v0.23

Updated the setup file to use roundcube's 'larry' theme as the default.

CHANGELOG.md

@@ -1,6 +1,30 @@
 CHANGELOG
 =========
 
+v0.23 (May 30, 2017)
+--------------------
+
+Mail:
+
+* The default theme for Roundcube was changed to the nicer Larry theme.
+* Exchange/ActiveSync support has been replaced with z-push 2.3.6 from z-push.org (rather than z-push-contrib).
+
+ownCloud (now Nextcloud):
+
+* ownCloud is replaced with Nextcloud 10.0.5.
+* Fixed an error in Owncloud/Nextcloud setup not updating domain when changing hostname.
+
+Control Panel/Management:
+
+* Fix an error in the control panel showing rsync backup status.
+* Fix an error in the control panel related to IPv6 addresses.
+* TLS certificates for internationalized domain names can now be provisioned from Let's Encrypt automatically.
+* Third-party assets used in the control panel (jQuery/Bootstrap) are now downloaded during setup and served from the box rather than from a CDN.
+
+DNS:
+
+* Add support for custom CAA records.
+
 v0.22 (April 2, 2017)
 ---------------------
 

README.md

@@ -28,7 +28,7 @@ It is a one-click email appliance. There are no user-configurable setup options.
 
 The components installed are:
 
-* SMTP ([postfix](http://www.postfix.org/)), IMAP ([dovecot](http://dovecot.org/)), CardDAV/CalDAV ([ownCloud](https://owncloud.org/)), Exchange ActiveSync ([z-push](https://github.com/fmbiete/Z-Push-contrib))
+* SMTP ([postfix](http://www.postfix.org/)), IMAP ([dovecot](http://dovecot.org/)), CardDAV/CalDAV ([Nextcloud](https://nextcloud.com/)), Exchange ActiveSync ([z-push](http://z-push.org/))
 * Webmail ([Roundcube](http://roundcube.net/)), static website hosting ([nginx](http://nginx.org/))
 * Spam filtering ([spamassassin](https://spamassassin.apache.org/)), greylisting ([postgrey](http://postgrey.schweikert.ch/))
 * DNS ([nsd4](https://www.nlnetlabs.nl/projects/nsd/)) with [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework), DKIM ([OpenDKIM](http://www.opendkim.org/)), [DMARC](https://en.wikipedia.org/wiki/DMARC), [DNSSEC](https://en.wikipedia.org/wiki/DNSSEC), [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities), and [SSHFP](https://tools.ietf.org/html/rfc4255) records automatically set
@@ -59,7 +59,7 @@ by me:
 	$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 	gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
 
-	$ git verify-tag v0.22
+	$ git verify-tag v0.23
 	gpg: Signature made ..... using RSA key ID C10BDD81
 	gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
 	gpg: WARNING: This key is not certified with a trusted signature!
@@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r
 
 Checkout the tag corresponding to the most recent release:
 
-	$ git checkout v0.22
+	$ git checkout v0.23
 
 Begin the installation.
 

conf/fail2ban/jails.conf

@@ -34,7 +34,7 @@ findtime = 30
 enabled  = true
 port     = http,https
 filter   = miab-owncloud
-logpath  = STORAGE_ROOT/owncloud/owncloud.log
+logpath  = STORAGE_ROOT/owncloud/nextcloud.log
 maxretry = 20
 findtime = 120
 

conf/nginx-alldomains.conf

@@ -70,7 +70,7 @@
 	# takes precedence over all non-regex matches and only regex matches that
 	# come after it (i.e. none of those, since this is the last one.) That means
 	# we're blocking dotfiles in the static hosted sites but not the FastCGI-
-	# handled locations for ownCloud (which serves user-uploaded files that might
+	# handled locations for Nextcloud (which serves user-uploaded files that might
 	# have this pattern, see #414) or some of the other services.
 	location ~ /\.(ht|svn|git|hg|bzr) {
 		log_not_found off;

conf/nginx-primaryonly.conf

@@ -1,6 +1,9 @@
 	# Control Panel
 	# Proxy /admin to our Python based control panel daemon. It is
 	# listening on IPv4 only so use an IP address and not 'localhost'.
+	location /admin/assets {
+		alias /usr/local/lib/mailinabox/vendor/assets;
+	}
 	rewrite ^/admin$ /admin/;
 	rewrite ^/admin/munin$ /admin/munin/ redirect;
 	location /admin/ {
@@ -12,7 +15,7 @@
 		add_header Strict-Transport-Security max-age=31536000;
 	}
 
-	# ownCloud configuration.
+	# Nextcloud configuration.
 	rewrite ^/cloud$ /cloud/ redirect;
 	rewrite ^/cloud/$ /cloud/index.php;
 	rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect;
@@ -41,13 +44,11 @@
 		fastcgi_param MOD_X_ACCEL_REDIRECT_PREFIX /owncloud-xaccel;
 		fastcgi_read_timeout 630;
 		fastcgi_pass php-fpm;
-		error_page 403 /cloud/core/templates/403.php;
-		error_page 404 /cloud/core/templates/404.php;
 		client_max_body_size 1G;
 		fastcgi_buffers 64 4K;
 	}
 	location ^~ /owncloud-xaccel/ {
-		# This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. ownCloud sends the full file
+		# This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. Nextcloud sends the full file
 		# path on disk as a subdirectory under this virtual path.
 		# We must only allow 'internal' redirects within nginx so that the filesystem
 		# is not exposed to the world.

conf/zpush/autodiscover_config.php

@@ -5,11 +5,12 @@
 * Descr     :   Autodiscover configuration file
 ************************************************/
 
+define('TIMEZONE', '');
+
 // Defines the base path on the server
 define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
 
-// The Z-Push server location for the autodiscover response
-define('SERVERURL', 'https://PRIMARY_HOSTNAME/Microsoft-Server-ActiveSync');
+define('ZPUSH_HOST', 'PRIMARY_HOSTNAME');
 
 define('USE_FULLEMAIL_FOR_LOGIN', true);
 
@@ -18,6 +19,7 @@ define('LOGFILE', LOGFILEDIR . 'autodiscover.log');
 define('LOGERRORFILE', LOGFILEDIR . 'autodiscover-error.log');
 define('LOGLEVEL', LOGLEVEL_INFO);
 define('LOGUSERLEVEL', LOGLEVEL);
+$specialLogUsers = array();
 
 // the backend data provider
 define('BACKEND_PROVIDER', 'BackendCombined');

conf/zpush/backend_carddav.php

@@ -17,7 +17,7 @@ define('CARDDAV_CONTACTS_FOLDER_NAME', '%u Addressbook');
 define('CARDDAV_SUPPORTS_SYNC', false);
 
 // If the CardDAV server supports the FN attribute for searches
-// DAViCal supports it, but SabreDav, Owncloud and SOGo don't
+// DAViCal supports it, but SabreDav, Nextcloud and SOGo don't
 // Setting this to true will search by FN. If false will search by sn, givenName and email
 // It's safe to leave it as false
 define('CARDDAV_SUPPORTS_FN_SEARCH', false);

conf/zpush/backend_imap.php

@@ -23,6 +23,9 @@ define('IMAP_FOLDER_TRASH', 'TRASH');
 define('IMAP_FOLDER_SPAM', 'SPAM');
 define('IMAP_FOLDER_ARCHIVE', 'ARCHIVE');
 
+define('IMAP_INLINE_FORWARD', true);
+define('IMAP_EXCLUDED_FOLDERS', '');
+
 define('IMAP_FROM_SQL_DSN', 'sqlite:STORAGE_ROOT/mail/roundcube/roundcube.sqlite');
 define('IMAP_FROM_SQL_USER', '');
 define('IMAP_FROM_SQL_PASSWORD', '');
@@ -49,5 +52,6 @@ global $imap_smtp_params;
 $imap_smtp_params = array('host' => 'ssl://127.0.0.1', 'port' => 587, 'auth' => true, 'username' => 'imap_username', 'password' => 'imap_password');
 
 define('MAIL_MIMEPART_CRLF', "\r\n");
+define('IMAP_MEETING_USE_CALDAV', true);
 
 ?>

management/backup.py

@@ -115,7 +115,7 @@ def backup_status(env):
 	# full backup. That full backup frees up this one to be deleted. But, the backup
 	# must also be at least min_age_in_days old too.
 	deleted_in = None
-	if incremental_count > 0 and first_full_size is not None:
+	if incremental_count > 0 and incremental_size > 0 and first_full_size is not None:
 		# How many days until the next incremental backup? First, the part of
 		# the algorithm based on increment sizes:
 		est_days_to_next_full = (.5 * first_full_size - incremental_size) / (incremental_size/incremental_count)
@@ -399,10 +399,11 @@ def list_target_files(config):
 		rsync_fn_size_re = re.compile(r'.*    ([^ ]*) [^ ]* [^ ]* (.*)')
 		rsync_target = '{host}:{path}'
 
-		if not target.path.endswith('/'):
-			target_path = target.path + '/'
-		if target.path.startswith('/'):
-			target_path = target.path[1:]
+		target_path = target.path
+		if not target_path.endswith('/'):
+			target_path = target_path + '/'
+		if target_path.startswith('/'):
+			target_path = target_path[1:]
 
 		rsync_command = [ 'rsync',
 					'-e',

management/dns_update.py

@@ -767,7 +767,7 @@ def set_custom_dns_record(qname, rtype, value, action, env):
 				v = ipaddress.ip_address(value) # raises a ValueError if there's a problem
 				if rtype == "A" and not isinstance(v, ipaddress.IPv4Address): raise ValueError("That's an IPv6 address.")
 				if rtype == "AAAA" and not isinstance(v, ipaddress.IPv6Address): raise ValueError("That's an IPv4 address.")
-		elif rtype in ("CNAME", "TXT", "SRV", "MX", "SSHFP"):
+		elif rtype in ("CNAME", "TXT", "SRV", "MX", "SSHFP", "CAA"):
 			# anything goes
 			pass
 		else:

management/ssl_certificates.py

@@ -214,12 +214,6 @@ def get_certificates_to_provision(env, show_extended_problems=True, force_domain
 	# Filter out domains that we can't provision a certificate for.
 	def can_provision_for_domain(domain):
 		from status_checks import normalize_ip
-		# Let's Encrypt doesn't yet support IDNA domains.
-		# We store domains in IDNA (ASCII). To see if this domain is IDNA,
-		# we'll see if its IDNA-decoded form is different.
-		if idna.decode(domain.encode("ascii")) != domain:
-			problems[domain] = "Let's Encrypt does not yet support provisioning certificates for internationalized domains."
-			return False
 
 		# Does the domain resolve to this machine in public DNS? If not,
 		# we can't do domain control validation. For IPv6 is configured,

management/status_checks.py

@@ -894,7 +894,10 @@ def run_and_output_changes(env, pool):
 def normalize_ip(ip):
 	# Use ipaddress module to normalize the IPv6 notation and ensure we are matching IPv6 addresses written in different representations according to rfc5952.
 	import ipaddress
-	return str(ipaddress.ip_address(ip))
+	try:
+		return str(ipaddress.ip_address(ip))
+	except:
+		return ip
 
 class FileOutput:
 	def __init__(self, buf, width):

management/templates/custom-dns.html

@@ -33,6 +33,7 @@
       <select id="customdnsType" class="form-control" style="max-width: 400px" onchange="show_customdns_rtype_hint()">
         <option value="A" data-hint="Enter an IPv4 address (i.e. a dotted quad, such as 123.456.789.012).">A (IPv4 address)</option>
         <option value="AAAA" data-hint="Enter an IPv6 address.">AAAA (IPv6 address)</option>
+        <option value="CAA" data-hint="Enter a CA that can issue certificates for this domain in the form of FLAG TAG VALUE. (0 issuewild &quot;letsencrypt.org&quot;)">CAA (Certificate Authority Authorization)</option>
         <option value="CNAME" data-hint="Enter another domain name followed by a period at the end (e.g. mypage.github.io.).">CNAME (DNS forwarding)</option>
         <option value="TXT" data-hint="Enter arbitrary text.">TXT (text record)</option>
         <option value="MX" data-hint="Enter record in the form of PRIORITY DOMAIN., including trailing period (e.g. 20 mx.example.com.).">MX (mail exchanger)</option>
@@ -125,7 +126,7 @@
 <tr><td>email</td> <td>The email address of any administrative user here.</td></tr>
 <tr><td>password</td> <td>That user&rsquo;s password.</td></tr>
 <tr><td>qname</td> <td>The fully qualified domain name for the record you are trying to set. It must be one of the domain names or a subdomain of one of the domain names hosted on this box. (Add mail users or aliases to add new domains.)</td></tr>
-<tr><td>rtype</td> <td>The resource type. Defaults to <code>A</code> if omitted. Possible values: <code>A</code> (an IPv4 address), <code>AAAA</code> (an IPv6 address), <code>TXT</code> (a text string), <code>CNAME</code> (an alias, which is a fully qualified domain name &mdash; don&rsquo;t forget the final period), <code>MX</code>, <code>SRV</code>, or <code>SSHFP</code>.</td></tr>
+<tr><td>rtype</td> <td>The resource type. Defaults to <code>A</code> if omitted. Possible values: <code>A</code> (an IPv4 address), <code>AAAA</code> (an IPv6 address), <code>TXT</code> (a text string), <code>CNAME</code> (an alias, which is a fully qualified domain name &mdash; don&rsquo;t forget the final period), <code>MX</code>, <code>SRV</code>, <code>SSHFP</code> or <code>CAA</code>.</td></tr>
 <tr><td>value</td> <td>For PUT, POST, and DELETE, the record&rsquo;s value. If the <code>rtype</code> is <code>A</code> or <code>AAAA</code> and <code>value</code> is empty or omitted, the IPv4 or IPv6 address of the remote host is used (be sure to use the <code>-4</code> or <code>-6</code> options to curl). This is handy for dynamic DNS!</td></tr>
 </table>
 

management/templates/index.html

@@ -9,7 +9,7 @@
 
         <meta name="robots" content="noindex, nofollow">
 
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
+        <link rel="stylesheet" href="/admin/assets/bootstrap.min.css">
         <style>
 	    body {
 		overflow-y: scroll;
@@ -63,7 +63,7 @@
 	       margin-bottom: 1em;
 	    }
         </style>
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous">
+        <link rel="stylesheet" href="/admin/assets/bootstrap-theme.min.css">
     </head>
     <body>
 
@@ -191,8 +191,8 @@
           </div>
         </div>
 
-        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js" integrity="sha256-rsPUGdUPBXgalvIj4YKJrrUlmLXbOb6Cp7cdxn1qeUc=" crossorigin="anonymous"></script>
-        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
+        <script src="/admin/assets/jquery.min.js"></script>
+        <script src="/admin/assets/bootstrap.min.js"></script>
 
         <script>
 var global_modal_state = null;

security.md

@@ -73,7 +73,7 @@ If DNSSEC is enabled at the box's domain name's registrar, the SSHFP record that
 
 `fail2ban` provides some protection from brute-force login attacks (repeated logins that guess account passwords) by blocking offending IP addresses at the network level.
 
-The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), ownCloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel & munin (over HTTP).
+The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), Nextcloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel & munin (over HTTP).
 
 Some other services running on the box may be missing fail2ban filters.
 

setup/bootstrap.sh

@@ -7,7 +7,7 @@
 #########################################################
 
 if [ -z "$TAG" ]; then
-	TAG=v0.22
+	TAG=v0.23
 fi
 
 # Are we running as root?

setup/dns.sh

@@ -23,7 +23,7 @@ apt_install nsd ldnsutils openssh-client
 mkdir -p /var/run/nsd
 
 cat > /etc/nsd/nsd.conf << EOF;
-# No not edit. Overwritten by Mail-in-a-Box setup.
+# Do not edit. Overwritten by Mail-in-a-Box setup.
 server:
   hide-version: yes
 

setup/management.sh

@@ -61,6 +61,32 @@ if [ ! -f $STORAGE_ROOT/backup/secret_key.txt ]; then
 	$(umask 077; openssl rand -base64 2048 > $STORAGE_ROOT/backup/secret_key.txt)
 fi
 
+
+# Download jQuery and Bootstrap local files
+
+# Make sure we have the directory to save to.
+assets_dir=/usr/local/lib/mailinabox/vendor/assets
+mkdir -p $assets_dir
+
+# jQuery CDN URL
+jquery_version=2.1.4
+jquery_url=https://code.jquery.com
+
+# Get jQuery
+wget_verify $jquery_url/jquery-$jquery_version.min.js 43dc554608df885a59ddeece1598c6ace434d747 $assets_dir/jquery.min.js
+
+# Bootstrap CDN URL
+bootstrap_version=3.3.7
+bootstrap_url=https://maxcdn.bootstrapcdn.com/bootstrap/$bootstrap_version
+
+# Get Bootstrap
+wget_verify $bootstrap_url/js/bootstrap.min.js 430a443d74830fe9be26efca431f448c1b3740f9 $assets_dir/bootstrap.min.js
+wget_verify $bootstrap_url/css/bootstrap-theme.min.css 8256575374f430476bdcd49de98c77990229ce31 $assets_dir/bootstrap-theme.min.css
+wget_verify $bootstrap_url/css/bootstrap-theme.min.css.map 87f7dfd79d77051ac2eca7d093d961fbd1c8f6eb $assets_dir/bootstrap-theme.min.css.map
+wget_verify $bootstrap_url/css/bootstrap.min.css 6527d8bf3e1e9368bab8c7b60f56bc01fa3afd68 $assets_dir/bootstrap.min.css
+wget_verify $bootstrap_url/css/bootstrap.min.css.map e0d7b2bde55a0bac1b658a507e8ca491a6729e06 $assets_dir/bootstrap.min.css.map
+
+
 # Link the management server daemon into a well known location.
 rm -f /usr/local/bin/mailinabox-daemon
 ln -s `pwd`/management/daemon.py /usr/local/bin/mailinabox-daemon

setup/owncloud.sh

@@ -1,13 +1,13 @@
 #!/bin/bash
-# Owncloud
+# Nextcloud
 ##########################
 
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
 
-# ### Installing ownCloud
+# ### Installing Nextcloud
 
-echo "Installing ownCloud (contacts/calendar)..."
+echo "Installing Nextcloud (contacts/calendar)..."
 
 apt_install \
 	dbconfig-common \
@@ -32,29 +32,48 @@ InstallOwncloud() {
 
 	version=$1
 	hash=$2
+	flavor=$3
 
 	echo
-	echo "Upgrading to ownCloud version $version"
+	echo "Upgrading to $flavor version $version"
 	echo
 
-	# Remove the current owncloud
+	# Remove the current owncloud/Nextcloud
 	rm -rf /usr/local/lib/owncloud
 
 	# Download and verify
-	wget_verify https://download.owncloud.org/community/owncloud-$version.zip $hash /tmp/owncloud.zip
+	if [ "$flavor" = "Nextcloud" ]; then
+		wget_verify https://download.nextcloud.com/server/releases/nextcloud-$version.zip $hash /tmp/owncloud.zip
+	else
+		wget_verify https://download.owncloud.org/community/owncloud-$version.zip $hash /tmp/owncloud.zip
+	fi
 
-	# Extract ownCloud
+	# Extract ownCloud/Nextcloud
 	unzip -q /tmp/owncloud.zip -d /usr/local/lib
+	if [ "$flavor" = "Nextcloud" ]; then
+		mv /usr/local/lib/nextcloud /usr/local/lib/owncloud
+	fi
 	rm -f /tmp/owncloud.zip
 
-	# The two apps we actually want are not in ownCloud core. Download the releases from
+	# The two apps we actually want are not in Nextcloud core. Download the releases from
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps
-	wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz
+
+	if [ "$flavor" = "Nextcloud" ]; then
+		wget_verify https://github.com/nextcloud/contacts/releases/download/v1.5.3/contacts.tar.gz 78c4d49e73f335084feecd4853bd8234cf32615e /tmp/contacts.tgz
+	else
+		wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz
+	fi
+
 	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz
 
-        wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz
+	if [ "$flavor" = "Nextcloud" ]; then
+		wget_verify https://github.com/nextcloud/calendar/releases/download/v1.5.2/calendar.tar.gz 7b8a94e01fe740c5c23017ed5bc211983c780fce /tmp/calendar.tgz
+	else
+    wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz
+	fi
+
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz
 
@@ -86,22 +105,23 @@ InstallOwncloud() {
 	fi
 }
 
-owncloud_ver=9.1.4
-owncloud_hash=e637cab7b2ca3346164f3506b1a0eb812b4e841a
+owncloud_ver=10.0.5
+owncloud_hash=686f6a8e9d7867c32e3bf3ca63b3cc2020564bf6
+owncloud_flavor=Nextcloud
 
-# Check if ownCloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade)
+# Check if Nextcloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade)
 if [ ! -d /usr/local/lib/owncloud/ ] \
         || ! grep -q $owncloud_ver /usr/local/lib/owncloud/version.php; then
 
 	# Stop php-fpm
 	hide_output service php5-fpm stop
 
-        # Backup the existing ownCloud.
+	# Backup the existing ownCloud/Nextcloud.
 	# Create a backup directory to store the current installation and database to
 	BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"`
 	mkdir -p "$BACKUP_DIRECTORY"
 	if [ -d /usr/local/lib/owncloud/ ]; then
-		echo "upgrading ownCloud to $owncloud_ver (backing up existing ownCloud installation, configuration and database to directory to $BACKUP_DIRECTORY..."
+		echo "upgrading ownCloud/Nextcloud to $owncloud_flavor $owncloud_ver (backing up existing installation, configuration and database to directory to $BACKUP_DIRECTORY..."
 		cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install"
 	fi
 	if [ -e /home/user-data/owncloud/owncloud.db ]; then
@@ -111,11 +131,11 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
                 cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY
         fi
 
-	# We only need to check if we do upgrades when owncloud was previously installed
+	# We only need to check if we do upgrades when owncloud/Nextcloud was previously installed
 	if [ -e /usr/local/lib/owncloud/version.php ]; then
 		if grep -q "8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running 8.1.x, upgrading to 8.2.3 first"
-			InstallOwncloud 8.2.3 bfdf6166fbf6fc5438dc358600e7239d1c970613
+			InstallOwncloud 8.2.3 bfdf6166fbf6fc5438dc358600e7239d1c970613 ownCloud
 		fi
 
 		# If we are upgrading from 8.2.x we should go to 9.0 first. Owncloud doesn't support skipping minor versions
@@ -139,7 +159,7 @@ EOF
 			chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 
 			# We can now install owncloud 9.0.2
-			InstallOwncloud 9.0.2 72a3d15d09f58c06fa8bee48b9e60c9cd356f9c5
+			InstallOwncloud 9.0.2 72a3d15d09f58c06fa8bee48b9e60c9cd356f9c5 ownCloud
 
 			# The owncloud 9 migration doesn't migrate calendars and contacts
 			# The option to migrate these are removed in 9.1
@@ -152,14 +172,21 @@ EOF
 			done
 			sudo -u www-data php /usr/local/lib/owncloud/occ dav:sync-birthday-calendar
 		fi
+
+		# If we are upgrading from 9.0.x we should go to 9.1 first.
+		if grep -q "9\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
+			echo "We are running ownCloud 9.0.x, upgrading to ownCloud 9.1.4 first"
+			InstallOwncloud 9.1.4 e637cab7b2ca3346164f3506b1a0eb812b4e841a ownCloud
+		fi
+
 	fi
 
-	InstallOwncloud $owncloud_ver $owncloud_hash
+	InstallOwncloud $owncloud_ver $owncloud_hash Nextcloud
 fi
 
-# ### Configuring ownCloud
+# ### Configuring Nextcloud
 
-# Setup ownCloud if the ownCloud database does not yet exist. Running setup when
+# Setup Nextcloud if the Nextcloud database does not yet exist. Running setup when
 # the database does exist wipes the database and user data.
 if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
 	# Create user data directory
@@ -174,7 +201,7 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
 
   'instanceid' => '$instanceid',
 
-  'forcessl' => true, # if unset/false, ownCloud sends a HSTS=0 header, which conflicts with nginx config
+  'forcessl' => true, # if unset/false, Nextcloud sends a HSTS=0 header, which conflicts with nginx config
 
   'overwritewebroot' => '/cloud',
   'overwrite.cli.url' => '/cloud',
@@ -194,7 +221,6 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
   'mail_smtpname' => '',
   'mail_smtppassword' => '',
   'mail_from_address' => 'owncloud',
-  'mail_domain' => '$PRIMARY_HOSTNAME',
 );
 ?>
 EOF
@@ -211,7 +237,7 @@ EOF
   'dbtype' => 'sqlite3',
 
   # create an administrator account with a random password so that
-  # the user does not have to enter anything on first load of ownCloud
+  # the user does not have to enter anything on first load of Nextcloud
   'adminlogin'    => 'root',
   'adminpass'     => '$adminpassword',
 );
@@ -221,7 +247,7 @@ EOF
 	# Set permissions
 	chown -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
 
-	# Execute ownCloud's setup step, which creates the ownCloud sqlite database.
+	# Execute Nextcloud's setup step, which creates the Nextcloud sqlite database.
 	# It also wipes it if it exists. And it updates config.php with database
 	# settings and deletes the autoconfig.php file.
 	(cd /usr/local/lib/owncloud; sudo -u www-data php /usr/local/lib/owncloud/index.php;)
@@ -235,6 +261,8 @@ fi
 # * We need to set the timezone to the system timezone to allow fail2ban to ban
 #   users within the proper timeframe
 # * We need to set the logdateformat to something that will work correctly with fail2ban
+# * mail_domain' needs to be set every time we run the setup. Making sure we are setting 
+#   the correct domain name if the domain is being change from the previous setup.
 # Use PHP to read the settings file, modify it, and write out the new settings array.
 TIMEZONE=$(cat /etc/timezone)
 CONFIG_TEMP=$(/bin/mktemp)
@@ -251,6 +279,8 @@ include("$STORAGE_ROOT/owncloud/config.php");
 \$CONFIG['logtimezone'] = '$TIMEZONE';
 \$CONFIG['logdateformat'] = 'Y-m-d H:i:s';
 
+\$CONFIG['mail_domain'] = '$PRIMARY_HOSTNAME';
+
 echo "<?php\n\\\$CONFIG = ";
 var_export(\$CONFIG);
 echo ";";
@@ -258,9 +288,9 @@ echo ";";
 EOF
 chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 
-# Enable/disable apps. Note that this must be done after the ownCloud setup.
+# Enable/disable apps. Note that this must be done after the Nextcloud setup.
 # The firstrunwizard gave Josh all sorts of problems, so disabling that.
-# user_external is what allows ownCloud to use IMAP for login. The contacts
+# user_external is what allows Nextcloud to use IMAP for login. The contacts
 # and calendar apps are the extensions we really care about here.
 hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:disable firstrunwizard
 hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:enable user_external
@@ -289,7 +319,7 @@ if grep -q apc.enabled=0 /etc/php5/mods-available/apcu.ini; then
 		apc.enabled=1
 fi
 
-# Set up a cron job for owncloud.
+# Set up a cron job for Nextcloud.
 cat > /etc/cron.hourly/mailinabox-owncloud << EOF;
 #!/bin/bash
 # Mail-in-a-Box
@@ -297,8 +327,8 @@ sudo -u www-data php -f /usr/local/lib/owncloud/cron.php
 EOF
 chmod +x /etc/cron.hourly/mailinabox-owncloud
 
-# There's nothing much of interest that a user could do as an admin for ownCloud,
-# and there's a lot they could mess up, so we don't make any users admins of ownCloud.
+# There's nothing much of interest that a user could do as an admin for Nextcloud,
+# and there's a lot they could mess up, so we don't make any users admins of Nextcloud.
 # But if we wanted to, we would do this:
 # ```
 # for user in $(tools/mail.py user admins); do

setup/webmail.sh

@@ -121,7 +121,7 @@ cat > $RCM_CONFIG <<EOF;
 \$config['product_name'] = '$PRIMARY_HOSTNAME Webmail';
 \$config['des_key'] = '$SECRET_KEY';
 \$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'vacation_sieve', 'persistent_login', 'carddav');
-\$config['skin'] = 'classic';
+\$config['skin'] = 'larry';
 \$config['login_autocomplete'] = 2;
 \$config['password_charset'] = 'UTF-8';
 \$config['junk_mbox'] = 'Spam';

setup/zpush.sh

@@ -22,7 +22,8 @@ apt_install \
 php5enmod imap
 
 # Copy Z-Push into place.
-TARGETHASH=80cbe53de4ab8dd598d1f2af6f0a23fa396c529a
+TARGETHASH=131229a8feda09782dfd06449adce3d5a219183f
+VERSION=2.3.6
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 	needs_update=1 #NODOC
@@ -31,7 +32,13 @@ elif [[ $TARGETHASH != `cat /usr/local/lib/z-push/version` ]]; then
 	needs_update=1 #NODOC
 fi
 if [ $needs_update == 1 ]; then
-	git_clone https://github.com/fmbiete/Z-Push-contrib $TARGETHASH '' /usr/local/lib/z-push
+	wget_verify http://download.z-push.org/final/2.3/z-push-$VERSION.tar.gz $TARGETHASH /tmp/z-push.tar.gz
+
+	rm -rf /usr/local/lib/z-push
+	tar -xzf /tmp/z-push.tar.gz -C /usr/local/lib/
+	rm /tmp/z-push.tar.gz
+	mv /usr/local/lib/z-push-$VERSION /usr/local/lib/z-push
+
 	rm -f /usr/sbin/z-push-{admin,top}
 	ln -s /usr/local/lib/z-push/z-push-admin.php /usr/sbin/z-push-admin
 	ln -s /usr/local/lib/z-push/z-push-top.php /usr/sbin/z-push-top
@@ -67,6 +74,7 @@ cp conf/zpush/backend_caldav.php /usr/local/lib/z-push/backend/caldav/config.php
 rm -f /usr/local/lib/z-push/autodiscover/config.php
 cp conf/zpush/autodiscover_config.php /usr/local/lib/z-push/autodiscover/config.php
 sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /usr/local/lib/z-push/autodiscover/config.php
+sed -i "s^define('TIMEZONE', .*^define('TIMEZONE', '$(cat /etc/timezone)');^" /usr/local/lib/z-push/autodiscover/config.php
 
 # Some directories it will use.
 
@@ -93,3 +101,7 @@ EOF
 # Restart service.
 
 restart_service php5-fpm
+
+# Fix states after upgrade
+
+hide_output z-push-admin -a fixstates

tools/owncloud-restore.sh

@@ -28,9 +28,9 @@ fi
 echo "Restoring backup from $1"
 service php5-fpm stop
 
-# remove the current owncloud installation
+# remove the current ownCloud/Nextcloud installation
 rm -rf /usr/local/lib/owncloud/
-# restore the current owncloud application
+# restore the current ownCloud/Nextcloud application
 cp -r  "$1/owncloud-install" /usr/local/lib/owncloud
 
 # restore access rights

tools/owncloud-unlockadmin.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# This script will give you administrative access to the ownCloud
+# This script will give you administrative access to the Nextcloud
 # instance running here.
 #
 # Run this at your own risk. This is for testing & experimentation
@@ -14,7 +14,7 @@ test -z "$1" || ADMIN=$1
 echo I am going to unlock admin features for $ADMIN.
 echo You can provide another user to unlock as the first argument of this script.
 echo
-echo WARNING: you could break mail-in-a-box when fiddling around with owncloud\'s admin interface
+echo WARNING: you could break mail-in-a-box when fiddling around with Nextcloud\'s admin interface
 echo If in doubt, press CTRL-C to cancel.
 echo 
 echo Press enter to continue.