securely update to a newer version by verifying the signed git tag prior to checkout

CHANGELOG.md

@@ -1,15 +1,15 @@
 CHANGELOG
 =========
 
-v0.09 (May 8, 2015)
--------------------
+In Development
+--------------
 
 Mail:
 
 * Spam checking is now performed on messages larger than the previous limit of 64KB.
 * POP3S is now enabled (port 995).
-* Roundcube is updated to version 1.1.1.
-* Minor security improvements (more mail headers with user agent info are anonymized; crypto settings were tightened).
+* Roundcube updated to version 1.1.1.
+* More mail headers with user agent info are anonymized.
 
 ownCloud:
 
@@ -20,7 +20,6 @@ DNS:
 * Internationalized Domain Names (IDNs) should now work in email. If you had custom DNS or custom web settings for internationalized domains, check that they are still working.
 * It is now possible to set multiple TXT and other types of records on the same domain in the control panel.
 * The custom DNS API was completely rewritten to support setting multiple records of the same type on a domain. Any existing client code using the DNS API will have to be rewritten. (Existing code will just get 404s back.)
-* On some systems the `nsd` service failed to start if network inferfaces were not ready.
 
 System / Control Panel:
 

keys/joshdata.asc

@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQENBFN+hN4BCADARMfTK/kDWNz5tFVXXrLfY0QSF9CBO4+vor3MVUmq5ygMcyq4
+NX1FVDKoruzCo5hI/91o1QZuer5oZ716TACg46XivdgL66Y7rMZL5rVDmUKuDWit
+tpVrL0Gaw6xsu7/ZloFDyHI5yUvB1cdGe4HYZY1Xn/2CE0YJaXxO2JjkTNWSiutx
+LA0RV08nPeaiAt1KcCa2tO7RkG51uC0O3O67xr6xz6/q95Q2DBJpLYpoh+6yIoEY
+L736peHQKZfcFfCOPQKpxKW+SEsUTvJ8qzQipGYpugiGGhDHzXBYKJk1V77BbWAP
+3x4Ubj4UWFB54yhgPrBgvQajvoB08mzZEnopABEBAAG0IEpvc2h1YSBUYXViZXJl
+ciA8anRAb2NjYW1zLmluZm8+iQE5BBMBAgAjBQJTfoTeAhsDBwsJCAcDAgEGFQgC
+CQoLBBYCAwECHgECF4AACgkQuSBB9MEL3YFFOQgAkDfptbzC9Lq4zstIfUPl4by/
+NeoCpsYahaNwWLYiDpQEUZIOsJO1Qi2IFll4tXAyDTGAXYZCbf4+v1lzVyN49h5j
+70BuajISI6dcAb1IEZzIXx0vV1rMuu0iNYdwhFNi8KrP5iR3BHwZZ5Lql1UdkJNT
+xVrz4cmr5jPGdFRizD9MXrI4bvt+pSOeykJasuTeH7a3uHBMPyydAivtbNRbo+Zn
+IgV25FUADSFt6xD9AKfq6wLxN+P8P6PE/jZWDv9W4KtR5TqAhCq7D7Yvk8aJXubN
+P2xfjFl6TXa5bcuHuldkmx5lacpag2HSmivIT261W3pIVC3lrkxB8T6rdux8ErkB
+DQRTfoTeAQgAn5ijmVJtxPGvbdcaCsYD3+fCnAKNEdAJtJcy/e/lowKeEiIJZ9qV
+ATFIFmIG9VZunZ7nD5F/4KMj6ht0JTXuY458VjK9jO1bPU2YM7Xo7zjJi8bFI0B/
+2ya95M7polLUF/lhKHKUuxxANAW4guLahe5JotUnoRycxQkKWBhTF5VdayucSAZG
+XlmSBUjIGjHbmTI50dAMQZffNOIvDIkpeCEQjPVRObCvr18xKDHhBaEJhd+wfA2T
+6N4fMlwBgfeR1zdFrGt2SshVc28YvaoccWmP1xn6w/30J25swadeuDYZFckXjVv7
+HPLtvyzuNdf7pI0A9rnlGF5rNt6yKSqeiQARAQABiQEfBBgBAgAJBQJTfoTeAhsM
+AAoJELkgQfTBC92B0rAH/0hSoHcB5WIn4GLTz0D0wWQ6Y2wKDixOBGvH+S9aroSc
+0bKud7VphpFm/4CKWOZ0sphsnmRZ2Dsk/3996pXjLL5T1HWgAkltYmTdWEg9BiEj
+PlbcImF95tILJ7GC0QrXipUx+ktLayiT5LjcbZiYCGaWVdJM2hVdOLdHhh84dqNX
+xautvI8RDFI1lN0RdyFA5CQAvIWOSTLC1QdLAgkCf7+uQGwUo2ubgapPWptRJYk8
+rZuw6+Vi3NETYO0ExDxTFmVKRlMidsE0azMeY6JYpKb9jewKngfxa6oUSaygrhxQ
+9gESPA2XZUvx/3PWBAMskBZxjOH/Lhabls0AUxaOYf0=
+=SHsx
+-----END PGP PUBLIC KEY BLOCK-----

setup/bootstrap.sh

@@ -1,13 +1,16 @@
 #!/bin/bash
-#########################################################
-# This script is intended to be run like this:
+################################################################
+#
+# This script is posted on HTTPS to make first-time installation
+# super simple. Download and pipe to bash, e.g.:
 #
 #   curl https://.../bootstrap.sh | sudo bash
 #
-#########################################################
+################################################################
 
+# What is the current version?
 if [ -z "$TAG" ]; then
-	TAG=v0.09
+	TAG=v0.08
 fi
 
 # Are we running as root?
@@ -35,17 +38,6 @@ fi
 # Change directory to it.
 cd $HOME/mailinabox
 
-# Update it.
-if [ "$TAG" != `git describe` ]; then
-	echo Updating Mail-in-a-Box to $TAG . . .
-	git fetch --depth 1 --force --prune origin tag $TAG
-	if ! git checkout -q $TAG; then
-		echo "Update failed. Did you modify something in `pwd`?"
-		exit
-	fi
-	echo
-fi
-
-# Start setup script.
-setup/start.sh
+# Run the upgrade script, which in turn runs the setup script.
+setup/upgrade.sh $TAG
 

setup/mail-postfix.sh

@@ -65,8 +65,6 @@ tools/editconf.py /etc/postfix/main.cf \
 # * Do not add the OpenDMAC Authentication-Results header. That should only be added
 #   on incoming mail. Omit the OpenDMARC milter by re-setting smtpd_milters to the
 #   OpenDKIM milter only. See dkim.sh.
-# * Even though we dont allow auth over non-TLS connections (smtpd_tls_auth_only below, and without auth the client cant
-#   send outbound mail), don't allow non-TLS mail submission on this port anyway to prevent accidental misconfiguration.
 # * Require the best ciphers for incoming connections per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
 #   By putting this setting here we leave opportunistic TLS on incoming mail at default cipher settings (any cipher is better than none).
 # * Give it a different name in syslog to distinguish it from the port 25 smtpd server.
@@ -77,8 +75,7 @@ tools/editconf.py /etc/postfix/master.cf -s -w \
 	"submission=inet n       -       -       -       -       smtpd
 	  -o syslog_name=postfix/submission
 	  -o smtpd_milters=inet:127.0.0.1:8891
-	  -o smtpd_tls_security_level=encrypt
-	  -o smtpd_tls_ciphers=high -o smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 -o smtpd_tls_protocols=!SSLv2,!SSLv3
+	  -o smtpd_tls_ciphers=high -o smtpd_tls_protocols=!SSLv2,!SSLv3
 	  -o cleanup_service_name=authclean" \
 	"authclean=unix  n       -       -       -       0       cleanup
 	  -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters"
@@ -97,8 +94,6 @@ tools/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
 	smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
 	smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
-	smtpd_tls_ciphers=medium \
-	smtpd_tls_exclude_ciphers=aNULL \
 	smtpd_tls_received_header=yes
 
 # Prevent non-authenticated users from sending mail that requires being

setup/system.sh

@@ -20,13 +20,14 @@ apt_get_quiet upgrade
 # * cron: Runs background processes periodically.
 # * ntp: keeps the system time correct
 # * fail2ban: scans log files for repeated failed login attempts and blocks the remote IP at the firewall
+# * gpg: used by upgrade.sh to verify the Mail-in-a-Box tag signature, also by duplicity to make backups
 # * git: we install some things directly from github
 # * sudo: allows privileged users to execute commands as root without being root
 # * coreutils: includes `nproc` tool to report number of processors
 # * bc: allows us to do math to compute sane defaults
 
 apt_install python3 python3-dev python3-pip \
-	wget curl git sudo coreutils bc \
+	wget curl gpg git sudo coreutils bc \
 	haveged unattended-upgrades cron ntp fail2ban
 
 # Allow apt to install system updates automatically every day.

setup/upgrade.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+# Updates an existing Mail-in-a-Box installation to a newer tag.
+################################################################
+
+# Are we running as root?
+if [[ $EUID -ne 0 ]]; then
+	echo "This script must be run as root. Did you leave out sudo?"
+	exit
+fi
+
+# Was a tag specified on the command line?
+TAG=$1
+if [ -z "$TAG" ]; then
+	echo "Usage: setup/upgrade.sh TAGNAME"
+	exit 1
+fi
+
+# Is Mail-in-a-Box already installed?
+if [ ! -d $HOME/mailinabox ]; then
+	echo Could not find your Mail-in-a-Box installation at $HOME/mailinabox.
+	exit 1
+fi
+
+# Change directory to it.
+cd $HOME/mailinabox
+
+# Are we on that tag?
+if [ "$TAG" == `git describe` ]; then
+	echo "You already have Mail-in-a-Box $TAG. Run"
+	echo "  sudo setup/start.sh"
+	echo "if there are any problems."
+	exit 1
+fi
+
+# Fetch that tag.
+# bootstrap.sh script makes a shallow clone of our repository,
+# which makes the download faster, but it also makes it harder
+# to switch to a different tag. This magic combination of options
+# to git seems to do the trick.
+echo Updating Mail-in-a-Box to $TAG . . .
+git fetch --depth 1 --force --prune origin tag $TAG
+
+# Check that the tag exists and we're moving to a later version, not backwards.
+CUR_VER_TIMESTAMP=$(git show -s --format="%ct") # commit time of HEAD
+NEW_VER_TIMESTAMP=$(git show -s --format="%ct" $TAG^{tag}^{commit}) # commit time of the commit that the tag tags
+if [ -z "$NEW_VER_TIMESTAMP" ]; then echo "$TAG is not a version of Mail-in-a-Box."; exit 1; fi
+if [ $CUR_VER_TIMESTAMP -gt $NEW_VER_TIMESTAMP ]; then
+	echo -n "$TAG is older than the version you currently have installed: "
+	git describe
+	exit 1
+fi
+
+# Set up a temporary GPG keyring specifically for holding the
+# Mail-in-a-Box maintainer's signing key. Load the keys found
+# in the Mail-in-a-Box installation path. These keys are trusted
+# in so far as the user has already gotten them. On first installs,
+# we just bootstrap by assuming whatever is in github is good.
+KEYRING=/tmp/miab-upgrade-keyring
+rm -rf $KEYRING
+mkdir -p $KEYRING
+for key in `find keys/ -type f`; do
+	GNUPGHOME=$KEYRING gpg --import $key
+done
+
+# Prior to checking out the tag, verify that it was signed by a
+# known key. gpg will return a success exit code if the tag is
+# signed by any key known to gpg, whether trusted or not, which
+# is why we establish a separate keyring for this purpose.
+if ! GNUPGHOME=$KEYRING git verify-tag $TAG 2>&1 > /dev/null; then
+	echo "$TAG was not signed by the Mail-in-a-Box authors. This could"
+	echo "indicate the github repository has been compromised. Check"
+	echo "https://twitter.com/mailinabox and https://mailinabox.email/"
+	echo "for further instructions, although keep in mind that those"
+	echo "resources could be compromised as well."
+	exit 1
+fi
+
+# Clean up.
+rm -rf $KEYRING
+
+# Checkout the tag.
+if ! git checkout -q $TAG; then
+	echo "Update failed. Did you modify something in `pwd`?"
+	exit
+fi
+
+# Start setup script.
+setup/start.sh