fix for autogeneration 2014-08-13 08:10:53 +02:00
jkaberg 7024b428ad increased timeouts so that owncloud properly loads with larger db 2014-08-13 07:30:32 +02:00
Joshua Tauberer d03bc0cefa more owncloud configuration tweaks 2014-08-13 00:30:09 +00:00
Joshua Tauberer 05cc63b5d5 Merge branch 'owncloud' of github.com:jkaberg/mailinabox into owncloud
Conflicts:
	conf/nginx.conf
	setup/zpush.sh
2014-08-12 23:10:51 +00:00
Joshua Tauberer c9bf57eacd Merge branch 'master' into owncloud (php5-fpm) 2014-08-12 13:30:55 +00:00
Joshua Tauberer 9d6dc78b15 keep Roundcube working too, put owncloud at /cloud rather than at / 2014-08-12 13:29:43 +00:00
jkaberg 52c50621cd use x-accel-redirect for faster larg file downloads 2014-08-12 15:11:33 +02:00
jkaberg afb09a84b7 use tools/editconf.py to edit php.ini for large file uploads 2014-08-12 14:00:28 +02:00
Joshua Tauberer cf4f519cc0 zpush/owncloud: inject mail using 'sendmail' not SMTP 2014-08-12 11:18:45 +00:00
Joshua Tauberer 7b81ea1834 simplify zpush configuration files, no need to preserve copyright message 2014-08-12 11:12:10 +00:00
Joshua Tauberer 0eceb2012f use php5-fpm rather than our own custom launcher script for PHP+FastCGI 2014-08-12 11:00:54 +00:00
jkaberg d60abd0f92 bump (php) ram limit to 512MB 2014-08-12 09:11:55 +02:00
jkaberg 21d59862de typo 2014-08-12 00:49:33 +02:00
jkaberg 0bb257db2a forgot to commit 2014-08-12 00:32:56 +02:00
jkaberg ecfabd2dad use smtp for z-push 2014-08-12 00:32:16 +02:00
jkaberg 7f01146c3d enable large file uploads in nginx 2014-08-11 23:51:24 +02:00
jkaberg 54fe92615b include php-libawl and cleanup 2014-08-11 23:43:16 +02:00
jkaberg 64b1db4c30 include_path to include php-libawl and use php-fpm instead of cgi 2014-08-11 23:41:38 +02:00
jkaberg 44fcdc2066 owncloud properly working, but not in sub dir anymore 2014-08-11 20:17:38 +02:00
jkaberg b5928de740 use subdir 2014-08-11 19:43:27 +02:00
jkaberg a80c076d8f safe apphroach, sid dosnt like special characters like % 2014-08-11 19:42:52 +02:00
jkaberg d53cb88a92 update z-push with carddav and caldav support 2014-08-11 19:08:02 +02:00
jkaberg 20b494c3ac attempting to fix broken static files etc 2014-08-11 18:46:39 +02:00
jkaberg a801bf2a30 white spaces argh. 2014-08-11 16:30:39 +02:00
jkaberg 0899952fe1 initial owncloud port, untested and unfinished 2014-08-11 16:24:29 +02:00
Joshua Tauberer 2a7669a0d3 z-push: an Exchange ActiveSync server 2014-07-12 00:02:32 +00:00
Joshua Tauberer 85bd2c8804 use the Dovecot managesieve service to manage sieve scripts
This lets roundcube's manageseive plugin do cool things like vacation responses.

Also:

* Run the spam filtering sieve script out of a global sieve file that we'll place in /etc/dovecot. It is no longer necessary to create per-user sieve files for this. Remove them with a new migration. Remove the code that created them.

* Corrects the spam script. Backslashes were double-escaped probably because this script started embedded within the bash script. Not sure how this was working until now.

this adapts work by @h8h in #103
2014-07-10 23:09:07 +00:00
Joshua Tauberer 1a74b81f44 new nginx configuration yaml file to allow proxying of whole domains elsewhere 2014-07-09 12:31:32 +00:00
Joshua Tauberer 3bab63d4ce update to Roundcube 1.0.1 2014-07-08 00:37:53 +00:00
Joshua Tauberer 430b2dec11 update default www page to link to the website, fixes #96 2014-07-07 07:07:54 -04:00
Joshua Tauberer 49d5561933 when adding/removing mail addresses also update nginx's config 2014-07-06 12:16:50 +00:00
Joshua Tauberer 326cc2a451 obviously put our stuff in /usr/local and not /usr 2014-06-21 12:35:00 -04:00
Joshua Tauberer 85169dc960 preliminary support for webfinger
It just echos back the subject given to it.
2014-06-20 01:55:16 +00:00
Joshua Tauberer 5faa1cae71 manage the nginx conf in the management daemon too so we can have nginx operate on all domains that we serve mail for 2014-06-20 01:55:12 +00:00
Joshua Tauberer cd1802fecc Filter privacy-sensitive headers on outgoing mail
This re-implements part of PR #69 by @mkropat, who wrote:

By default, Postfix adds a Received header — on all mail that you send —
that lists the IP of the device you sent the mail from.  This feature is
great if you're a mail provider and you need to debug why one user is
having sending issues.  This feature is not so great if you run your own
mail server and you don't want every recipient of every email you send
to know the device and IP you sent the email from.

To limit this filtering to outgoing mail only, we apply the filters just
to the submission port.  See these guides [1] [2] for more context.

  [1] http://askubuntu.com/a/78168/11259
  [2] http://www.void.gr/kargig/blog/2013/11/24/anonymize-headers-in-postfix/
2014-06-08 18:35:09 -04:00