v0.09

=====

May 8, 2015

Mail:

* Spam checking is now performed on messages larger than the previous limit of 64KB.
* POP3S is now enabled (port 995).
* Roundcube is updated to version 1.1.1.
* Minor security improvements (more mail headers with user agent info are anonymized; crypto settings were tightened).

ownCloud:

* Downloading files you uploaded to ownCloud broke because of a change in ownCloud 8.

DNS:

* Internationalized Domain Names (IDNs) should now work in email. If you had custom DNS or custom web settings for internationalized domains, check that they are still working.
* It is now possible to set multiple TXT and other types of records on the same domain in the control panel.
* The custom DNS API was completely rewritten to support setting multiple records of the same type on a domain. Any existing client code using the DNS API will have to be rewritten. (Existing code will just get 404s back.)
* On some systems the `nsd` service failed to start if network inferfaces were not ready.

System / Control Panel:

* In order to guard against misconfiguration that can lead to domain control validation hijacking, email addresses that begin with admin, administrator, postmaster, hostmaster, and webmaster can no longer be used for (new) mail user accounts, and aliases for these addresses may direct mail only to the box's administrator(s).
* Backups now use duplicity's built-in gpg symmetric AES256 encryption rather than my home-brewed encryption. Old backups will be incorporated inside the first backup after this update but then deleted from disk (i.e. your backups from the previous few days will be backed up).
* There was a race condition between backups and the new nightly status checks.
* The control panel would sometimes lock up with an unnecessary loading indicator.
* You can no longer delete your own account from the control panel.

Setup:

* All Mail-in-a-Box release tags are now signed on github, instructions for verifying the signature are added to the README, and the integrity of some packages downloaded during setup is now verified against a SHA1 hash stored in the tag itself.
* Bugs in first user account creation were fixed.

CHANGELOG.md

@@ -1,15 +1,15 @@
 CHANGELOG
 =========
 
-In Development
+v0.09 (May 8, 2015)
---------------
+-------------------
 
 Mail:
 
 * Spam checking is now performed on messages larger than the previous limit of 64KB.
 * POP3S is now enabled (port 995).
-* Roundcube updated to version 1.1.1.
+* Roundcube is updated to version 1.1.1.
-* More mail headers with user agent info are anonymized.
+* Minor security improvements (more mail headers with user agent info are anonymized; crypto settings were tightened).
 
 ownCloud:
 
@@ -20,6 +20,7 @@ DNS:
 * Internationalized Domain Names (IDNs) should now work in email. If you had custom DNS or custom web settings for internationalized domains, check that they are still working.
 * It is now possible to set multiple TXT and other types of records on the same domain in the control panel.
 * The custom DNS API was completely rewritten to support setting multiple records of the same type on a domain. Any existing client code using the DNS API will have to be rewritten. (Existing code will just get 404s back.)
+* On some systems the `nsd` service failed to start if network inferfaces were not ready.
 
 System / Control Panel:
 

keys/joshdata.asc

@@ -1,30 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1
-
-mQENBFN+hN4BCADARMfTK/kDWNz5tFVXXrLfY0QSF9CBO4+vor3MVUmq5ygMcyq4
-NX1FVDKoruzCo5hI/91o1QZuer5oZ716TACg46XivdgL66Y7rMZL5rVDmUKuDWit
-tpVrL0Gaw6xsu7/ZloFDyHI5yUvB1cdGe4HYZY1Xn/2CE0YJaXxO2JjkTNWSiutx
-LA0RV08nPeaiAt1KcCa2tO7RkG51uC0O3O67xr6xz6/q95Q2DBJpLYpoh+6yIoEY
-L736peHQKZfcFfCOPQKpxKW+SEsUTvJ8qzQipGYpugiGGhDHzXBYKJk1V77BbWAP
-3x4Ubj4UWFB54yhgPrBgvQajvoB08mzZEnopABEBAAG0IEpvc2h1YSBUYXViZXJl
-ciA8anRAb2NjYW1zLmluZm8+iQE5BBMBAgAjBQJTfoTeAhsDBwsJCAcDAgEGFQgC
-CQoLBBYCAwECHgECF4AACgkQuSBB9MEL3YFFOQgAkDfptbzC9Lq4zstIfUPl4by/
-NeoCpsYahaNwWLYiDpQEUZIOsJO1Qi2IFll4tXAyDTGAXYZCbf4+v1lzVyN49h5j
-70BuajISI6dcAb1IEZzIXx0vV1rMuu0iNYdwhFNi8KrP5iR3BHwZZ5Lql1UdkJNT
-xVrz4cmr5jPGdFRizD9MXrI4bvt+pSOeykJasuTeH7a3uHBMPyydAivtbNRbo+Zn
-IgV25FUADSFt6xD9AKfq6wLxN+P8P6PE/jZWDv9W4KtR5TqAhCq7D7Yvk8aJXubN
-P2xfjFl6TXa5bcuHuldkmx5lacpag2HSmivIT261W3pIVC3lrkxB8T6rdux8ErkB
-DQRTfoTeAQgAn5ijmVJtxPGvbdcaCsYD3+fCnAKNEdAJtJcy/e/lowKeEiIJZ9qV
-ATFIFmIG9VZunZ7nD5F/4KMj6ht0JTXuY458VjK9jO1bPU2YM7Xo7zjJi8bFI0B/
-2ya95M7polLUF/lhKHKUuxxANAW4guLahe5JotUnoRycxQkKWBhTF5VdayucSAZG
-XlmSBUjIGjHbmTI50dAMQZffNOIvDIkpeCEQjPVRObCvr18xKDHhBaEJhd+wfA2T
-6N4fMlwBgfeR1zdFrGt2SshVc28YvaoccWmP1xn6w/30J25swadeuDYZFckXjVv7
-HPLtvyzuNdf7pI0A9rnlGF5rNt6yKSqeiQARAQABiQEfBBgBAgAJBQJTfoTeAhsM
-AAoJELkgQfTBC92B0rAH/0hSoHcB5WIn4GLTz0D0wWQ6Y2wKDixOBGvH+S9aroSc
-0bKud7VphpFm/4CKWOZ0sphsnmRZ2Dsk/3996pXjLL5T1HWgAkltYmTdWEg9BiEj
-PlbcImF95tILJ7GC0QrXipUx+ktLayiT5LjcbZiYCGaWVdJM2hVdOLdHhh84dqNX
-xautvI8RDFI1lN0RdyFA5CQAvIWOSTLC1QdLAgkCf7+uQGwUo2ubgapPWptRJYk8
-rZuw6+Vi3NETYO0ExDxTFmVKRlMidsE0azMeY6JYpKb9jewKngfxa6oUSaygrhxQ
-9gESPA2XZUvx/3PWBAMskBZxjOH/Lhabls0AUxaOYf0=
-=SHsx
------END PGP PUBLIC KEY BLOCK-----

setup/bootstrap.sh

@@ -1,16 +1,13 @@
 #!/bin/bash
-################################################################
+#########################################################
-#
+# This script is intended to be run like this:
-# This script is posted on HTTPS to make first-time installation
-# super simple. Download and pipe to bash, e.g.:
 #
 #   curl https://.../bootstrap.sh | sudo bash
 #
-################################################################
+#########################################################
 
-# What is the current version?
 if [ -z "$TAG" ]; then
-	TAG=v0.08
+	TAG=v0.09
 fi
 
 # Are we running as root?
@@ -38,6 +35,17 @@ fi
 # Change directory to it.
 cd $HOME/mailinabox
 
-# Run the upgrade script, which in turn runs the setup script.
+# Update it.
-setup/upgrade.sh $TAG
+if [ "$TAG" != `git describe` ]; then
+	echo Updating Mail-in-a-Box to $TAG . . .
+	git fetch --depth 1 --force --prune origin tag $TAG
+	if ! git checkout -q $TAG; then
+		echo "Update failed. Did you modify something in `pwd`?"
+		exit
+	fi
+	echo
+fi
+
+# Start setup script.
+setup/start.sh
 

setup/mail-postfix.sh

@@ -65,6 +65,8 @@ tools/editconf.py /etc/postfix/main.cf \
 # * Do not add the OpenDMAC Authentication-Results header. That should only be added
 #   on incoming mail. Omit the OpenDMARC milter by re-setting smtpd_milters to the
 #   OpenDKIM milter only. See dkim.sh.
+# * Even though we dont allow auth over non-TLS connections (smtpd_tls_auth_only below, and without auth the client cant
+#   send outbound mail), don't allow non-TLS mail submission on this port anyway to prevent accidental misconfiguration.
 # * Require the best ciphers for incoming connections per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
 #   By putting this setting here we leave opportunistic TLS on incoming mail at default cipher settings (any cipher is better than none).
 # * Give it a different name in syslog to distinguish it from the port 25 smtpd server.
@@ -75,7 +77,8 @@ tools/editconf.py /etc/postfix/master.cf -s -w \
 	"submission=inet n       -       -       -       -       smtpd
 	  -o syslog_name=postfix/submission
 	  -o smtpd_milters=inet:127.0.0.1:8891
-	  -o smtpd_tls_ciphers=high -o smtpd_tls_protocols=!SSLv2,!SSLv3
+	  -o smtpd_tls_security_level=encrypt
+	  -o smtpd_tls_ciphers=high -o smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 -o smtpd_tls_protocols=!SSLv2,!SSLv3
 	  -o cleanup_service_name=authclean" \
 	"authclean=unix  n       -       -       -       0       cleanup
 	  -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters"
@@ -94,6 +97,8 @@ tools/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
 	smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
 	smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
+	smtpd_tls_ciphers=medium \
+	smtpd_tls_exclude_ciphers=aNULL \
 	smtpd_tls_received_header=yes
 
 # Prevent non-authenticated users from sending mail that requires being

setup/system.sh

@@ -20,14 +20,13 @@ apt_get_quiet upgrade
 # * cron: Runs background processes periodically.
 # * ntp: keeps the system time correct
 # * fail2ban: scans log files for repeated failed login attempts and blocks the remote IP at the firewall
-# * gpg: used by upgrade.sh to verify the Mail-in-a-Box tag signature, also by duplicity to make backups
 # * git: we install some things directly from github
 # * sudo: allows privileged users to execute commands as root without being root
 # * coreutils: includes `nproc` tool to report number of processors
 # * bc: allows us to do math to compute sane defaults
 
 apt_install python3 python3-dev python3-pip \
-	wget curl gpg git sudo coreutils bc \
+	wget curl git sudo coreutils bc \
 	haveged unattended-upgrades cron ntp fail2ban
 
 # Allow apt to install system updates automatically every day.

setup/upgrade.sh

@@ -1,88 +0,0 @@
-#!/bin/bash
-# Updates an existing Mail-in-a-Box installation to a newer tag.
-################################################################
-
-# Are we running as root?
-if [[ $EUID -ne 0 ]]; then
-	echo "This script must be run as root. Did you leave out sudo?"
-	exit
-fi
-
-# Was a tag specified on the command line?
-TAG=$1
-if [ -z "$TAG" ]; then
-	echo "Usage: setup/upgrade.sh TAGNAME"
-	exit 1
-fi
-
-# Is Mail-in-a-Box already installed?
-if [ ! -d $HOME/mailinabox ]; then
-	echo Could not find your Mail-in-a-Box installation at $HOME/mailinabox.
-	exit 1
-fi
-
-# Change directory to it.
-cd $HOME/mailinabox
-
-# Are we on that tag?
-if [ "$TAG" == `git describe` ]; then
-	echo "You already have Mail-in-a-Box $TAG. Run"
-	echo "  sudo setup/start.sh"
-	echo "if there are any problems."
-	exit 1
-fi
-
-# Fetch that tag.
-# bootstrap.sh script makes a shallow clone of our repository,
-# which makes the download faster, but it also makes it harder
-# to switch to a different tag. This magic combination of options
-# to git seems to do the trick.
-echo Updating Mail-in-a-Box to $TAG . . .
-git fetch --depth 1 --force --prune origin tag $TAG
-
-# Check that the tag exists and we're moving to a later version, not backwards.
-CUR_VER_TIMESTAMP=$(git show -s --format="%ct") # commit time of HEAD
-NEW_VER_TIMESTAMP=$(git show -s --format="%ct" $TAG^{tag}^{commit}) # commit time of the commit that the tag tags
-if [ -z "$NEW_VER_TIMESTAMP" ]; then echo "$TAG is not a version of Mail-in-a-Box."; exit 1; fi
-if [ $CUR_VER_TIMESTAMP -gt $NEW_VER_TIMESTAMP ]; then
-	echo -n "$TAG is older than the version you currently have installed: "
-	git describe
-	exit 1
-fi
-
-# Set up a temporary GPG keyring specifically for holding the
-# Mail-in-a-Box maintainer's signing key. Load the keys found
-# in the Mail-in-a-Box installation path. These keys are trusted
-# in so far as the user has already gotten them. On first installs,
-# we just bootstrap by assuming whatever is in github is good.
-KEYRING=/tmp/miab-upgrade-keyring
-rm -rf $KEYRING
-mkdir -p $KEYRING
-for key in `find keys/ -type f`; do
-	GNUPGHOME=$KEYRING gpg --import $key
-done
-
-# Prior to checking out the tag, verify that it was signed by a
-# known key. gpg will return a success exit code if the tag is
-# signed by any key known to gpg, whether trusted or not, which
-# is why we establish a separate keyring for this purpose.
-if ! GNUPGHOME=$KEYRING git verify-tag $TAG 2>&1 > /dev/null; then
-	echo "$TAG was not signed by the Mail-in-a-Box authors. This could"
-	echo "indicate the github repository has been compromised. Check"
-	echo "https://twitter.com/mailinabox and https://mailinabox.email/"
-	echo "for further instructions, although keep in mind that those"
-	echo "resources could be compromised as well."
-	exit 1
-fi
-
-# Clean up.
-rm -rf $KEYRING
-
-# Checkout the tag.
-if ! git checkout -q $TAG; then
-	echo "Update failed. Did you modify something in `pwd`?"
-	exit
-fi
-
-# Start setup script.
-setup/start.sh