v0.27

Our wget_verify function uses wget to download a file and then check
the file's hash. If wget fails, i.e. because of a 404 or other HTTP
or network error, we exited setup without displaying any output because
normally there are no errors and -q keeps the setup output clean.

Wrapping wget with our hide_output function, and dropping -q, captures
wget's output and shows it and exits setup just if wget fails.

see #1297

CHANGELOG.md

@@ -1,6 +1,128 @@
 CHANGELOG
 =========
 
+v0.27 (June 14, 2018)
+---------------------
+
+* A report of box activity, including sent/received mail totals and logins by user, is now emailed to the box's administrator user each week.
+* Update Roundcube to version 1.3.6 and Z-Push to version 2.3.9.
+* The undocumented feature for proxying web requests to another server now sets X-Forwarded-For.
+
+v0.26c (February 13, 2018)
+--------------------------
+
+Setup:
+
+* Upgrades from v0.21c (February 1, 2017) or earlier were broken because the intermediate versions of ownCloud used in setup were no longer available from ownCloud.
+* Some download errors had no output --- there is more output on error now.
+
+Control Panel:
+
+* The background service for the control panel was not restarting on updates, leaving the old version running. This was broken in v0.26 and is now fixed.
+* Installing your own TLS/SSL certificate had been broken since v0.24 because the new version of openssl became stricter about CSR generation parameters.
+* Fixed password length help text.
+
+Contacts/Calendar:
+
+* Upgraded Nextcloud from 12.0.3 to 12.0.5.
+
+v0.26b (January 25, 2018)
+-------------------------
+
+* Fix new installations which broke at the step of asking for the user's desired email address, which was broken by v0.26's changes related to the control panel.
+* Fix the provisioning of TLS certificates by pinning a Python package we rely on (acme) to an earlier version because our code isn't yet compatible with its current version.
+* Reduce munin's log_level from debug to warning to prevent massive log files.
+
+v0.26 (January 18, 2018)
+------------------------
+
+Security:
+
+* HTTPS, IMAP, and POP's TLS settings have been updated to Mozilla's intermediate cipher list recommendation. Some extremely old devices that use less secure TLS ciphers may no longer be able to connect to IMAP/POP.
+* Updated web HSTS header to use longer six month duration.
+
+Mail:
+
+* Adding attachments in Roundcube broke after the last update for some users after rebooting because a temporary directory was deleted on reboot. The temporary directory is now moved from /tmp to /var so that it is persistent.
+* `X-Spam-Score` header is added to incoming mail.
+
+Control panel:
+
+* RSASHA256 is now used for DNSSEC for .lv domains.
+* Some documentation/links improvements.
+
+Installer:
+
+* We now run `apt-get autoremove` at the start of setup to clear out old packages, especially old kernels that take up a lot of space. On the first run, this step may take a long time.
+* We now fetch Z-Push from its tagged git repository, fixing an installation problem.
+* Some old PHP5 packages are removed from setup, fixing an installation bug where Apache would get installed.
+* Python 3 packages for the control panel are now installed using a virtualenv to prevent installation errors due to conflicts in the cryptography/openssl packages between OS-installed packages and pip-installed packages.
+
+v0.25 (November 15, 2017)
+-------------------------
+
+This update is a security update addressing [CVE-2017-16651, a vulnerability in Roundcube webmail that allows logged-in users to access files on the local filesystem](https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10).
+
+Mail:
+
+* Update to Roundcube 1.3.3.
+
+Control Panel:
+
+* Allow custom DNS records to be set for DNS wildcard subdomains (i.e. `*`).
+
+v0.24 (October 3, 2017)
+-----------------------
+
+System:
+
+* Install PHP7 via a PPA. Switch to the on-demand process manager.
+
+Mail:
+
+* Updated to [Roundcube 1.3.1](https://roundcube.net/news/2017/06/26/roundcube-webmail-1.3.0-released), but unfortunately dropping the Vacation plugin because it has not been supported by its author and is not compatible with Roundcube 1.3, and updated the persistent login plugin.
+* Updated to [Z-Push 2.3.8](http://download.z-push.org/final/2.3/z-push-2.3.8.txt).
+* Dovecot now uses stronger 2048 bit DH params for better forward secrecy.
+
+Nextcloud:
+
+* Nextcloud updated to 12.0.3, using PHP7.
+
+Control Panel:
+
+* Nameserver (NS) records can now be set on custom domains.
+* Fix an erroneous status check error due to IPv6 address formatting.
+* Aliases for administrative addresses can now be set to send mail to +tag administrative addresses.
+
+v0.23a (May 31, 2017)
+---------------------
+
+Corrects a problem in the new way third-party assets are downloaded during setup for the control panel, since v0.23.
+
+v0.23 (May 30, 2017)
+--------------------
+
+Mail:
+
+* The default theme for Roundcube was changed to the nicer Larry theme.
+* Exchange/ActiveSync support has been replaced with z-push 2.3.6 from z-push.org (rather than z-push-contrib).
+
+ownCloud (now Nextcloud):
+
+* ownCloud is replaced with Nextcloud 10.0.5.
+* Fixed an error in Owncloud/Nextcloud setup not updating domain when changing hostname.
+
+Control Panel/Management:
+
+* Fix an error in the control panel showing rsync backup status.
+* Fix an error in the control panel related to IPv6 addresses.
+* TLS certificates for internationalized domain names can now be provisioned from Let's Encrypt automatically.
+* Third-party assets used in the control panel (jQuery/Bootstrap) are now downloaded during setup and served from the box rather than from a CDN.
+
+DNS:
+
+* Add support for custom CAA records.
+
 v0.22 (April 2, 2017)
 ---------------------
 
@@ -142,7 +264,7 @@ v0.18 (May 15, 2016)
 
 ownCloud:
 
-* Updated to ownCloud to 8.2.3 
+* Updated to ownCloud to 8.2.3
 
 Mail:
 

CONTRIBUTING.md

@@ -1,3 +1,50 @@
+# Contributing
+
+Mail-in-a-Box is an open source project. Your contributions and pull requests are welcome.
+
+## Development
+
+To start developing Mail-in-a-Box, [clone the repository](https://github.com/mail-in-a-box/mailinabox) and familiarize yourself with the code.
+
+    $ git clone https://github.com/mail-in-a-box/mailinabox
+
+### Vagrant and VirtualBox
+
+We recommend you use [Vagrant](https://www.vagrantup.com/intro/getting-started/install.html) and [VirtualBox](https://www.virtualbox.org/wiki/Downloads) for development. Please install them first.
+
+With Vagrant set up, the following should boot up Mail-in-a-Box inside a virtual machine:
+
+    $ vagrant up --provision
+
+_If you're seeing an error message about your *IP address being listed in the Spamhaus Block List*, simply uncomment the `export SKIP_NETWORK_CHECKS=1` line in `Vagrantfile`. It's normal, you're probably using a dynamic IP address assigned by your Internet provider–they're almost all listed._
+
+### Modifying your `hosts` file
+
+After a while, Mail-in-a-Box will be available at `192.168.50.4` (unless you changed that in your `Vagrantfile`). To be able to use the web-based bits, we recommend to add a hostname to your `hosts` file:
+
+    $ echo "192.168.50.4 mailinabox.lan" | sudo tee -a /etc/hosts
+
+You should now be able to navigate to https://mailinabox.lan/admin using your browser. There should be an initial admin user with the name `me@mailinabox.lan` and the password `12345678`.
+
+### Making changes
+
+Your working copy of Mail-in-a-Box will be mounted inside your VM at `/vagrant`. Any change you make locally will appear inside your VM automatically.
+
+Running `vagrant up --provision` again will repeat the installation with your modifications.
+
+Alternatively, you can also ssh into the VM using:
+
+    $ vagrant ssh
+
+Once inside the VM, you can re-run individual parts of the setup like in this example:
+
+    vm$ cd /vagrant
+    vm$ sudo setup/owncloud.sh # replace with script you'd like to re-run
+
+### Tests
+
+Mail-in-a-Box needs more tests. If you're still looking for a way to help out, writing and contributing tests would be a great start!
+
 ## Public domain
 
 This project is in the public domain. Copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication][CC0]. See the LICENSE file in this directory.

README.md

@@ -28,7 +28,7 @@ It is a one-click email appliance. There are no user-configurable setup options.
 
 The components installed are:
 
-* SMTP ([postfix](http://www.postfix.org/)), IMAP ([dovecot](http://dovecot.org/)), CardDAV/CalDAV ([ownCloud](https://owncloud.org/)), Exchange ActiveSync ([z-push](https://github.com/fmbiete/Z-Push-contrib))
+* SMTP ([postfix](http://www.postfix.org/)), IMAP ([dovecot](http://dovecot.org/)), CardDAV/CalDAV ([Nextcloud](https://nextcloud.com/)), Exchange ActiveSync ([z-push](http://z-push.org/))
 * Webmail ([Roundcube](http://roundcube.net/)), static website hosting ([nginx](http://nginx.org/))
 * Spam filtering ([spamassassin](https://spamassassin.apache.org/)), greylisting ([postgrey](http://postgrey.schweikert.ch/))
 * DNS ([nsd4](https://www.nlnetlabs.nl/projects/nsd/)) with [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework), DKIM ([OpenDKIM](http://www.opendkim.org/)), [DMARC](https://en.wikipedia.org/wiki/DMARC), [DNSSEC](https://en.wikipedia.org/wiki/DNSSEC), [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities), and [SSHFP](https://tools.ietf.org/html/rfc4255) records automatically set
@@ -59,7 +59,7 @@ by me:
 	$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 	gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
 
-	$ git verify-tag v0.22
+	$ git verify-tag v0.27
 	gpg: Signature made ..... using RSA key ID C10BDD81
 	gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
 	gpg: WARNING: This key is not certified with a trusted signature!
@@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r
 
 Checkout the tag corresponding to the most recent release:
 
-	$ git checkout v0.22
+	$ git checkout v0.27
 
 Begin the installation.
 
@@ -82,6 +82,12 @@ For help, DO NOT contact me directly --- I don't do tech support by email or twe
 
 Post your question on the [discussion forum](https://discourse.mailinabox.email/) instead, where me and other Mail-in-a-Box users may be able to help you.
 
+Contributing and Development
+----------------------------
+
+Mail-in-a-Box is an open source project. Your contributions and pull requests are welcome. See [CONTRIBUTING](CONTRIBUTING.md) to get started. 
+
+
 The Acknowledgements
 --------------------
 

conf/fail2ban/jails.conf

@@ -34,7 +34,7 @@ findtime = 30
 enabled  = true
 port     = http,https
 filter   = miab-owncloud
-logpath  = STORAGE_ROOT/owncloud/owncloud.log
+logpath  = STORAGE_ROOT/owncloud/nextcloud.log
 maxretry = 20
 findtime = 120
 

conf/management-initscript

@@ -14,7 +14,7 @@
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 DESC="Mail-in-a-Box Management Daemon"
 NAME=mailinabox
-DAEMON=/usr/local/bin/mailinabox-daemon
+DAEMON=/usr/local/lib/mailinabox/start
 PIDFILE=/var/run/$NAME.pid
 SCRIPTNAME=/etc/init.d/$NAME
 

conf/nginx-alldomains.conf

@@ -70,7 +70,7 @@
 	# takes precedence over all non-regex matches and only regex matches that
 	# come after it (i.e. none of those, since this is the last one.) That means
 	# we're blocking dotfiles in the static hosted sites but not the FastCGI-
-	# handled locations for ownCloud (which serves user-uploaded files that might
+	# handled locations for Nextcloud (which serves user-uploaded files that might
 	# have this pattern, see #414) or some of the other services.
 	location ~ /\.(ht|svn|git|hg|bzr) {
 		log_not_found off;

conf/nginx-primaryonly.conf

@@ -1,6 +1,9 @@
 	# Control Panel
 	# Proxy /admin to our Python based control panel daemon. It is
 	# listening on IPv4 only so use an IP address and not 'localhost'.
+	location /admin/assets {
+		alias /usr/local/lib/mailinabox/vendor/assets;
+	}
 	rewrite ^/admin$ /admin/;
 	rewrite ^/admin/munin$ /admin/munin/ redirect;
 	location /admin/ {
@@ -9,10 +12,9 @@
 		add_header X-Frame-Options "DENY";
 		add_header X-Content-Type-Options nosniff;
 		add_header Content-Security-Policy "frame-ancestors 'none';";
-		add_header Strict-Transport-Security max-age=31536000;
 	}
 
-	# ownCloud configuration.
+	# Nextcloud configuration.
 	rewrite ^/cloud$ /cloud/ redirect;
 	rewrite ^/cloud/$ /cloud/index.php;
 	rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect;
@@ -41,13 +43,11 @@
 		fastcgi_param MOD_X_ACCEL_REDIRECT_PREFIX /owncloud-xaccel;
 		fastcgi_read_timeout 630;
 		fastcgi_pass php-fpm;
-		error_page 403 /cloud/core/templates/403.php;
-		error_page 404 /cloud/core/templates/404.php;
 		client_max_body_size 1G;
 		fastcgi_buffers 64 4K;
 	}
 	location ^~ /owncloud-xaccel/ {
-		# This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. ownCloud sends the full file
+		# This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. Nextcloud sends the full file
 		# path on disk as a subdirectory under this virtual path.
 		# We must only allow 'internal' redirects within nginx so that the filesystem
 		# is not exposed to the world.

conf/nginx-ssl.conf

@@ -1,5 +1,5 @@
-# from: https://gist.github.com/konklone/6532544
-###################################################################################
+# from https://gist.github.com/konklone/6532544 and https://mozilla.github.io/server-side-tls/ssl-config-generator/
+###################################################################################################################
 
 # Basically the nginx configuration I use at konklone.com. 
 # I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
@@ -27,17 +27,17 @@
 # 
 # Reference client: https://www.ssllabs.com/ssltest/analyze.html
 ssl_prefer_server_ciphers on;
-ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 
 # Cut out (the old, broken) SSLv3 entirely. 
 # This **excludes IE6 users** and (apparently) Yandexbot.
 # Just comment out if you need to support IE6, bless your soul.
 ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 
-# Turn on session resumption, using a 10 min cache shared across nginx processes,
+# Turn on session resumption, using a cache shared across nginx processes,
 # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
-ssl_session_cache   shared:SSL:10m;
-ssl_session_timeout 10m;
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 1d;
 #keepalive_timeout   70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good
 
 # Buffer size of 1400 bytes fits in one MTU.

conf/nginx-top.conf

@@ -7,6 +7,6 @@
 ##       your own --- please do not ask for help from us.
 
 upstream php-fpm {
-	server unix:/var/run/php5-fpm.sock;
+	server unix:/var/run/php/php7.0-fpm.sock;
 }
 

conf/zpush/autodiscover_config.php

@@ -5,11 +5,12 @@
 * Descr     :   Autodiscover configuration file
 ************************************************/
 
+define('TIMEZONE', '');
+
 // Defines the base path on the server
 define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
 
-// The Z-Push server location for the autodiscover response
-define('SERVERURL', 'https://PRIMARY_HOSTNAME/Microsoft-Server-ActiveSync');
+define('ZPUSH_HOST', 'PRIMARY_HOSTNAME');
 
 define('USE_FULLEMAIL_FOR_LOGIN', true);
 
@@ -18,6 +19,7 @@ define('LOGFILE', LOGFILEDIR . 'autodiscover.log');
 define('LOGERRORFILE', LOGFILEDIR . 'autodiscover-error.log');
 define('LOGLEVEL', LOGLEVEL_INFO);
 define('LOGUSERLEVEL', LOGLEVEL);
+$specialLogUsers = array();
 
 // the backend data provider
 define('BACKEND_PROVIDER', 'BackendCombined');

conf/zpush/backend_carddav.php

@@ -17,7 +17,7 @@ define('CARDDAV_CONTACTS_FOLDER_NAME', '%u Addressbook');
 define('CARDDAV_SUPPORTS_SYNC', false);
 
 // If the CardDAV server supports the FN attribute for searches
-// DAViCal supports it, but SabreDav, Owncloud and SOGo don't
+// DAViCal supports it, but SabreDav, Nextcloud and SOGo don't
 // Setting this to true will search by FN. If false will search by sn, givenName and email
 // It's safe to leave it as false
 define('CARDDAV_SUPPORTS_FN_SEARCH', false);

conf/zpush/backend_imap.php

@@ -23,6 +23,9 @@ define('IMAP_FOLDER_TRASH', 'TRASH');
 define('IMAP_FOLDER_SPAM', 'SPAM');
 define('IMAP_FOLDER_ARCHIVE', 'ARCHIVE');
 
+define('IMAP_INLINE_FORWARD', true);
+define('IMAP_EXCLUDED_FOLDERS', '');
+
 define('IMAP_FROM_SQL_DSN', 'sqlite:STORAGE_ROOT/mail/roundcube/roundcube.sqlite');
 define('IMAP_FROM_SQL_USER', '');
 define('IMAP_FROM_SQL_PASSWORD', '');
@@ -49,5 +52,6 @@ global $imap_smtp_params;
 $imap_smtp_params = array('host' => 'ssl://127.0.0.1', 'port' => 587, 'auth' => true, 'username' => 'imap_username', 'password' => 'imap_password');
 
 define('MAIL_MIMEPART_CRLF', "\r\n");
+define('IMAP_MEETING_USE_CALDAV', true);
 
 ?>

management/backup.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 
 # This script performs a backup of all user data:
 # 1) System services are stopped.
@@ -115,7 +115,7 @@ def backup_status(env):
 	# full backup. That full backup frees up this one to be deleted. But, the backup
 	# must also be at least min_age_in_days old too.
 	deleted_in = None
-	if incremental_count > 0 and first_full_size is not None:
+	if incremental_count > 0 and incremental_size > 0 and first_full_size is not None:
 		# How many days until the next incremental backup? First, the part of
 		# the algorithm based on increment sizes:
 		est_days_to_next_full = (.5 * first_full_size - incremental_size) / (incremental_size/incremental_count)
@@ -267,7 +267,7 @@ def perform_backup(full_backup):
 			if quit:
 				sys.exit(code)
 
-	service_command("php5-fpm", "stop", quit=True)
+	service_command("php7.0-fpm", "stop", quit=True)
 	service_command("postfix", "stop", quit=True)
 	service_command("dovecot", "stop", quit=True)
 
@@ -301,7 +301,7 @@ def perform_backup(full_backup):
 		# Start services again.
 		service_command("dovecot", "start", quit=False)
 		service_command("postfix", "start", quit=False)
-		service_command("php5-fpm", "start", quit=False)
+		service_command("php7.0-fpm", "start", quit=False)
 
 	# Once the migrated backup is included in a new backup, it can be deleted.
 	if os.path.isdir(migrated_unencrypted_backup_dir):
@@ -399,10 +399,11 @@ def list_target_files(config):
 		rsync_fn_size_re = re.compile(r'.*    ([^ ]*) [^ ]* [^ ]* (.*)')
 		rsync_target = '{host}:{path}'
 
-		if not target.path.endswith('/'):
-			target_path = target.path + '/'
-		if target.path.startswith('/'):
-			target_path = target.path[1:]
+		target_path = target.path
+		if not target_path.endswith('/'):
+			target_path = target_path + '/'
+		if target_path.startswith('/'):
+			target_path = target_path[1:]
 
 		rsync_command = [ 'rsync',
 					'-e',

management/daemon.py

@@ -1,5 +1,3 @@
-#!/usr/bin/python3
-
 import os, os.path, re, json, time
 import subprocess
 

management/daily_tasks.sh

@@ -9,6 +9,12 @@ export LC_ALL=en_US.UTF-8
 export LANG=en_US.UTF-8
 export LC_TYPE=en_US.UTF-8
 
+# On Mondays, i.e. once a week, send the administrator a report of total emails
+# sent and received so the admin might notice server abuse.
+if [ `date "+%u"` -eq 1 ]; then
+    management/mail_log.py -t week | management/email_administrator.py "Mail-in-a-Box Usage Report"
+fi
+
 # Take a backup.
 management/backup.py | management/email_administrator.py "Backup Status"
 

management/dns_update.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 
 # Creates DNS zone files for all of the domains of all of the mail users
 # and mail aliases and restarts nsd.
@@ -12,6 +12,12 @@ import dns.resolver
 from mailconfig import get_mail_domains
 from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains
 
+# From https://stackoverflow.com/questions/3026957/how-to-validate-a-domain-name-using-regex-php/16491074#16491074
+# This regular expression matches domain names according to RFCs, it also accepts fqdn with an leading dot,
+# underscores, as well as asteriks which are allowed in domain names but not hostnames (i.e. allowed in
+# DNS but not in URLs), which are common in certain record types like for DKIM.
+DOMAIN_RE = "^(?!\-)(?:[*][.])?(?:[a-zA-Z\d\-_]{0,62}[a-zA-Z\d_]\.){1,126}(?!\d+)[a-zA-Z\d_]{1,63}(\.?)$"
+
 def get_dns_domains(env):
 	# Add all domain names in use by email users and mail aliases and ensure
 	# PRIMARY_HOSTNAME is in the list.
@@ -144,7 +150,7 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 		# Define ns2.PRIMARY_HOSTNAME or whatever the user overrides.
 		# User may provide one or more additional nameservers
 		secondary_ns_list = get_secondary_dns(additional_records, mode="NS") \
-			or ["ns2." + env["PRIMARY_HOSTNAME"]] 
+			or ["ns2." + env["PRIMARY_HOSTNAME"]]
 		for secondary_ns in secondary_ns_list:
 			records.append((None,  "NS", secondary_ns+'.', False))
 
@@ -522,12 +528,13 @@ zone:
 
 def dnssec_choose_algo(domain, env):
 	if '.' in domain and domain.rsplit('.')[-1] in \
-		("email", "guide", "fund", "be"):
+		("email", "guide", "fund", "be", "lv"):
 		# At GoDaddy, RSASHA256 is the only algorithm supported
 		# for .email and .guide.
 		# A variety of algorithms are supported for .fund. This
 		# is preferred.
 		# Gandi tells me that .be does not support RSASHA1-NSEC3-SHA1
+        # Nic.lv does not support RSASHA1-NSEC3-SHA1 for .lv tld's
 		return "RSASHA256"
 
 	# For any domain we were able to sign before, don't change the algorithm
@@ -762,12 +769,25 @@ def set_custom_dns_record(qname, rtype, value, action, env):
 	# validate rtype
 	rtype = rtype.upper()
 	if value is not None and qname != "_secondary_nameserver":
+		if not re.search(DOMAIN_RE, qname):
+			raise ValueError("Invalid name.")
+
 		if rtype in ("A", "AAAA"):
 			if value != "local": # "local" is a special flag for us
 				v = ipaddress.ip_address(value) # raises a ValueError if there's a problem
 				if rtype == "A" and not isinstance(v, ipaddress.IPv4Address): raise ValueError("That's an IPv6 address.")
 				if rtype == "AAAA" and not isinstance(v, ipaddress.IPv6Address): raise ValueError("That's an IPv4 address.")
-		elif rtype in ("CNAME", "TXT", "SRV", "MX", "SSHFP"):
+		elif rtype in ("CNAME", "NS"):
+			if rtype == "NS" and qname == zone:
+				raise ValueError("NS records can only be set for subdomains.")
+
+			# ensure value has a trailing dot
+			if not value.endswith("."):
+				value = value + "."
+
+			if not re.search(DOMAIN_RE, value):
+				raise ValueError("Invalid value.")
+		elif rtype in ("CNAME", "TXT", "SRV", "MX", "SSHFP", "CAA"):
 			# anything goes
 			pass
 		else:

management/email_administrator.py

@@ -1,11 +1,17 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 
 # Reads in STDIN. If the stream is not empty, mail it to the system administrator.
 
 import sys
 
+import html
 import smtplib
-from email.message import Message
+
+from email.mime.multipart import MIMEMultipart
+from email.mime.text import MIMEText
+
+# In Python 3.6:
+#from email.message import Message
 
 from utils import load_environment
 
@@ -26,11 +32,23 @@ if content == "":
 	sys.exit(0)
 
 # create MIME message
-msg = Message()
+msg = MIMEMultipart('alternative')
+
+# In Python 3.6:
+#msg = Message()
+
 msg['From'] = "\"%s\" <%s>" % (env['PRIMARY_HOSTNAME'], admin_addr)
 msg['To'] = admin_addr
 msg['Subject'] = "[%s] %s" % (env['PRIMARY_HOSTNAME'], subject)
-msg.set_payload(content, "UTF-8")
+
+content_html = "<html><body><pre>{}</pre></body></html>".format(html.escape(content))
+
+msg.attach(MIMEText(content, 'plain'))
+msg.attach(MIMEText(content_html, 'html'))
+
+# In Python 3.6:
+#msg.set_content(content)
+#msg.add_alternative(content_html, "html")
 
 # send
 smtpclient = smtplib.SMTP('127.0.0.1', 25)

management/mail_log.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 import argparse
 import datetime
 import gzip
@@ -53,10 +53,10 @@ VERBOSE = False
 # List of strings to filter users with
 FILTERS = None
 
-# What to show by default
+# What to show (with defaults)
 SCAN_OUT = True  # Outgoing email
 SCAN_IN = True  # Incoming email
-SCAN_CONN = False  # IMAP and POP3 logins
+SCAN_DOVECOT_LOGIN = True  # Dovecot Logins
 SCAN_GREY = False  # Greylisted email
 SCAN_BLOCKED = False  # Rejected email
 
@@ -76,7 +76,8 @@ def scan_files(collector):
             tmp_file = tempfile.NamedTemporaryFile()
             shutil.copyfileobj(gzip.open(fn), tmp_file)
 
-        print("Processing file", fn, "...")
+        if VERBOSE:
+            print("Processing file", fn, "...")
         fn = tmp_file.name if tmp_file else fn
 
         for line in reverse_readline(fn):
@@ -105,7 +106,7 @@ def scan_mail_log(env):
         "scan_time": time.time(),  # The time in seconds the scan took
         "sent_mail": OrderedDict(),  # Data about email sent by users
         "received_mail": OrderedDict(),  # Data about email received by users
-        "dovecot": OrderedDict(),  # Data about Dovecot activity
+        "logins": OrderedDict(),  # Data about login activity
         "postgrey": {},  # Data about greylisting of email addresses
         "rejected": OrderedDict(),  # Emails that were blocked
         "known_addresses": None,  # Addresses handled by the Miab installation
@@ -119,8 +120,8 @@ def scan_mail_log(env):
     except ImportError:
         pass
 
-    print("Scanning from {:%Y-%m-%d %H:%M:%S} back to {:%Y-%m-%d %H:%M:%S}".format(
-        START_DATE, END_DATE)
+    print("Scanning logs from {:%Y-%m-%d %H:%M:%S} to {:%Y-%m-%d %H:%M:%S}".format(
+        END_DATE, START_DATE)
     )
 
     # Scan the lines in the log files until the date goes out of range
@@ -138,8 +139,8 @@ def scan_mail_log(env):
     # Print Sent Mail report
 
     if collector["sent_mail"]:
-        msg = "Sent email between {:%Y-%m-%d %H:%M:%S} and {:%Y-%m-%d %H:%M:%S}"
-        print_header(msg.format(END_DATE, START_DATE))
+        msg = "Sent email"
+        print_header(msg)
 
         data = OrderedDict(sorted(collector["sent_mail"].items(), key=email_sort))
 
@@ -173,8 +174,8 @@ def scan_mail_log(env):
     # Print Received Mail report
 
     if collector["received_mail"]:
-        msg = "Received email between {:%Y-%m-%d %H:%M:%S} and {:%Y-%m-%d %H:%M:%S}"
-        print_header(msg.format(END_DATE, START_DATE))
+        msg = "Received email"
+        print_header(msg)
 
         data = OrderedDict(sorted(collector["received_mail"].items(), key=email_sort))
 
@@ -199,43 +200,55 @@ def scan_mail_log(env):
             [accum]
         )
 
-    # Print Dovecot report
+    # Print login report
 
-    if collector["dovecot"]:
-        msg = "Email client logins between {:%Y-%m-%d %H:%M:%S} and {:%Y-%m-%d %H:%M:%S}"
-        print_header(msg.format(END_DATE, START_DATE))
+    if collector["logins"]:
+        msg = "User logins per hour"
+        print_header(msg)
 
-        data = OrderedDict(sorted(collector["dovecot"].items(), key=email_sort))
+        data = OrderedDict(sorted(collector["logins"].items(), key=email_sort))
+
+        # Get a list of all of the protocols seen in the logs in reverse count order.
+        all_protocols = defaultdict(int)
+        for u in data.values():
+            for protocol_name, count in u["totals_by_protocol"].items():
+                all_protocols[protocol_name] += count
+        all_protocols = [k for k, v in sorted(all_protocols.items(), key=lambda kv : -kv[1])]
 
         print_user_table(
             data.keys(),
             data=[
-                ("imap", [u["imap"] for u in data.values()]),
-                ("pop3", [u["pop3"] for u in data.values()]),
+                (protocol_name, [
+                    round(u["totals_by_protocol"][protocol_name] / (u["latest"]-u["earliest"]).total_seconds() * 60*60, 1)
+                    if (u["latest"]-u["earliest"]).total_seconds() > 0
+                    else 0 # prevent division by zero
+                  for u in data.values()])
+                for protocol_name in all_protocols
             ],
             sub_data=[
-                ("IMAP IP addresses", [[k + " (%d)" % v for k, v in u["imap-logins"].items()]
-                                       for u in data.values()]),
-                ("POP3 IP addresses", [[k + " (%d)" % v for k, v in u["pop3-logins"].items()]
-                                       for u in data.values()]),
+                ("Protocol and Source", [[
+                    "{} {}: {} times".format(protocol_name, host, count)
+                    for (protocol_name, host), count
+                    in sorted(u["totals_by_protocol_and_host"].items(), key=lambda kv:-kv[1])
+                  ] for u in data.values()])
             ],
             activity=[
-                ("imap", [u["activity-by-hour"]["imap"] for u in data.values()]),
-                ("pop3", [u["activity-by-hour"]["pop3"] for u in data.values()]),
+                (protocol_name, [u["activity-by-hour"][protocol_name] for u in data.values()])
+                for protocol_name in all_protocols
             ],
             earliest=[u["earliest"] for u in data.values()],
             latest=[u["latest"] for u in data.values()],
+            numstr=lambda n : str(round(n, 1)),
         )
 
-        accum = {"imap": defaultdict(int), "pop3": defaultdict(int), "both": defaultdict(int)}
+        accum = { protocol_name: defaultdict(int) for protocol_name in all_protocols }
         for h in range(24):
-            accum["imap"][h] = sum(d["activity-by-hour"]["imap"][h] for d in data.values())
-            accum["pop3"][h] = sum(d["activity-by-hour"]["pop3"][h] for d in data.values())
-            accum["both"][h] = accum["imap"][h] + accum["pop3"][h]
+            for protocol_name in all_protocols:
+              accum[protocol_name][h] = sum(d["activity-by-hour"][protocol_name][h] for d in data.values())
 
         print_time_table(
-            ["imap", "pop3", "   +"],
-            [accum["imap"], accum["pop3"], accum["both"]]
+            all_protocols,
+            [accum[protocol_name] for protocol_name in all_protocols]
         )
 
     if collector["postgrey"]:
@@ -348,9 +361,9 @@ def scan_mail_log_line(line, collector):
     elif service == "postfix/lmtp":
         if SCAN_IN:
             scan_postfix_lmtp_line(date, log, collector)
-    elif service in ("imap-login", "pop3-login"):
-        if SCAN_CONN:
-            scan_dovecot_line(date, log, collector, service[:4])
+    elif service.endswith("-login"):
+        if SCAN_DOVECOT_LOGIN:
+            scan_dovecot_login_line(date, log, collector, service[:4])
     elif service == "postgrey":
         if SCAN_GREY:
             scan_postgrey_line(date, log, collector)
@@ -448,44 +461,43 @@ def scan_postfix_smtpd_line(date, log, collector):
                 collector["rejected"][user] = data
 
 
-def scan_dovecot_line(date, log, collector, prot):
-    """ Scan a dovecot log line and extract interesting data """
+def scan_dovecot_login_line(date, log, collector, protocol_name):
+    """ Scan a dovecot login log line and extract interesting data """
 
     m = re.match("Info: Login: user=<(.*?)>, method=PLAIN, rip=(.*?),", log)
 
     if m:
         # TODO: CHECK DIT
-        user, rip = m.groups()
+        user, host = m.groups()
 
         if user_match(user):
+            add_login(user, date, protocol_name, host, collector)
+
+
+def add_login(user, date, protocol_name, host, collector):
             # Get the user data, or create it if the user is new
-            data = collector["dovecot"].get(
+            data = collector["logins"].get(
                 user,
                 {
-                    "imap": 0,
-                    "pop3": 0,
                     "earliest": None,
                     "latest": None,
-                    "imap-logins": defaultdict(int),
-                    "pop3-logins": defaultdict(int),
-                    "activity-by-hour": {
-                        "imap": defaultdict(int),
-                        "pop3": defaultdict(int),
-                    },
+                    "totals_by_protocol": defaultdict(int),
+                    "totals_by_protocol_and_host": defaultdict(int),
+                    "activity-by-hour": defaultdict(lambda : defaultdict(int)),
                 }
             )
 
-            data[prot] += 1
-            data["activity-by-hour"][prot][date.hour] += 1
-
             if data["latest"] is None:
                 data["latest"] = date
             data["earliest"] = date
 
-            if rip not in ("127.0.0.1", "::1") or True:
-                data["%s-logins" % prot][rip] += 1
+            data["totals_by_protocol"][protocol_name] += 1
+            data["totals_by_protocol_and_host"][(protocol_name, host)] += 1
 
-            collector["dovecot"][user] = data
+            if host not in ("127.0.0.1", "::1") or True:
+                data["activity-by-hour"][protocol_name][date.hour] += 1
+
+            collector["logins"][user] = data
 
 
 def scan_postfix_lmtp_line(date, log, collector):
@@ -561,6 +573,8 @@ def scan_postfix_submission_line(date, log, collector):
 
             collector["sent_mail"][user] = data
 
+            # Also log this as a login.
+            add_login(user, date, "smtp", client, collector)
 
 # Utility functions
 
@@ -640,7 +654,7 @@ def print_time_table(labels, data, do_print=True):
         for i, d in enumerate(data):
             lines[i] += base.format(d[h])
 
-    lines.insert(0, "┬")
+    lines.insert(0, "┬ totals by time of day:")
     lines.append("└" + (len(lines[-1]) - 2) * "─")
 
     if do_print:
@@ -650,7 +664,7 @@ def print_time_table(labels, data, do_print=True):
 
 
 def print_user_table(users, data=None, sub_data=None, activity=None, latest=None, earliest=None,
-                     delimit=False):
+                     delimit=False, numstr=str):
     str_temp = "{:<32} "
     lines = []
     data = data or []
@@ -764,7 +778,7 @@ def print_user_table(users, data=None, sub_data=None, activity=None, latest=None
 
     # Print totals
 
-    data_accum = [str(a) for a in data_accum]
+    data_accum = [numstr(a) for a in data_accum]
     footer = str_temp.format("Totals:" if do_accum else " ")
     for row, (l, _) in enumerate(data):
         temp = "{:>%d}" % max(5, len(l) + 1)
@@ -818,7 +832,7 @@ if __name__ == "__main__":
                         action="store_true")
     parser.add_argument("-s", "--sent", help="Scan for sent emails.",
                         action="store_true")
-    parser.add_argument("-l", "--logins", help="Scan for IMAP/POP logins.",
+    parser.add_argument("-l", "--logins", help="Scan for user logins to IMAP/POP3.",
                         action="store_true")
     parser.add_argument("-g", "--grey", help="Scan for greylisted emails.",
                         action="store_true")
@@ -863,8 +877,8 @@ if __name__ == "__main__":
         if not SCAN_OUT:
             print("Ignoring sent emails")
 
-        SCAN_CONN = args.logins
-        if not SCAN_CONN:
+        SCAN_DOVECOT_LOGIN = args.logins
+        if not SCAN_DOVECOT_LOGIN:
             print("Ignoring logins")
 
         SCAN_GREY = args.grey

management/mailconfig.py

@@ -1,4 +1,13 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
+
+# NOTE:
+# This script is run both using the system-wide Python 3
+# interpreter (/usr/bin/python3) as well as through the
+# virtualenv (/usr/local/lib/mailinabox/env). So only
+# import packages at the top level of this script that
+# are installed in *both* contexts. We use the system-wide
+# Python 3 in setup/questions.sh to validate the email
+# address entered by the user.
 
 import subprocess, shutil, os, sqlite3, re
 import utils
@@ -435,9 +444,11 @@ def add_mail_alias(address, forwards_to, permitted_senders, env, update_if_exist
 				email = email.strip()
 				if email == "": continue
 				email = sanitize_idn_email_address(email) # Unicode => IDNA
+				# Strip any +tag from email alias and check privileges
+				privileged_email = re.sub(r"(?=\+)[^@]*(?=@)",'',email)
 				if not validate_email(email):
 					return ("Invalid receiver email address (%s)." % email, 400)
-				if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(email, env, empty_on_error=True):
+				if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(privileged_email, env, empty_on_error=True):
 					# Make domain control validation hijacking a little harder to mess up by
 					# requiring aliases for email addresses typically used in DCV to forward
 					# only to accounts that are administrators on this system.

management/ssl_certificates.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 # Utilities for installing and selecting SSL certificates.
 
 import os, os.path, re, shutil
@@ -214,12 +214,6 @@ def get_certificates_to_provision(env, show_extended_problems=True, force_domain
 	# Filter out domains that we can't provision a certificate for.
 	def can_provision_for_domain(domain):
 		from status_checks import normalize_ip
-		# Let's Encrypt doesn't yet support IDNA domains.
-		# We store domains in IDNA (ASCII). To see if this domain is IDNA,
-		# we'll see if its IDNA-decoded form is different.
-		if idna.decode(domain.encode("ascii")) != domain:
-			problems[domain] = "Let's Encrypt does not yet support provisioning certificates for internationalized domains."
-			return False
 
 		# Does the domain resolve to this machine in public DNS? If not,
 		# we can't do domain control validation. For IPv6 is configured,
@@ -562,7 +556,7 @@ def create_csr(domain, ssl_key, country_code, env):
                 "openssl", "req", "-new",
                 "-key", ssl_key,
                 "-sha256",
-                "-subj", "/C=%s/ST=/L=/O=/CN=%s" % (country_code, domain)])
+                "-subj", "/C=%s/CN=%s" % (country_code, domain)])
 
 def install_cert(domain, ssl_cert, ssl_chain, env, raw=False):
 	# Write the combined cert+chain to a temporary path and validate that it is OK.

management/status_checks.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 #
 # Checks that the upstream DNS has been set correctly and that
 # TLS certificates have been signed, etc., and if not tells the user
@@ -640,7 +640,7 @@ def check_web_domain(domain, rounded_time, ssl_certificates, env, output):
 		for (rtype, expected) in (("A", env['PUBLIC_IP']), ("AAAA", env.get('PUBLIC_IPV6'))):
 			if not expected: continue # IPv6 is not configured
 			value = query_dns(domain, rtype)
-			if value == expected:
+			if normalize_ip(value) == normalize_ip(expected):
 				ok_values.append(value)
 			else:
 				output.print_error("""This domain should resolve to your box's IP address (%s %s) if you would like the box to serve
@@ -894,7 +894,10 @@ def run_and_output_changes(env, pool):
 def normalize_ip(ip):
 	# Use ipaddress module to normalize the IPv6 notation and ensure we are matching IPv6 addresses written in different representations according to rfc5952.
 	import ipaddress
-	return str(ipaddress.ip_address(ip))
+	try:
+		return str(ipaddress.ip_address(ip))
+	except:
+		return ip
 
 class FileOutput:
 	def __init__(self, buf, width):

management/templates/custom-dns.html

@@ -31,13 +31,15 @@
     <label for="customdnsType" class="col-sm-1 control-label">Type</label>
     <div class="col-sm-10">
       <select id="customdnsType" class="form-control" style="max-width: 400px" onchange="show_customdns_rtype_hint()">
-        <option value="A" data-hint="Enter an IPv4 address (i.e. a dotted quad, such as 123.456.789.012).">A (IPv4 address)</option>
-        <option value="AAAA" data-hint="Enter an IPv6 address.">AAAA (IPv6 address)</option>
+        <option value="A" data-hint="Enter an IPv4 address (i.e. a dotted quad, such as 123.456.789.012).  The 'local' alias sets the record to this box's public IPv4 address.">A (IPv4 address)</option>
+        <option value="AAAA" data-hint="Enter an IPv6 address.  The 'local' alias sets the record to this box's public IPv6 address.">AAAA (IPv6 address)</option>
+        <option value="CAA" data-hint="Enter a CA that can issue certificates for this domain in the form of FLAG TAG VALUE. (0 issuewild &quot;letsencrypt.org&quot;)">CAA (Certificate Authority Authorization)</option>
         <option value="CNAME" data-hint="Enter another domain name followed by a period at the end (e.g. mypage.github.io.).">CNAME (DNS forwarding)</option>
         <option value="TXT" data-hint="Enter arbitrary text.">TXT (text record)</option>
         <option value="MX" data-hint="Enter record in the form of PRIORITY DOMAIN., including trailing period (e.g. 20 mx.example.com.).">MX (mail exchanger)</option>
         <option value="SRV" data-hint="Enter record in the form of PRIORITY WEIGHT PORT TARGET., including trailing period (e.g. 10 10 5060 sip.example.com.).">SRV (service record)</option>
         <option value="SSHFP" data-hint="Enter record in the form of ALGORITHM TYPE FINGERPRINT.">SSHFP (SSH fingerprint record)</option>
+        <option value="NS" data-hint="Enter a hostname to which this subdomain should be delegated to">NS (DNS subdomain delegation)</option>
       </select>
     </div>
   </div>
@@ -125,7 +127,7 @@
 <tr><td>email</td> <td>The email address of any administrative user here.</td></tr>
 <tr><td>password</td> <td>That user&rsquo;s password.</td></tr>
 <tr><td>qname</td> <td>The fully qualified domain name for the record you are trying to set. It must be one of the domain names or a subdomain of one of the domain names hosted on this box. (Add mail users or aliases to add new domains.)</td></tr>
-<tr><td>rtype</td> <td>The resource type. Defaults to <code>A</code> if omitted. Possible values: <code>A</code> (an IPv4 address), <code>AAAA</code> (an IPv6 address), <code>TXT</code> (a text string), <code>CNAME</code> (an alias, which is a fully qualified domain name &mdash; don&rsquo;t forget the final period), <code>MX</code>, <code>SRV</code>, or <code>SSHFP</code>.</td></tr>
+<tr><td>rtype</td> <td>The resource type. Defaults to <code>A</code> if omitted. Possible values: <code>A</code> (an IPv4 address), <code>AAAA</code> (an IPv6 address), <code>TXT</code> (a text string), <code>CNAME</code> (an alias, which is a fully qualified domain name &mdash; don&rsquo;t forget the final period), <code>MX</code>, <code>SRV</code>, <code>SSHFP</code>, <code>CAA</code> or <code>NS</code>.</td></tr>
 <tr><td>value</td> <td>For PUT, POST, and DELETE, the record&rsquo;s value. If the <code>rtype</code> is <code>A</code> or <code>AAAA</code> and <code>value</code> is empty or omitted, the IPv4 or IPv6 address of the remote host is used (be sure to use the <code>-4</code> or <code>-6</code> options to curl). This is handy for dynamic DNS!</td></tr>
 </table>
 

management/templates/index.html

@@ -9,7 +9,7 @@
 
         <meta name="robots" content="noindex, nofollow">
 
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
+        <link rel="stylesheet" href="/admin/assets/bootstrap/css/bootstrap.min.css">
         <style>
 	    body {
 		overflow-y: scroll;
@@ -63,7 +63,7 @@
 	       margin-bottom: 1em;
 	    }
         </style>
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous">
+        <link rel="stylesheet" href="/admin/assets/bootstrap/css/bootstrap-theme.min.css">
     </head>
     <body>
 
@@ -108,7 +108,7 @@
             <li><a href="#web" onclick="return show_panel(this);">Web</a></li>
           </ul>
           <ul class="nav navbar-nav navbar-right">
-            <li><a href="#" onclick="do_logout(); return false;" style="color: white">Log out?</a></li>
+            <li><a href="#" onclick="do_logout(); return false;" style="color: white">Log out</a></li>
           </ul>
         </div><!--/.navbar-collapse -->
       </div>
@@ -191,8 +191,8 @@
           </div>
         </div>
 
-        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js" integrity="sha256-rsPUGdUPBXgalvIj4YKJrrUlmLXbOb6Cp7cdxn1qeUc=" crossorigin="anonymous"></script>
-        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
+        <script src="/admin/assets/jquery.min.js"></script>
+        <script src="/admin/assets/bootstrap/js/bootstrap.min.js"></script>
 
         <script>
 var global_modal_state = null;
@@ -218,7 +218,7 @@ $(function() {
     if (global_modal_state == null) global_modal_state = 1; // cancel if the user hit ESC or clicked outside of the modal
     if (global_modal_funcs && global_modal_funcs[global_modal_state])
       global_modal_funcs[global_modal_state]();
-  })  
+  })
 })
 
 function show_modal_error(title, message, callback) {
@@ -281,7 +281,7 @@ function ajax_with_indicator(options) {
   };
   options.error = function(jqxhr) {
     hide_loading_indicator();
-    if (!old_error) 
+    if (!old_error)
       show_modal_error("Error", "Something went wrong, sorry.")
     else
       old_error(jqxhr.responseText, jqxhr);

management/templates/ssl.html

@@ -159,7 +159,11 @@ function ssl_install(elem) {
 }
 
 function show_csr() {
+ // Can't show a CSR until both inputs are entered.
  if ($('#ssldomain').val() == "") return;
+ if ($('#sslcc').val() == "") return;
+
+ // Scroll to it and fetch.
  $('#csr_info').slideDown();
  $('#ssl_csr').text('Loading...');
  api(

management/templates/sync-guide.html

@@ -30,7 +30,7 @@
 
 			<table class="table">
 			<thead><tr><th>For...</th> <th>Use...</th></tr></thead>
-			<tr><td>Contacts and Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=at.bitfire.davdroid">DAVdroid</a> ($3.69; free <a href="https://f-droid.org/repository/browse/?fdfilter=dav&fdid=at.bitfire.davdroid">here</a>)</td></tr>
+			<tr><td>Contacts and Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=at.bitfire.davdroid">DAVdroid</a> ($3.69; free <a href="https://f-droid.org/packages/at.bitfire.davdroid/">here</a>)</td></tr>
 			<tr><td>Only Contacts</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.carddav.sync">CardDAV-Sync free beta</a> (free)</td></tr>
 			<tr><td>Only Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.caldav.lib">CalDAV-Sync</a> ($2.89)</td></tr>
 			</table>

management/templates/users.html

@@ -213,7 +213,7 @@ function users_set_password(elem) {
 
   show_modal_confirm(
     "Set Password",
-    $("<p>Set a new password for <b>" + email + "</b>?</p> <p><label for='users_set_password_pw' style='display: block; font-weight: normal'>New Password:</label><input type='password' id='users_set_password_pw'></p><p><small>Passwords must be at least four characters and may not contain spaces.</small>" + yourpw + "</p>"),
+    $("<p>Set a new password for <b>" + email + "</b>?</p> <p><label for='users_set_password_pw' style='display: block; font-weight: normal'>New Password:</label><input type='password' id='users_set_password_pw'></p><p><small>Passwords must be at least eight characters and may not contain spaces.</small>" + yourpw + "</p>"),
     "Set Password",
     function() {
       api(

management/web_update.py

@@ -149,7 +149,10 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 
 			# any proxy or redirect here?
 			for path, url in yaml.get("proxies", {}).items():
-				nginx_conf_extra += "\tlocation %s {\n\t\tproxy_pass %s;\n\t}\n" % (path, url)
+				nginx_conf_extra += "\tlocation %s {" % path
+				nginx_conf_extra += "\n\t\tproxy_pass %s;" % url
+				nginx_conf_extra += "\n\t\tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
+				nginx_conf_extra += "\n\t}\n"
 			for path, url in yaml.get("redirects", {}).items():
 				nginx_conf_extra += "\trewrite %s %s permanent;\n" % (path, url)
 
@@ -158,9 +161,9 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 
 	# Add the HSTS header.
 	if hsts == "yes":
-		nginx_conf_extra += "add_header Strict-Transport-Security max-age=31536000;\n"
+		nginx_conf_extra += "add_header Strict-Transport-Security max-age=15768000;\n"
 	elif hsts == "preload":
-		nginx_conf_extra += "add_header Strict-Transport-Security \"max-age=10886400; includeSubDomains; preload\";\n"
+		nginx_conf_extra += "add_header Strict-Transport-Security \"max-age=15768000; includeSubDomains; preload\";\n"
 
 	# Add in any user customizations in the includes/ folder.
 	nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")

ppa/Makefile

@@ -14,7 +14,7 @@ build_postgrey: clean
 	git clone git://git.debian.org/git/collab-maint/postgrey.git /tmp/build/postgrey
 
 	# Download the corresponding upstream package.
-	wget -O /tmp/build/postgrey_1.35.orig.tar.gz http://postgrey.schweikert.ch/pub/postgrey-1.35.tar.gz
+	wget -O /tmp/build/postgrey_1.35.orig.tar.gz http://postgrey.schweikert.ch/pub/old/postgrey-1.35.tar.gz
 
 	# Add our source patch to the debian packaging listing.
 	cp postgrey_sources.diff /tmp/build/postgrey/debian/patches/mailinabox

security.md

@@ -40,21 +40,14 @@ The services all follow these rules:
 
 * TLS certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints. The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one. ([source](setup/ssl.sh))
 * Only TLSv1, TLSv1.1 and TLSv1.2 are offered (the older SSL protocols are not offered).
-* Export-grade ciphers, the anonymous DH/ECDH algorithms (aNULL), and clear-text ciphers (eNULL) are not offered.
-* The minimum cipher key length offered is 112 bits. The maximum is 256 bits. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy.
+* HTTPS, IMAP, and POP track the [Mozilla Intermediate Ciphers Recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS), balancing security with supporting a wide range of mail clients. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy. For more details, see the [output of SSLyze for these ports](tests/tls_results.txt).
+* SMTP (port 25) uses the Postfix medium grade ciphers and SMTP Submission (port 587) uses the Postfix high grade ciphers ([more info](http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers)).
 
 Additionally:
 
 * SMTP Submission (port 587) will not accept user credentials without STARTTLS (true also of SMTP on port 25 in case of client misconfiguration), and the submission port won't accept mail without encryption. The minimum cipher key length is 128 bits. (The box is of course configured not to be an open relay. User credentials are required to send outbound mail.) ([source](setup/mail-postfix.sh))
 * HTTPS (port 443): The HTTPS Strict Transport Security header is set. A redirect from HTTP to HTTPS is offered. The [Qualys SSL Labs test](https://www.ssllabs.com/ssltest) should report an A+ grade. ([source 1](conf/nginx-ssl.conf), [source 2](conf/nginx.conf))
 
-For more details, see the [output of SSLyze for these ports](tests/tls_results.txt).
-
-The cipher and protocol selection are chosen to support the following clients:
-
-* For HTTPS: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7.
-* For other protocols: TBD.
-
 ### Password Storage
 
 The passwords for mail users are stored on disk using the [SHA512-CRYPT](http://man7.org/linux/man-pages/man3/crypt.3.html) hashing scheme. ([source](management/mailconfig.py))
@@ -73,7 +66,7 @@ If DNSSEC is enabled at the box's domain name's registrar, the SSHFP record that
 
 `fail2ban` provides some protection from brute-force login attacks (repeated logins that guess account passwords) by blocking offending IP addresses at the network level.
 
-The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), ownCloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel & munin (over HTTP).
+The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), Nextcloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel & munin (over HTTP).
 
 Some other services running on the box may be missing fail2ban filters.
 

setup/bootstrap.sh

@@ -7,7 +7,7 @@
 #########################################################
 
 if [ -z "$TAG" ]; then
-	TAG=v0.22
+	TAG=v0.27
 fi
 
 # Are we running as root?

setup/dns.sh

@@ -23,7 +23,7 @@ apt_install nsd ldnsutils openssh-client
 mkdir -p /var/run/nsd
 
 cat > /etc/nsd/nsd.conf << EOF;
-# No not edit. Overwritten by Mail-in-a-Box setup.
+# Do not edit. Overwritten by Mail-in-a-Box setup.
 server:
   hide-version: yes
 

setup/functions.sh

@@ -48,6 +48,15 @@ function apt_install {
 	apt_get_quiet install $PACKAGES
 }
 
+function apt_add_repository_to_unattended_upgrades {
+	if [ -f /etc/apt/apt.conf.d/50unattended-upgrades ]; then
+		if ! grep -q "$1" /etc/apt/apt.conf.d/50unattended-upgrades; then
+			sed -i "/Allowed-Origins/a \
+	    \"$1\";" /etc/apt/apt.conf.d/50unattended-upgrades
+		fi
+	fi
+}
+
 function get_default_hostname {
 	# Guess the machine's hostname. It should be a fully qualified
 	# domain name suitable for DNS. None of these calls may provide
@@ -170,7 +179,7 @@ function wget_verify {
 	DEST=$3
 	CHECKSUM="$HASH  $DEST"
 	rm -f $DEST
-	wget -q -O $DEST $URL || exit 1
+	hide_output wget -O $DEST $URL
 	if ! echo "$CHECKSUM" | sha1sum --check --strict > /dev/null; then
 		echo "------------------------------------------------------------"
 		echo "Download of $URL did not match expected checksum."

setup/mail-dovecot.sh

@@ -46,7 +46,7 @@ apt_install \
 # - https://www.dovecot.org/list/dovecot/2011-December/132455.html
 tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
 	default_process_limit=$(echo "`nproc` * 250" | bc) \
-	default_vsz_limit=$(echo "`free -tom  | tail -1 | awk '{print $2}'` / 3" | bc)M \
+	default_vsz_limit=$(echo "`free -tm  | tail -1 | awk '{print $2}'` / 3" | bc)M \
 	log_path=/var/log/mail.log
 
 # The inotify `max_user_instances` default is 128, which constrains
@@ -79,12 +79,15 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
 
 # Enable SSL, specify the location of the SSL certificate and private key files.
 # Disable obsolete SSL protocols and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
+# Enable strong ssl dh parameters
 tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 	ssl=required \
 	"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 	"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
 	"ssl_protocols=!SSLv3 !SSLv2" \
-	"ssl_cipher_list=TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH"
+	"ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" \
+	"ssl_prefer_server_ciphers = yes" \
+	"ssl_dh_parameters_length = 2048"
 
 # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit
 # login credentials outside of an encrypted connection. Only the over-TLS versions

setup/management.sh

@@ -6,21 +6,33 @@ echo "Installing Mail-in-a-Box system management daemon..."
 
 # DEPENDENCIES
 
-# Install Python packages that are available from the Ubuntu
-# apt repository:
-# flask, yaml, dnspython, and dateutil are all for our Python 3 management daemon itself.
-# duplicity does backups. python-pip is so we can 'pip install boto' for Python 2, for duplicity, so it can do backups to AWS S3.
-apt_install python3-flask links duplicity libyaml-dev python3-dnspython python3-dateutil python-pip
+# duplicity is used to make backups of user data. It uses boto
+# (via Python 2) to do backups to AWS S3. boto from the Ubuntu
+# package manager is too out-of-date -- it doesn't support the newer
+# S3 api used in some regions, which breaks backups to those regions.
+# See #627, #653.
+apt_install duplicity python-pip
+hide_output pip2 install --upgrade boto
 
-# These are required to pip install cryptography.
-apt_install build-essential libssl-dev libffi-dev python3-dev
+# These are required to build/install the cryptography Python package
+# used by our management daemon.
+apt_install python-virtualenv build-essential libssl-dev libffi-dev python3-dev
 
-# pip<6.1 + setuptools>=34 have a problem with packages that
+# Create a virtualenv for the installation of Python 3 packages
+# used by the management daemon.
+inst_dir=/usr/local/lib/mailinabox
+mkdir -p $inst_dir
+venv=$inst_dir/env
+if [ ! -d $venv ]; then
+	virtualenv -ppython3 $venv
+fi
+
+# pip<6.1 + setuptools>=34 had a problem with packages that
 # try to update setuptools during installation, like cryptography.
 # See https://github.com/pypa/pip/issues/4253. The Ubuntu 14.04
-# package versions are pip 1.5.4 and setuptools 3.3. When we
-# install cryptography under those versions, it tries to update
-# setuptools to version 34, which now creates the conflict, and
+# package versions are pip 1.5.4 and setuptools 3.3. When we used to
+# instal cryptography system-wide under those versions, it updated
+# setuptools to version 34, which created the conflict, and
 # then pip gets permanently broken with errors like
 # "ImportError: No module named 'packaging'".
 #
@@ -35,8 +47,8 @@ fi
 # The easiest work-around on systems that aren't already broken is
 # to upgrade pip (to >=9.0.1) and setuptools (to >=34.1) individually
 # before we install any package that tries to update setuptools.
-hide_output pip3 install --upgrade pip
-hide_output pip3 install --upgrade setuptools
+hide_output $venv/bin/pip install --upgrade pip
+hide_output $venv/bin/pip install --upgrade setuptools
 
 # Install other Python 3 packages used by the management daemon.
 # The first line is the packages that Josh maintains himself!
@@ -44,14 +56,10 @@ hide_output pip3 install --upgrade setuptools
 # Force acme to be updated because it seems to need it after the
 # pip/setuptools breakage (see above) and the ACME protocol may
 # have changed (I got an error on one of my systems).
-hide_output pip3 install --upgrade \
+hide_output $venv/bin/pip install --upgrade \
 	rtyaml "email_validator>=1.0.0" "free_tls_certificates>=0.1.3" "exclusiveprocess" \
-	"idna>=2.0.0" "cryptography>=1.0.2" acme boto psutil
-
-# duplicity uses python 2 so we need to get the python 2 package of boto to have backups to S3.
-# boto from the Ubuntu package manager is too out-of-date -- it doesn't support the newer
-# S3 api used in some regions, which breaks backups to those regions.  See #627, #653.
-hide_output pip2 install --upgrade boto
+	flask dnspython python-dateutil \
+	"idna>=2.0.0" "cryptography>=1.0.2" "acme==0.20.0" boto psutil
 
 # CONFIGURATION
 
@@ -61,12 +69,40 @@ if [ ! -f $STORAGE_ROOT/backup/secret_key.txt ]; then
 	$(umask 077; openssl rand -base64 2048 > $STORAGE_ROOT/backup/secret_key.txt)
 fi
 
-# Link the management server daemon into a well known location.
-rm -f /usr/local/bin/mailinabox-daemon
-ln -s `pwd`/management/daemon.py /usr/local/bin/mailinabox-daemon
+
+# Download jQuery and Bootstrap local files
+
+# Make sure we have the directory to save to.
+assets_dir=$inst_dir/vendor/assets
+rm -rf $assets_dir
+mkdir -p $assets_dir
+
+# jQuery CDN URL
+jquery_version=2.1.4
+jquery_url=https://code.jquery.com
+
+# Get jQuery
+wget_verify $jquery_url/jquery-$jquery_version.min.js 43dc554608df885a59ddeece1598c6ace434d747 $assets_dir/jquery.min.js
+
+# Bootstrap CDN URL
+bootstrap_version=3.3.7
+bootstrap_url=https://github.com/twbs/bootstrap/releases/download/v$bootstrap_version/bootstrap-$bootstrap_version-dist.zip
+
+# Get Bootstrap
+wget_verify $bootstrap_url e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a /tmp/bootstrap.zip
+unzip -q /tmp/bootstrap.zip -d $assets_dir
+mv $assets_dir/bootstrap-$bootstrap_version-dist $assets_dir/bootstrap
+rm -f /tmp/bootstrap.zip
 
 # Create an init script to start the management daemon and keep it
 # running after a reboot.
+rm -f /usr/local/bin/mailinabox-daemon # old path
+cat > $inst_dir/start <<EOF;
+#!/bin/bash
+source $venv/bin/activate
+exec python `pwd`/management/daemon.py
+EOF
+chmod +x $inst_dir/start
 rm -f /etc/init.d/mailinabox
 ln -s $(pwd)/conf/management-initscript /etc/init.d/mailinabox
 hide_output update-rc.d mailinabox defaults

setup/munin.sh

@@ -38,8 +38,10 @@ chown munin. /var/log/munin/munin-cgi-html.log
 chown munin. /var/log/munin/munin-cgi-graph.log
 
 # ensure munin-node knows the name of this machine
+# and reduce logging level to warning
 tools/editconf.py /etc/munin/munin-node.conf -s \
-	host_name=$PRIMARY_HOSTNAME
+	host_name=$PRIMARY_HOSTNAME \
+	log_level=1
 
 # Update the activated plugins through munin's autoconfiguration.
 munin-node-configure --shell --remove-also 2>/dev/null | sh

setup/owncloud.sh

@@ -1,14 +1,15 @@
 #!/bin/bash
-# Owncloud
+# Nextcloud
 ##########################
 
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
 
-# ### Installing ownCloud
+# ### Installing Nextcloud
 
-echo "Installing ownCloud (contacts/calendar)..."
+echo "Installing Nextcloud (contacts/calendar)..."
 
+# Keep the php5 dependancies for the owncloud upgrades
 apt_install \
 	dbconfig-common \
 	php5-cli php5-sqlite php5-gd php5-imap php5-curl php-pear php-apc curl libapr1 libtool libcurl4-openssl-dev php-xml-parser \
@@ -16,6 +17,10 @@ apt_install \
 
 apt-get purge -qq -y owncloud*
 
+apt_install php7.0 php7.0-fpm \
+	php7.0-cli php7.0-sqlite php7.0-gd php7.0-imap php7.0-curl php-pear php-apc curl \
+        php7.0-dev php7.0-gd memcached php7.0-memcached php7.0-xml php7.0-mbstring php7.0-zip php7.0-apcu
+
 # Migrate <= v0.10 setups that stored the ownCloud config.php in /usr/local rather than
 # in STORAGE_ROOT. Move the file to STORAGE_ROOT.
 if [ ! -f $STORAGE_ROOT/owncloud/config.php ] \
@@ -28,33 +33,35 @@ if [ ! -f $STORAGE_ROOT/owncloud/config.php ] \
 	ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
 fi
 
-InstallOwncloud() {
+InstallNextcloud() {
 
 	version=$1
 	hash=$2
 
 	echo
-	echo "Upgrading to ownCloud version $version"
+	echo "Upgrading to Nextcloud version $version"
 	echo
 
-	# Remove the current owncloud
+	# Remove the current owncloud/Nextcloud
 	rm -rf /usr/local/lib/owncloud
 
 	# Download and verify
-	wget_verify https://download.owncloud.org/community/owncloud-$version.zip $hash /tmp/owncloud.zip
+	wget_verify https://download.nextcloud.com/server/releases/nextcloud-$version.zip $hash /tmp/nextcloud.zip
 
-	# Extract ownCloud
-	unzip -q /tmp/owncloud.zip -d /usr/local/lib
-	rm -f /tmp/owncloud.zip
+	# Extract ownCloud/Nextcloud
+	unzip -q /tmp/nextcloud.zip -d /usr/local/lib
+	mv /usr/local/lib/nextcloud /usr/local/lib/owncloud
+	rm -f /tmp/nextcloud.zip
 
-	# The two apps we actually want are not in ownCloud core. Download the releases from
+	# The two apps we actually want are not in Nextcloud core. Download the releases from
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps
-	wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz
+
+	wget_verify https://github.com/nextcloud/contacts/releases/download/v1.5.3/contacts.tar.gz 78c4d49e73f335084feecd4853bd8234cf32615e /tmp/contacts.tgz
 	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz
 
-        wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz
+	wget_verify https://github.com/nextcloud/calendar/releases/download/v1.5.3/calendar.tar.gz b370352d1f280805cc7128f78af4615f623827f8 /tmp/calendar.tgz
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz
 
@@ -86,22 +93,84 @@ InstallOwncloud() {
 	fi
 }
 
-owncloud_ver=9.1.4
-owncloud_hash=e637cab7b2ca3346164f3506b1a0eb812b4e841a
+# We only install ownCloud intermediate versions to be able to seemlesly upgrade to Nextcloud
+InstallOwncloud() {
 
-# Check if ownCloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade)
+	version=$1
+	hash=$2
+
+	echo
+	echo "Upgrading to OwnCloud version $version"
+	echo
+
+	# Remove the current owncloud/Nextcloud
+	rm -rf /usr/local/lib/owncloud
+
+	# Download and verify
+	wget_verify https://download.owncloud.org/community/owncloud-$version.tar.bz2 $hash /tmp/owncloud.tar.bz2
+
+
+	# Extract ownCloud
+	tar xjf /tmp/owncloud.tar.bz2 -C /usr/local/lib
+	rm -f /tmp/owncloud.tar.bz2
+
+	# The two apps we actually want are not in Nextcloud core. Download the releases from
+	# their github repositories.
+	mkdir -p /usr/local/lib/owncloud/apps
+
+	wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz
+	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
+	rm /tmp/contacts.tgz
+
+	wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz
+	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
+	rm /tmp/calendar.tgz
+
+	# Fix weird permissions.
+	chmod 750 /usr/local/lib/owncloud/{apps,config}
+
+	# Create a symlink to the config.php in STORAGE_ROOT (for upgrades we're restoring the symlink we previously
+	# put in, and in new installs we're creating a symlink and will create the actual config later).
+	ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
+
+	# Make sure permissions are correct or the upgrade step won't run.
+	# $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress
+	# that error.
+	chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
+
+	# If this isn't a new installation, immediately run the upgrade script.
+	# Then check for success (0=ok and 3=no upgrade needed, both are success).
+	if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then
+		# ownCloud 8.1.1 broke upgrades. It may fail on the first attempt, but
+		# that can be OK.
+		sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade
+		if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then
+			echo "Trying ownCloud upgrade again to work around ownCloud upgrade bug..."
+			sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade
+			if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
+			sudo -u www-data php5 /usr/local/lib/owncloud/occ maintenance:mode --off
+			echo "...which seemed to work."
+		fi
+	fi
+}
+
+owncloud_ver=12.0.5
+owncloud_hash=d25afbac977a4e331f5e38df50aed0844498ca86
+
+# Check if Nextcloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade)
 if [ ! -d /usr/local/lib/owncloud/ ] \
         || ! grep -q $owncloud_ver /usr/local/lib/owncloud/version.php; then
 
-	# Stop php-fpm
-	hide_output service php5-fpm stop
+	# Stop php-fpm if running. If theyre not running (which happens on a previously failed install), dont bail.
+	service php7.0-fpm stop &> /dev/null || /bin/true
+	service php5-fpm stop &> /dev/null || /bin/true
 
-        # Backup the existing ownCloud.
+	# Backup the existing ownCloud/Nextcloud.
 	# Create a backup directory to store the current installation and database to
 	BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"`
 	mkdir -p "$BACKUP_DIRECTORY"
 	if [ -d /usr/local/lib/owncloud/ ]; then
-		echo "upgrading ownCloud to $owncloud_ver (backing up existing ownCloud installation, configuration and database to directory to $BACKUP_DIRECTORY..."
+		echo "upgrading ownCloud/Nextcloud to $owncloud_flavor $owncloud_ver (backing up existing installation, configuration and database to directory to $BACKUP_DIRECTORY..."
 		cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install"
 	fi
 	if [ -e /home/user-data/owncloud/owncloud.db ]; then
@@ -111,16 +180,16 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
                 cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY
         fi
 
-	# We only need to check if we do upgrades when owncloud was previously installed
+	# We only need to check if we do upgrades when owncloud/Nextcloud was previously installed
 	if [ -e /usr/local/lib/owncloud/version.php ]; then
-		if grep -q "8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
-			echo "We are running 8.1.x, upgrading to 8.2.3 first"
-			InstallOwncloud 8.2.3 bfdf6166fbf6fc5438dc358600e7239d1c970613
+		if grep -q "OC_VersionString = '8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
+			echo "We are running 8.1.x, upgrading to 8.2.11 first"
+			InstallOwncloud 8.2.11 e4794938fc2f15a095018ba9d6ee18b53f6f299c
 		fi
 
 		# If we are upgrading from 8.2.x we should go to 9.0 first. Owncloud doesn't support skipping minor versions
-		if grep -q "8\.2\.[0-9]" /usr/local/lib/owncloud/version.php; then
-			echo "We are running version 8.2.x, upgrading to 9.0.2 first"
+		if grep -q "OC_VersionString = '8\.2\.[0-9]" /usr/local/lib/owncloud/version.php; then
+			echo "We are running version 8.2.x, upgrading to 9.0.11 first"
 
 			# We need to disable memcached. The upgrade and install fails
 			# with memcached
@@ -129,7 +198,7 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
 			<?php
 				include("$STORAGE_ROOT/owncloud/config.php");
 
-				\$CONFIG['memcache.local'] = '\OC\Memcache\APC';
+				\$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
 
 				echo "<?php\n\\\$CONFIG = ";
 				var_export(\$CONFIG);
@@ -138,28 +207,52 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
 EOF
 			chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 
-			# We can now install owncloud 9.0.2
-			InstallOwncloud 9.0.2 72a3d15d09f58c06fa8bee48b9e60c9cd356f9c5
+			# We can now install owncloud 9.0.11
+			InstallOwncloud 9.0.11 fc8bad8a62179089bc58c406b28997fb0329337b
 
 			# The owncloud 9 migration doesn't migrate calendars and contacts
 			# The option to migrate these are removed in 9.1
 			# So the migrations should be done when we have 9.0 installed
-			sudo -u www-data php /usr/local/lib/owncloud/occ dav:migrate-addressbooks
+			sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-addressbooks
 			# The following migration has to be done for each owncloud user
 			for directory in $STORAGE_ROOT/owncloud/*@*/ ; do
 				username=$(basename "${directory}")
-				sudo -u www-data php /usr/local/lib/owncloud/occ dav:migrate-calendar $username
+				sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-calendar $username
 			done
-			sudo -u www-data php /usr/local/lib/owncloud/occ dav:sync-birthday-calendar
+			sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:sync-birthday-calendar
+		fi
+
+		# If we are upgrading from 9.0.x we should go to 9.1 first.
+		if grep -q "OC_VersionString = '9\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
+			echo "We are running ownCloud 9.0.x, upgrading to ownCloud 9.1.7 first"
+			InstallOwncloud 9.1.7 1307d997d0b23dc42742d315b3e2f11423a9c808
+		fi
+
+		# Newer ownCloud 9.1.x versions cannot be upgraded to Nextcloud 10 and have to be
+		# upgraded to Nextcloud 11 straight away, see:
+		# https://github.com/nextcloud/server/issues/2203
+		# However, for some reason, upgrading to the latest Nextcloud 11.0.7 doesn't
+		# work either. Therefore, we're upgrading to Nextcloud 11.0.0 in the interim.
+		# This should not be a problem since we're upgrading to the latest Nextcloud 12
+		# in the next step.
+		if grep -q "OC_VersionString = '9\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
+			echo "We are running ownCloud 9.1.x, upgrading to Nextcloud 11.0.0 first"
+			InstallNextcloud 11.0.0 e8c9ebe72a4a76c047080de94743c5c11735e72e
+		fi
+
+		# If we are upgrading from 10.0.x we should go to Nextcloud 11.0 first.
+		if grep -q "OC_VersionString = '10\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
+			echo "We are running Nextcloud 10.0.x, upgrading to Nextcloud 11.0.7 first"
+			InstallNextcloud 11.0.7 f936ddcb2ae3dbb66ee4926eb8b2ebbddc3facbe
 		fi
 	fi
 
-	InstallOwncloud $owncloud_ver $owncloud_hash
+	InstallNextcloud $owncloud_ver $owncloud_hash
 fi
 
-# ### Configuring ownCloud
+# ### Configuring Nextcloud
 
-# Setup ownCloud if the ownCloud database does not yet exist. Running setup when
+# Setup Nextcloud if the Nextcloud database does not yet exist. Running setup when
 # the database does exist wipes the database and user data.
 if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
 	# Create user data directory
@@ -174,7 +267,7 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
 
   'instanceid' => '$instanceid',
 
-  'forcessl' => true, # if unset/false, ownCloud sends a HSTS=0 header, which conflicts with nginx config
+  'forcessl' => true, # if unset/false, Nextcloud sends a HSTS=0 header, which conflicts with nginx config
 
   'overwritewebroot' => '/cloud',
   'overwrite.cli.url' => '/cloud',
@@ -184,7 +277,7 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
       'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}')
     )
   ),
-  'memcache.local' => '\OC\Memcache\APC',
+  'memcache.local' => '\OC\Memcache\APCu',
   'mail_smtpmode' => 'sendmail',
   'mail_smtpsecure' => '',
   'mail_smtpauthtype' => 'LOGIN',
@@ -194,7 +287,6 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
   'mail_smtpname' => '',
   'mail_smtppassword' => '',
   'mail_from_address' => 'owncloud',
-  'mail_domain' => '$PRIMARY_HOSTNAME',
 );
 ?>
 EOF
@@ -211,7 +303,7 @@ EOF
   'dbtype' => 'sqlite3',
 
   # create an administrator account with a random password so that
-  # the user does not have to enter anything on first load of ownCloud
+  # the user does not have to enter anything on first load of Nextcloud
   'adminlogin'    => 'root',
   'adminpass'     => '$adminpassword',
 );
@@ -221,7 +313,7 @@ EOF
 	# Set permissions
 	chown -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
 
-	# Execute ownCloud's setup step, which creates the ownCloud sqlite database.
+	# Execute Nextcloud's setup step, which creates the Nextcloud sqlite database.
 	# It also wipes it if it exists. And it updates config.php with database
 	# settings and deletes the autoconfig.php file.
 	(cd /usr/local/lib/owncloud; sudo -u www-data php /usr/local/lib/owncloud/index.php;)
@@ -235,6 +327,8 @@ fi
 # * We need to set the timezone to the system timezone to allow fail2ban to ban
 #   users within the proper timeframe
 # * We need to set the logdateformat to something that will work correctly with fail2ban
+# * mail_domain' needs to be set every time we run the setup. Making sure we are setting 
+#   the correct domain name if the domain is being change from the previous setup.
 # Use PHP to read the settings file, modify it, and write out the new settings array.
 TIMEZONE=$(cat /etc/timezone)
 CONFIG_TEMP=$(/bin/mktemp)
@@ -244,13 +338,15 @@ include("$STORAGE_ROOT/owncloud/config.php");
 
 \$CONFIG['trusted_domains'] = array('$PRIMARY_HOSTNAME');
 
-\$CONFIG['memcache.local'] = '\OC\Memcache\APC';
+\$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
 \$CONFIG['overwrite.cli.url'] = '/cloud';
 \$CONFIG['mail_from_address'] = 'administrator'; # just the local part, matches our master administrator address
 
 \$CONFIG['logtimezone'] = '$TIMEZONE';
 \$CONFIG['logdateformat'] = 'Y-m-d H:i:s';
 
+\$CONFIG['mail_domain'] = '$PRIMARY_HOSTNAME';
+
 echo "<?php\n\\\$CONFIG = ";
 var_export(\$CONFIG);
 echo ";";
@@ -258,9 +354,9 @@ echo ";";
 EOF
 chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 
-# Enable/disable apps. Note that this must be done after the ownCloud setup.
+# Enable/disable apps. Note that this must be done after the Nextcloud setup.
 # The firstrunwizard gave Josh all sorts of problems, so disabling that.
-# user_external is what allows ownCloud to use IMAP for login. The contacts
+# user_external is what allows Nextcloud to use IMAP for login. The contacts
 # and calendar apps are the extensions we really care about here.
 hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:disable firstrunwizard
 hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:enable user_external
@@ -275,7 +371,7 @@ if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
 
 # Set PHP FPM values to support large file uploads
 # (semicolon is the comment character in this file, hashes produce deprecation warnings)
-tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
 	upload_max_filesize=16G \
 	post_max_size=16G \
 	output_buffering=16384 \
@@ -283,13 +379,27 @@ tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
 	max_execution_time=600 \
 	short_open_tag=On
 
+# Set Nextcloud recommended opcache settings
+tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \
+	opcache.enable=1 \
+	opcache.enable_cli=1 \
+	opcache.interned_strings_buffer=8 \
+	opcache.max_accelerated_files=10000 \
+	opcache.memory_consumption=128 \
+	opcache.save_comments=1 \
+	opcache.revalidate_freq=1
+
+# Configure the path environment for php-fpm
+tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
+        env[PATH]=/usr/local/bin:/usr/bin:/bin
+
 # If apc is explicitly disabled we need to enable it
-if grep -q apc.enabled=0 /etc/php5/mods-available/apcu.ini; then
-	tools/editconf.py /etc/php5/mods-available/apcu.ini -c ';' \
+if grep -q apc.enabled=0 /etc/php/7.0/mods-available/apcu.ini; then
+	tools/editconf.py /etc/php/7.0/mods-available/apcu.ini -c ';' \
 		apc.enabled=1
 fi
 
-# Set up a cron job for owncloud.
+# Set up a cron job for Nextcloud.
 cat > /etc/cron.hourly/mailinabox-owncloud << EOF;
 #!/bin/bash
 # Mail-in-a-Box
@@ -297,8 +407,8 @@ sudo -u www-data php -f /usr/local/lib/owncloud/cron.php
 EOF
 chmod +x /etc/cron.hourly/mailinabox-owncloud
 
-# There's nothing much of interest that a user could do as an admin for ownCloud,
-# and there's a lot they could mess up, so we don't make any users admins of ownCloud.
+# There's nothing much of interest that a user could do as an admin for Nextcloud,
+# and there's a lot they could mess up, so we don't make any users admins of Nextcloud.
 # But if we wanted to, we would do this:
 # ```
 # for user in $(tools/mail.py user admins); do
@@ -307,5 +417,4 @@ chmod +x /etc/cron.hourly/mailinabox-owncloud
 # ```
 
 # Enable PHP modules and restart PHP.
-php5enmod imap
-restart_service php5-fpm
+restart_service php7.0-fpm

setup/questions.sh

@@ -12,7 +12,9 @@ if [ -z "$NONINTERACTIVE" ]; then
 		apt_get_quiet install dialog python3 python3-pip  || exit 1
 	fi
 
-	# email_validator is repeated in setup/management.sh
+	# Installing email_validator is repeated in setup/management.sh, but in setup/management.sh
+	# we install it inside a virtualenv. In this script, we don't have the virtualenv yet
+	# so we install the python package globally.
 	hide_output pip3 install "email_validator>=1.0.0" || exit 1
 
 	message_box "Mail-in-a-Box Installation" \
@@ -49,7 +51,7 @@ you really want.
 			# user hit ESC/cancel
 			exit
 		fi
-		while ! management/mailconfig.py validate-email "$EMAIL_ADDR"
+		while ! python3 management/mailconfig.py validate-email "$EMAIL_ADDR"
 		do
 			input_box "Your Email Address" \
 				"That's not a valid email address.\n\nWhat email address are you setting this box up to manage?" \

setup/spamassassin.sh

@@ -61,10 +61,11 @@ tools/editconf.py /etc/default/spampd \
 # content or execute scripts, and it is probably confusing to most users.
 #
 # Tell Spamassassin not to modify the original message except for adding
-# the X-Spam-Status mail header and related headers.
+# the X-Spam-Status & X-Spam-Score mail headers and related headers.
 tools/editconf.py /etc/spamassassin/local.cf -s \
 	report_safe=0 \
-	add_header="all Report _REPORT_"
+	add_header="all Report _REPORT_" \
+    add_header="all Score _SCORE_"
 
 # Bayesean learning
 # -----------------

setup/ssl.sh

@@ -74,7 +74,7 @@ if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
 	CSR=/tmp/ssl_cert_sign_req-$$.csr
 	hide_output \
 	openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $CSR \
-	  -sha256 -subj "/C=/ST=/L=/O=/CN=$PRIMARY_HOSTNAME"
+	  -sha256 -subj "/CN=$PRIMARY_HOSTNAME"
 
 	# Generate the self-signed certificate.
 	CERT=$STORAGE_ROOT/ssl/$PRIMARY_HOSTNAME-selfsigned-$(date --rfc-3339=date | sed s/-//g).pem

setup/system.sh

@@ -96,6 +96,12 @@ echo Updating system packages...
 hide_output apt-get update
 apt_get_quiet upgrade
 
+# Old kernels pile up over time and take up a lot of disk space, and because of Mail-in-a-Box
+# changes there may be other packages that are no longer needed. Clear out anything apt knows
+# is safe to delete.
+
+apt_get_quiet autoremove
+
 # ### Install System Packages
 
 # Install basic utilities.
@@ -119,6 +125,18 @@ apt_install python3 python3-dev python3-pip \
 	haveged pollinate unzip \
 	unattended-upgrades cron ntp fail2ban
 
+# ### Add PHP7 PPA
+
+# Nextcloud requires PHP7, we will install the ppa from ubuntu php maintainer Ondřej Surý
+# The PPA is located here https://launchpad.net/%7Eondrej/+archive/ubuntu/php
+# Unattended upgrades are activated for the repository If it appears it's already
+# installed, don't do it again so we can avoid an unnecessary call to apt-get update.
+if [ ! -f /etc/apt/sources.list.d/ondrej-php-trusty.list ]; then
+hide_output add-apt-repository -y ppa:ondrej/php
+apt_add_repository_to_unattended_upgrades LP-PPA-ondrej-php:trusty
+hide_output apt-get update
+fi
+
 # ### Suppress Upgrade Prompts
 # Since Mail-in-a-Box might jump straight to 18.04 LTS, there's no need
 # to be reminded about 16.04 on every login.
@@ -230,7 +248,7 @@ cat > /etc/apt/apt.conf.d/02periodic <<EOF;
 APT::Periodic::MaxAge "7";
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";
-APT::Periodic::Verbose "1";
+APT::Periodic::Verbose "0";
 EOF
 
 # ### Firewall

setup/web.sh

@@ -18,7 +18,11 @@ fi
 # Turn off nginx's default website.
 
 echo "Installing Nginx (web server)..."
-apt_install nginx php5-fpm
+
+apt_install nginx php7.0-cli php7.0-fpm
+
+# Set PHP7 as the default
+update-alternatives --set php /usr/bin/php7.0
 
 rm -f /etc/nginx/sites-enabled/default
 
@@ -40,15 +44,19 @@ tools/editconf.py /etc/nginx/nginx.conf -s \
 	server_names_hash_bucket_size="128;"
 
 # Tell PHP not to expose its version number in the X-Powered-By header.
-tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
 	expose_php=Off
 
 # Set PHPs default charset to UTF-8, since we use it. See #367.
-tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
         default_charset="UTF-8"
 
+# Switch from the dynamic process manager to the ondemand manager see #1216
+tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
+	pm=ondemand
+
 # Bump up PHP's max_children to support more concurrent connections
-tools/editconf.py /etc/php5/fpm/pool.d/www.conf -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
 	pm.max_children=8
 
 # Other nginx settings will be configured by the management service
@@ -103,7 +111,7 @@ done #NODOC
 
 # Start services.
 restart_service nginx
-restart_service php5-fpm
+restart_service php7.0-fpm
 
 # Open ports.
 ufw_allow http

setup/webmail.sh

@@ -22,8 +22,9 @@ source /etc/mailinabox.conf # load global vars
 echo "Installing Roundcube (webmail)..."
 apt_install \
 	dbconfig-common \
-	php5 php5-sqlite php5-mcrypt php5-intl php5-json php5-common php-auth php-net-smtp php-net-socket php-net-sieve php-mail-mime php-crypt-gpg php5-gd php5-pspell \
-	tinymce libjs-jquery libjs-jquery-mousewheel libmagic1
+	php7.0-cli php7.0-sqlite php7.0-mcrypt php7.0-intl php7.0-json php7.0-common \
+	php7.0-gd php7.0-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php7.0-mbstring
+
 apt_get_quiet remove php-mail-mimedecode # no longer needed since Roundcube 1.1.3
 
 # We used to install Roundcube from Ubuntu, without triggering the dependencies #NODOC
@@ -32,17 +33,16 @@ apt_get_quiet remove php-mail-mimedecode # no longer needed since Roundcube 1.1.
 apt-get purge -qq -y roundcube* #NODOC
 
 # Install Roundcube from source if it is not already present or if it is out of date.
-# Combine the Roundcube version number with the commit hash of vacation_sieve to track
-# whether we have the latest version.
-VERSION=1.2.4
-HASH=e2091ea775b80eda43ab225130d5a2e888c3789a
-VACATION_SIEVE_VERSION=91ea6f52216390073d1f5b70b5f6bea0bfaee7e5
-PERSISTENT_LOGIN_VERSION=c4516c4be37d12ef653de86497304e073a863c2a
+# Combine the Roundcube version number with the commit hash of plugins to track
+# whether we have the latest version of everything.
+VERSION=1.3.6
+HASH=ece5cfc9c7af0cbe90c0065ef33e85ed42991830
+PERSISTENT_LOGIN_VERSION=dc5ca3d3f4415cc41edb2fde533c8a8628a94c76
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
 CARDDAV_VERSION=2.0.4
 CARDDAV_HASH=d93f3cfb3038a519e71c7c3212c1d16f5da609a4
 
-UPDATE_KEY=$VERSION:$VACATION_SIEVE_VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION:a
+UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION
 
 # paths that are often reused.
 RCM_DIR=/usr/local/lib/roundcubemail
@@ -60,7 +60,7 @@ fi
 if [ $needs_update == 1 ]; then
 	# install roundcube
 	wget_verify \
-		https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION.tar.gz \
+		https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION-complete.tar.gz \
 		$HASH \
 		/tmp/roundcube.tgz
 	tar -C /usr/local/lib --no-same-owner -zxf /tmp/roundcube.tgz
@@ -68,9 +68,6 @@ if [ $needs_update == 1 ]; then
 	mv /usr/local/lib/roundcubemail-$VERSION/ $RCM_DIR
 	rm -f /tmp/roundcube.tgz
 
-	# install roundcube autoreply/vacation plugin
-	git_clone https://github.com/arodier/Roundcube-Plugins.git $VACATION_SIEVE_VERSION plugins/vacation_sieve ${RCM_PLUGIN_DIR}/vacation_sieve
-
 	# install roundcube persistent_login plugin
 	git_clone https://github.com/mfreiholz/Roundcube-Persistent-Login-Plugin.git $PERSISTENT_LOGIN_VERSION '' ${RCM_PLUGIN_DIR}/persistent_login
 
@@ -108,20 +105,32 @@ cat > $RCM_CONFIG <<EOF;
  */
 \$config = array();
 \$config['log_dir'] = '/var/log/roundcubemail/';
-\$config['temp_dir'] = '/tmp/roundcubemail/';
+\$config['temp_dir'] = '/var/tmp/roundcubemail/';
 \$config['db_dsnw'] = 'sqlite:///$STORAGE_ROOT/mail/roundcube/roundcube.sqlite?mode=0640';
 \$config['default_host'] = 'ssl://localhost';
 \$config['default_port'] = 993;
+\$config['imap_conn_options'] = array(
+  'ssl'         => array(
+     'verify_peer'  => false,
+     'verify_peer_name'  => false,
+   ),
+ );
 \$config['imap_timeout'] = 15;
 \$config['smtp_server'] = 'tls://127.0.0.1';
 \$config['smtp_port'] = 587;
 \$config['smtp_user'] = '%u';
 \$config['smtp_pass'] = '%p';
+\$config['smtp_conn_options'] = array(
+  'ssl'         => array(
+     'verify_peer'  => false,
+     'verify_peer_name'  => false,
+   ),
+ );
 \$config['support_url'] = 'https://mailinabox.email/';
 \$config['product_name'] = '$PRIMARY_HOSTNAME Webmail';
 \$config['des_key'] = '$SECRET_KEY';
-\$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'vacation_sieve', 'persistent_login', 'carddav');
-\$config['skin'] = 'classic';
+\$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'persistent_login', 'carddav');
+\$config['skin'] = 'larry';
 \$config['login_autocomplete'] = 2;
 \$config['password_charset'] = 'UTF-8';
 \$config['junk_mbox'] = 'Spam';
@@ -148,29 +157,9 @@ cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
 );
 EOF
 
-# Configure vaction_sieve.
-cat > /usr/local/lib/roundcubemail/plugins/vacation_sieve/config.inc.php <<EOF;
-<?php
-/* Do not edit. Written by Mail-in-a-Box. Regenerated on updates. */
-\$rcmail_config['vacation_sieve'] = array(
-    'date_format' => 'd/m/Y',
-    'working_hours' => array(8,18),
-    'msg_format' => 'text',
-    'logon_transform' => array('#([a-z])[a-z]+(\.|\s)([a-z])#i', '\$1\$3'),
-    'transfer' => array(
-        'mode' =>  'managesieve',
-        'ms_activate_script' => true,
-        'host'   => '127.0.0.1',
-        'port'   => '4190',
-        'usetls' => false,
-        'path' => 'vacation',
-    )
-);
-EOF
-
 # Create writable directories.
-mkdir -p /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
-chown -R www-data.www-data /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+chown -R www-data.www-data /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
 
 # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
 sudo -u www-data touch /var/log/roundcubemail/errors
@@ -210,5 +199,5 @@ chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 
 # Enable PHP modules.
-php5enmod mcrypt
-restart_service php5-fpm
+phpenmod -v php7.0 mcrypt imap
+restart_service php7.0-fpm

setup/zpush.sh

@@ -17,25 +17,32 @@ source /etc/mailinabox.conf # load global vars
 
 echo "Installing Z-Push (Exchange/ActiveSync server)..."
 apt_install \
-	php-soap php5-imap libawl-php php5-xsl
+	php7.0-soap php7.0-imap libawl-php php7.0-xsl
 
-php5enmod imap
+phpenmod -v php7.0 imap
 
 # Copy Z-Push into place.
-TARGETHASH=80cbe53de4ab8dd598d1f2af6f0a23fa396c529a
+VERSION=2.3.9
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 	needs_update=1 #NODOC
-elif [[ $TARGETHASH != `cat /usr/local/lib/z-push/version` ]]; then
+elif [[ $VERSION != `cat /usr/local/lib/z-push/version` ]]; then
 	# checks if the version
 	needs_update=1 #NODOC
 fi
 if [ $needs_update == 1 ]; then
-	git_clone https://github.com/fmbiete/Z-Push-contrib $TARGETHASH '' /usr/local/lib/z-push
+	rm -rf /usr/local/lib/z-push
+
+	git_clone https://stash.z-hub.io/scm/zp/z-push.git $VERSION '' /tmp/z-push
+
+	mkdir /usr/local/lib/z-push
+	cp -r /tmp/z-push/src/* /usr/local/lib/z-push
+	rm -rf /tmp/z-push
+
 	rm -f /usr/sbin/z-push-{admin,top}
 	ln -s /usr/local/lib/z-push/z-push-admin.php /usr/sbin/z-push-admin
 	ln -s /usr/local/lib/z-push/z-push-top.php /usr/sbin/z-push-top
-	echo $TARGETHASH > /usr/local/lib/z-push/version
+	echo $VERSION > /usr/local/lib/z-push/version
 fi
 
 # Configure default config.
@@ -67,6 +74,7 @@ cp conf/zpush/backend_caldav.php /usr/local/lib/z-push/backend/caldav/config.php
 rm -f /usr/local/lib/z-push/autodiscover/config.php
 cp conf/zpush/autodiscover_config.php /usr/local/lib/z-push/autodiscover/config.php
 sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /usr/local/lib/z-push/autodiscover/config.php
+sed -i "s^define('TIMEZONE', .*^define('TIMEZONE', '$(cat /etc/timezone)');^" /usr/local/lib/z-push/autodiscover/config.php
 
 # Some directories it will use.
 
@@ -92,4 +100,8 @@ EOF
 
 # Restart service.
 
-restart_service php5-fpm
+restart_service php7.0-fpm
+
+# Fix states after upgrade
+
+hide_output z-push-admin -a fixstates

tests/tls.py

@@ -61,9 +61,9 @@ common_opts = ["--sslv2", "--sslv3", "--tlsv1", "--tlsv1_1", "--tlsv1_2", "--ren
 # Assumes TLSv1, TLSv1.1, TLSv1.2.
 #
 # The 'old' ciphers bring compatibility back to Win XP IE 6.
-MOZILLA_CIPHERS_MODERN = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
-MOZILLA_CIPHERS_INTERMEDIATE = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
-MOZILLA_CIPHERS_OLD = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+MOZILLA_CIPHERS_MODERN = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+MOZILLA_CIPHERS_INTERMEDIATE = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+MOZILLA_CIPHERS_OLD = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
 
 ######################################################################
 

tests/tls_results.txt

@@ -93,9 +93,9 @@ PORT 25
   * SSLV3 Cipher Suites:
       Server rejected all cipher suites.
 
-  Should Not Offer: DHE-RSA-SEED-SHA, EDH-RSA-DES-CBC3-SHA, SEED-SHA
-  Could Also Offer: DH-DSS-AES128-GCM-SHA256, DH-DSS-AES128-SHA, DH-DSS-AES128-SHA256, DH-DSS-AES256-GCM-SHA384, DH-DSS-AES256-SHA, DH-DSS-AES256-SHA256, DH-DSS-CAMELLIA128-SHA, DH-DSS-CAMELLIA256-SHA, DH-DSS-DES-CBC3-SHA, DH-RSA-AES128-GCM-SHA256, DH-RSA-AES128-SHA, DH-RSA-AES128-SHA256, DH-RSA-AES256-GCM-SHA384, DH-RSA-AES256-SHA, DH-RSA-AES256-SHA256, DH-RSA-CAMELLIA128-SHA, DH-RSA-CAMELLIA256-SHA, DH-RSA-DES-CBC3-SHA, DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA, SRP-3DES-EDE-CBC-SHA, SRP-AES-128-CBC-SHA, SRP-AES-256-CBC-SHA, SRP-DSS-3DES-EDE-CBC-SHA, SRP-DSS-AES-128-CBC-SHA, SRP-DSS-AES-256-CBC-SHA, SRP-RSA-3DES-EDE-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-RSA-AES-256-CBC-SHA
-  Supported Clients: OpenSSL/1.0.2, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/OS X 10.10, Safari/8/iOS 8.1.2, Safari/7/OS X 10.9, Safari/6/iOS 6.0.1, Firefox/31.3.0 ESR/Win 7, Baidu/Jan 2015, IE/11/Win 8.1, IE/11/Win 7, IE Mobile/11/Win Phone 8.1, Android/5.0.0, Java/8u31, Chrome/42/OS X, Googlebot/Feb 2015, Android/4.1.1, Android/4.0.4, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Android/4.3, Safari/5.1.9/OS X 10.6.8, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE/8-10/Win 7, IE/7/Vista, IE Mobile/10/Win Phone 8.0, Android/2.3.7, Java/6u45, IE/8/XP
+  Should Not Offer: (none -- good)
+  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, DHE-DSS-SEED-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA
+  Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Chrome/42/OS X, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Android/2.3.7, Java/6u45, IE/8/XP
 
 PORT 587
 --------
@@ -183,9 +183,9 @@ PORT 587
   * SSLV3 Cipher Suites:
       Server rejected all cipher suites.
 
-  Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-RSA-SEED-SHA, SEED-SHA
-  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384
-  Supported Clients: OpenSSL/1.0.2, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE/11/Win 7, IE Mobile/11/Win Phone 8.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/6/iOS 6.0.1, Firefox/31.3.0 ESR/Win 7, Baidu/Jan 2015, Chrome/42/OS X, Android/5.0.0, Java/8u31, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Android/4.3, Safari/5.1.9/OS X 10.6.8, IE/8-10/Win 7, IE/7/Vista, IE Mobile/10/Win Phone 8.0, OpenSSL/0.9.8y, Java/7u25, Java/6u45, Android/2.3.7
+  Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-RSA-SEED-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, SEED-SHA
+  Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384
+  Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, IE/11/Win 7, IE/11/Win 8.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, IE Mobile/11/Win Phone 8.1, Safari/8/OS X 10.10, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Java/8u31, Android/5.0.0, Chrome/42/OS X, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/7u25, Android/2.3.7, Java/6u45
 
 PORT 443
 --------
@@ -200,16 +200,16 @@ PORT 443
   * OpenSSL Heartbleed:
       OK - Not vulnerable to Heartbleed  
 
-  * Session Resumption:
-      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
-      With TLS Session Tickets:          OK - Supported
-
   * HTTP Strict Transport Security:
-      OK - HSTS header received:         max-age=31536000
+      OK - HSTS header received:         max-age=15768000
 
 Unhandled exception when processing --chrome_sha1: 
 exceptions.TypeError - Incorrect padding
 
+  * Session Resumption:
+      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
+      With TLS Session Tickets:          OK - Supported
+
   * SSLV2 Cipher Suites:
       Server rejected all cipher suites.
 
@@ -223,12 +223,20 @@ exceptions.TypeError - Incorrect padding
                  DHE-RSA-AES256-SHA256         DH-2048 bits   256 bits      HTTP 200 OK                        
                  DHE-RSA-AES256-SHA            DH-2048 bits   256 bits      HTTP 200 OK                        
                  DHE-RSA-AES256-GCM-SHA384     DH-2048 bits   256 bits      HTTP 200 OK                        
+                 AES256-SHA256                 -              256 bits      HTTP 200 OK                        
+                 AES256-SHA                    -              256 bits      HTTP 200 OK                        
+                 AES256-GCM-SHA384             -              256 bits      HTTP 200 OK                        
                  ECDHE-RSA-AES128-SHA256       ECDH-256 bits  128 bits      HTTP 200 OK                        
                  ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 200 OK                        
                  ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits      HTTP 200 OK                        
                  DHE-RSA-AES128-SHA256         DH-2048 bits   128 bits      HTTP 200 OK                        
                  DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      HTTP 200 OK                        
                  DHE-RSA-AES128-GCM-SHA256     DH-2048 bits   128 bits      HTTP 200 OK                        
+                 AES128-SHA256                 -              128 bits      HTTP 200 OK                        
+                 AES128-SHA                    -              128 bits      HTTP 200 OK                        
+                 AES128-GCM-SHA256             -              128 bits      HTTP 200 OK                        
+                 ECDHE-RSA-DES-CBC3-SHA        ECDH-256 bits  112 bits      HTTP 200 OK                        
+                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits      HTTP 200 OK                        
                  DES-CBC3-SHA                  -              112 bits      HTTP 200 OK                        
 
   * TLSV1_1 Cipher Suites:
@@ -237,8 +245,12 @@ exceptions.TypeError - Incorrect padding
       Accepted:                        
                  ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 200 OK                        
                  DHE-RSA-AES256-SHA            DH-2048 bits   256 bits      HTTP 200 OK                        
+                 AES256-SHA                    -              256 bits      HTTP 200 OK                        
                  ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 200 OK                        
                  DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      HTTP 200 OK                        
+                 AES128-SHA                    -              128 bits      HTTP 200 OK                        
+                 ECDHE-RSA-DES-CBC3-SHA        ECDH-256 bits  112 bits      HTTP 200 OK                        
+                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits      HTTP 200 OK                        
                  DES-CBC3-SHA                  -              112 bits      HTTP 200 OK                        
 
   * TLSV1 Cipher Suites:
@@ -247,16 +259,20 @@ exceptions.TypeError - Incorrect padding
       Accepted:                        
                  ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 200 OK                        
                  DHE-RSA-AES256-SHA            DH-2048 bits   256 bits      HTTP 200 OK                        
+                 AES256-SHA                    -              256 bits      HTTP 200 OK                        
                  ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 200 OK                        
                  DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      HTTP 200 OK                        
+                 AES128-SHA                    -              128 bits      HTTP 200 OK                        
+                 ECDHE-RSA-DES-CBC3-SHA        ECDH-256 bits  112 bits      HTTP 200 OK                        
+                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits      HTTP 200 OK                        
                  DES-CBC3-SHA                  -              112 bits      HTTP 200 OK                        
 
   * SSLV3 Cipher Suites:
       Server rejected all cipher suites.
 
   Should Not Offer: (none -- good)
-  Could Also Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DH-DSS-AES128-GCM-SHA256, DH-DSS-AES128-SHA, DH-DSS-AES128-SHA256, DH-DSS-AES256-GCM-SHA384, DH-DSS-AES256-SHA, DH-DSS-AES256-SHA256, DH-DSS-CAMELLIA128-SHA, DH-DSS-CAMELLIA256-SHA, DH-RSA-AES128-GCM-SHA256, DH-RSA-AES128-SHA, DH-RSA-AES128-SHA256, DH-RSA-AES256-GCM-SHA384, DH-RSA-AES256-SHA, DH-RSA-AES256-SHA256, DH-RSA-CAMELLIA128-SHA, DH-RSA-CAMELLIA256-SHA, DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, SRP-AES-128-CBC-SHA, SRP-AES-256-CBC-SHA, SRP-DSS-AES-128-CBC-SHA, SRP-DSS-AES-256-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-RSA-AES-256-CBC-SHA
-  Supported Clients: OpenSSL/1.0.2, OpenSSL/1.0.1l, BingPreview/Jan 2015, YandexBot/Jan 2015, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/OS X 10.10, Safari/8/iOS 8.1.2, Safari/7/OS X 10.9, Safari/6/iOS 6.0.1, Chrome/42/OS X, IE/11/Win 8.1, IE/11/Win 7, Android/5.0.0, Java/8u31, IE Mobile/11/Win Phone 8.1, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Firefox/37/OS X, Android/4.1.1, Android/4.0.4, Baidu/Jan 2015, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Android/4.3, Safari/5.1.9/OS X 10.6.8, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, Java/7u25, Android/2.3.7, Java/6u45, IE/8/XP
+  Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA
+  Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP
 
 PORT 993
 --------
@@ -270,64 +286,73 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
   * OpenSSL Heartbleed:
       OK - Not vulnerable to Heartbleed  
 
+  * SSLV2 Cipher Suites:
+      Server rejected all cipher suites.
+
   * Session Resumption:
       With Session IDs:                  NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts).
       With TLS Session Tickets:          NOT SUPPORTED - TLS ticket assigned but not accepted.
 
-  * SSLV2 Cipher Suites:
-      Server rejected all cipher suites.
-
   * TLSV1_2 Cipher Suites:
       Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-384 bits  128 bits                                         
       Accepted:                        
+                 ECDHE-RSA-AES256-SHA384       ECDH-384 bits  256 bits                                         
                  ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
-                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
-                 CAMELLIA256-SHA               -              256 bits                                         
+                 ECDHE-RSA-AES256-GCM-SHA384   ECDH-384 bits  256 bits                                         
+                 DHE-RSA-AES256-SHA256         DH-2048 bits   256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
+                 DHE-RSA-AES256-GCM-SHA384     DH-2048 bits   256 bits                                         
+                 AES256-SHA256                 -              256 bits                                         
                  AES256-SHA                    -              256 bits                                         
+                 AES256-GCM-SHA384             -              256 bits                                         
+                 ECDHE-RSA-AES128-SHA256       ECDH-384 bits  128 bits                                         
                  ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
-                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
-                 CAMELLIA128-SHA               -              128 bits                                         
+                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-384 bits  128 bits                                         
+                 DHE-RSA-AES128-SHA256         DH-2048 bits   128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
+                 DHE-RSA-AES128-GCM-SHA256     DH-2048 bits   128 bits                                         
+                 AES128-SHA256                 -              128 bits                                         
                  AES128-SHA                    -              128 bits                                         
+                 AES128-GCM-SHA256             -              128 bits                                         
+                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
+                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
+                 DES-CBC3-SHA                  -              112 bits                                         
 
   * TLSV1_1 Cipher Suites:
       Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
       Accepted:                        
                  ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
-                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
-                 CAMELLIA256-SHA               -              256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
                  AES256-SHA                    -              256 bits                                         
                  ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
-                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
-                 CAMELLIA128-SHA               -              128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
                  AES128-SHA                    -              128 bits                                         
+                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
+                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
+                 DES-CBC3-SHA                  -              112 bits                                         
 
   * TLSV1 Cipher Suites:
       Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
       Accepted:                        
                  ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
-                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
-                 CAMELLIA256-SHA               -              256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
                  AES256-SHA                    -              256 bits                                         
                  ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
-                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
-                 CAMELLIA128-SHA               -              128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
                  AES128-SHA                    -              128 bits                                         
+                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
+                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
+                 DES-CBC3-SHA                  -              112 bits                                         
 
   * SSLV3 Cipher Suites:
       Server rejected all cipher suites.
 
-  Should Not Offer: AES128-SHA, AES256-SHA, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA
-  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384
-  Supported Clients: OpenSSL/1.0.2, Firefox/31.3.0 ESR/Win 7, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, Baidu/Jan 2015, Safari/7/iOS 7.1, Chrome/42/OS X, Googlebot/Feb 2015, Android/4.0.4, Safari/8/iOS 8.1.2, Android/4.1.1, Android/5.0.0, Safari/6/iOS 6.0.1, YandexBot/Jan 2015, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Safari/8/OS X 10.10, Firefox/37/OS X, Safari/7/OS X 10.9, Android/4.3, Safari/5.1.9/OS X 10.6.8, Android/4.4.2, IE/8-10/Win 7, IE/7/Vista, IE/11/Win 8.1, IE/11/Win 7, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, IE Mobile/11/Win Phone 8.1, Java/7u25, Java/8u31, Java/6u45, Android/2.3.7
+  Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DES-CBC3-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
+  Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384
+  Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP
 
 PORT 995
 --------
@@ -341,62 +366,71 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
   * OpenSSL Heartbleed:
       OK - Not vulnerable to Heartbleed  
 
+  * SSLV2 Cipher Suites:
+      Server rejected all cipher suites.
+
   * Session Resumption:
       With Session IDs:                  NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts).
       With TLS Session Tickets:          NOT SUPPORTED - TLS ticket assigned but not accepted.
 
-  * SSLV2 Cipher Suites:
-      Server rejected all cipher suites.
-
   * TLSV1_2 Cipher Suites:
       Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-384 bits  128 bits                                         
       Accepted:                        
+                 ECDHE-RSA-AES256-SHA384       ECDH-384 bits  256 bits                                         
                  ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
-                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
-                 CAMELLIA256-SHA               -              256 bits                                         
+                 ECDHE-RSA-AES256-GCM-SHA384   ECDH-384 bits  256 bits                                         
+                 DHE-RSA-AES256-SHA256         DH-2048 bits   256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
+                 DHE-RSA-AES256-GCM-SHA384     DH-2048 bits   256 bits                                         
+                 AES256-SHA256                 -              256 bits                                         
                  AES256-SHA                    -              256 bits                                         
+                 AES256-GCM-SHA384             -              256 bits                                         
+                 ECDHE-RSA-AES128-SHA256       ECDH-384 bits  128 bits                                         
                  ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
-                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
-                 CAMELLIA128-SHA               -              128 bits                                         
+                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-384 bits  128 bits                                         
+                 DHE-RSA-AES128-SHA256         DH-2048 bits   128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
+                 DHE-RSA-AES128-GCM-SHA256     DH-2048 bits   128 bits                                         
+                 AES128-SHA256                 -              128 bits                                         
                  AES128-SHA                    -              128 bits                                         
+                 AES128-GCM-SHA256             -              128 bits                                         
+                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
+                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
+                 DES-CBC3-SHA                  -              112 bits                                         
 
   * TLSV1_1 Cipher Suites:
       Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
       Accepted:                        
                  ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
-                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
-                 CAMELLIA256-SHA               -              256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
                  AES256-SHA                    -              256 bits                                         
                  ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
-                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
-                 CAMELLIA128-SHA               -              128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
                  AES128-SHA                    -              128 bits                                         
+                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
+                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
+                 DES-CBC3-SHA                  -              112 bits                                         
 
   * TLSV1 Cipher Suites:
       Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
       Accepted:                        
                  ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
-                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
-                 CAMELLIA256-SHA               -              256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
                  AES256-SHA                    -              256 bits                                         
                  ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
-                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
-                 CAMELLIA128-SHA               -              128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
                  AES128-SHA                    -              128 bits                                         
+                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
+                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
+                 DES-CBC3-SHA                  -              112 bits                                         
 
   * SSLV3 Cipher Suites:
       Server rejected all cipher suites.
 
-  Should Not Offer: AES128-SHA, AES256-SHA, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA
-  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384
-  Supported Clients: OpenSSL/1.0.2, Firefox/31.3.0 ESR/Win 7, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, Baidu/Jan 2015, Safari/7/iOS 7.1, Chrome/42/OS X, Googlebot/Feb 2015, Android/4.0.4, Safari/8/iOS 8.1.2, Android/4.1.1, Android/5.0.0, Safari/6/iOS 6.0.1, YandexBot/Jan 2015, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Safari/8/OS X 10.10, Firefox/37/OS X, Safari/7/OS X 10.9, Android/4.3, Safari/5.1.9/OS X 10.6.8, Android/4.4.2, IE/8-10/Win 7, IE/7/Vista, IE/11/Win 8.1, IE/11/Win 7, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, IE Mobile/11/Win Phone 8.1, Java/7u25, Java/8u31, Java/6u45, Android/2.3.7
+  Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DES-CBC3-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
+  Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384
+  Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP
 

tools/owncloud-restore.sh

@@ -27,10 +27,11 @@ fi
 
 echo "Restoring backup from $1"
 service php5-fpm stop
+service php7.0-fpm stop
 
-# remove the current owncloud installation
+# remove the current ownCloud/Nextcloud installation
 rm -rf /usr/local/lib/owncloud/
-# restore the current owncloud application
+# restore the current ownCloud/Nextcloud application
 cp -r  "$1/owncloud-install" /usr/local/lib/owncloud
 
 # restore access rights
@@ -46,4 +47,5 @@ chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off
 
 service php5-fpm start
+service php7.0-fpm start
 echo "Done"

tools/owncloud-unlockadmin.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# This script will give you administrative access to the ownCloud
+# This script will give you administrative access to the Nextcloud
 # instance running here.
 #
 # Run this at your own risk. This is for testing & experimentation
@@ -13,8 +13,8 @@ test -z "$1" || ADMIN=$1
 
 echo I am going to unlock admin features for $ADMIN.
 echo You can provide another user to unlock as the first argument of this script.
-echo 
-echo WARNING: you could break mail-in-a-box when fiddling around with owncloud\'s admin interface
+echo
+echo WARNING: you could break mail-in-a-box when fiddling around with Nextcloud\'s admin interface
 echo If in doubt, press CTRL-C to cancel.
 echo 
 echo Press enter to continue.

tools/update-subresource-integrity.py

@@ -1,24 +0,0 @@
-#!/usr/bin/python3
-# Updates subresource integrity attributes in management/templates/index.html
-# to prevent CDN-hosted resources from being used as an attack vector. Run this
-# after updating the Bootstrap and jQuery <link> and <script> to compute the
-# appropriate hash and insert it into the template.
-
-import re, urllib.request, hashlib, base64
-
-fn = "management/templates/index.html"
-
-with open(fn, 'r') as f:
-	content = f.read()
-
-def make_integrity(url):
-	resource = urllib.request.urlopen(url).read()
-	return "sha256-" + base64.b64encode(hashlib.sha256(resource).digest()).decode('ascii')
-
-content = re.sub(
-	r'<(link rel="stylesheet" href|script src)="(.*?)" integrity="(.*?)"',
-	lambda m : '<' + m.group(1) + '="' + m.group(2) + '" integrity="' + make_integrity(m.group(2)) + '"',
-	content)
-
-with open(fn, 'w') as f:
-	f.write(content)