WebAuthn MFA for the control panel

Reorganize TOTP in the control panel templates to allow adding multiple devices and disabling individual devices
2026-03-12 17:07:23 +01:00 · 2021-10-18 20:15:08 -04:00 · 2021-10-18 20:14:25 -04:00
22 changed files with 261 additions and 290 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,54 +1,17 @@
 CHANGELOG
 =========

-Version 57 (June 12, 2022)
--------------------------
-
-Setup:
-
-* Fixed issue upgrading from Mail-in-a-Box v0.40-v0.50 because of a changed URL that Nextcloud is downloaded from.
-
-Backups:
-
-* Fixed S3 backups which broke with duplicity 0.8.23.
-* Fixed Backblaze backups which broke with latest b2sdk package by rolling back its version.
-
-Control panel:
-
-* Fixed spurious changes in system status checks messages by sorting DNSSEC DS records.
-* Fixed fail2ban lockout over IPv6 from excessive loads of the system status checks.
-* Fixed an incorrect IPv6 system status check message.
-
-Version 56 (January 19, 2022)
-----------------------------
-
-Software updates:
-
-* Roundcube updated to 1.5.2 (from 1.5.0), and the persistent_login and CardDAV (to 4.3.0 from 3.0.3) plugins are updated.
-* Nextcloud updated to 20.0.14 (from 20.0.8), contacts to 4.0.7 (from 3.5.1), and calendar to 3.0.4 (from 2.2.0).
-
-Setup:
-
-* Fixed failed setup if a previous attempt failed while updating Nextcloud.
-
-Control panel:
-
-* Fixed a crash if a custom DNS entry is not under a zone managed by the box.
-* Fix DNSSEC instructions typo.
-
-Other:
-
-* Set systemd journald log retention to 10 days (from no limit) to reduce disk usage.
-* Fixed log processing for submission lines that have a sasl_sender or other extra information.
-* Fix DNS secondary nameserver refesh failure retry period.
-
-Version 55 (October 18, 2021)
-----------------------------
+In Development
+--------------

 Mail:

 * "SMTPUTF8" is now disabled in Postfix. Because Dovecot still does not support SMTPUTF8, incoming mail to internationalized addresses was bouncing. This fixes incoming mail to internationalized domains (which was probably working prior to v0.40), but it will prevent sending outbound mail to addresses with internationalized local-parts.
-* Upgraded to Roundcube 1.5.
+* Upgraded to Roundcube 1.5 Release Candidate.
+
+Firewall:
+
+* Fail2ban's IPv6 support is enabled.

 Control panel:

@@ -64,7 +27,6 @@ Control panel:

 Other:

-* Fail2ban's IPv6 support is enabled.
 * The mail log tool now doesn't crash if there are email addresess in log messages with invalid UTF-8 characters.
 * Additional nsd.conf files can be placed in /etc/nsd.conf.d.

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -20,9 +20,9 @@ _If you're seeing an error message about your *IP address being listed in the Sp

 ### Modifying your `hosts` file

-After a while, Mail-in-a-Box will be available at `192.168.56.4` (unless you changed that in your `Vagrantfile`). To be able to use the web-based bits, we recommend to add a hostname to your `hosts` file:
+After a while, Mail-in-a-Box will be available at `192.168.50.4` (unless you changed that in your `Vagrantfile`). To be able to use the web-based bits, we recommend to add a hostname to your `hosts` file:

-    $ echo "192.168.56.4 mailinabox.lan" | sudo tee -a /etc/hosts
+    $ echo "192.168.50.4 mailinabox.lan" | sudo tee -a /etc/hosts

 You should now be able to navigate to https://mailinabox.lan/admin using your browser. There should be an initial admin user with the name `me@mailinabox.lan` and the password `12345678`.

--- a/README.md
+++ b/README.md
@@ -60,7 +60,7 @@ Clone this repository and checkout the tag corresponding to the most recent rele

 	$ git clone https://github.com/mail-in-a-box/mailinabox
 	$ cd mailinabox
-	$ git checkout v57
+	$ git checkout v0.54

 Begin the installation.

--- a/2
+++ b/2
@@ -9,7 +9,7 @@ Vagrant.configure("2") do |config|
  # the machine's box will let anyone log into it. So instead we'll put the
  # machine on a private network.
  config.vm.hostname = "mailinabox.lan"
-  config.vm.network "private_network", ip: "192.168.56.4"
+  config.vm.network "private_network", ip: "192.168.50.4"

  config.vm.provision :shell, :inline => <<-SH
    # Set environment variables so that the setup script does
--- a/api/mailinabox.yml
+++ b/api/mailinabox.yml
@@ -71,7 +71,7 @@ paths:
      x-codeSamples:
        - lang: curl
          source: |
-            curl -X POST "https://{host}/admin/login" \
+            curl -X GET "https://{host}/admin/login" \
              -u "<email>:<password>"
      responses:
        200:
@@ -103,15 +103,13 @@ paths:
      x-codeSamples:
        - lang: curl
          source: |
-            curl -X POST "https://{host}/admin/logout" \
+            curl -X GET "https://{host}/admin/logout" \
              -u "<email>:<session_key>"
      responses:
        200:
          description: Successful operation
          content:
            application/json:
-              schema:
-                $ref: '#/components/schemas/LogoutResponse'
  /system/status:
    post:
      tags:
@@ -1742,7 +1740,7 @@ paths:
            text/html:
              schema:
                type: string
-  /mfa/totp/enable:
+  /mfa/enable/totp:
    post:
      tags:
        - MFA
@@ -2725,8 +2723,3 @@ components:
          nullable: true
    MfaDisableSuccessResponse:
      type: string
-    LogoutResponse:
-      type: object
-      properties:
-        status:
-          type: string
--- a/conf/fail2ban/jails.conf
+++ b/conf/fail2ban/jails.conf
@@ -5,7 +5,7 @@
 # Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
 # ping services over the public interface so we should whitelist that address of
 # ours too. The string is substituted during installation.
-ignoreip = 127.0.0.1/8 PUBLIC_IP ::1 PUBLIC_IPV6
+ignoreip = 127.0.0.1/8 PUBLIC_IP

 [dovecot]
 enabled = true
--- a/management/backup.py
+++ b/management/backup.py
@@ -14,6 +14,11 @@ from exclusiveprocess import Lock

 from utils import load_environment, shell, wait_for_service, fix_boto

+rsync_ssh_options = [
+	"--ssh-options= -i /root/.ssh/id_rsa_miab",
+	"--rsync-options= -e \"/usr/bin/ssh -oStrictHostKeyChecking=no -oBatchMode=yes -p 22 -i /root/.ssh/id_rsa_miab\"",
+]
+
 def backup_status(env):
 	# If backups are dissbled, return no status.
 	config = get_backup_config(env)
@@ -59,9 +64,9 @@ def backup_status(env):
 		"--archive-dir", backup_cache_dir,
 		"--gpg-options", "--cipher-algo=AES256",
 		"--log-fd", "1",
-		get_duplicity_target_url(config),
-		] + get_duplicity_additional_args(env),
-		get_duplicity_env_vars(env),
+		config["target"],
+		] + rsync_ssh_options,
+		get_env(env),
 		trap=True)
 	if code != 0:
 		# Command failed. This is likely due to an improperly configured remote
@@ -190,48 +195,7 @@ def get_passphrase(env):

 	return passphrase

-def get_duplicity_target_url(config):
-	target = config["target"]
-
-	if get_target_type(config) == "s3":
-		from urllib.parse import urlsplit, urlunsplit
-		target = list(urlsplit(target))
-
-		# Duplicity now defaults to boto3 as the backend for S3, but we have
-		# legacy boto installed (boto3 doesn't support Ubuntu 18.04) so
-		# we retarget for classic boto.
-		target[0] = "boto+" + target[0]
-
-		# In addition, although we store the S3 hostname in the target URL,
-		# duplicity no longer accepts it in the target URL. The hostname in
-		# the target URL must be the bucket name. The hostname is passed
-		# via get_duplicity_additional_args. Move the first part of the
-		# path (the bucket name) into the hostname URL component, and leave
-		# the rest for the path.
-		target[1], target[2] = target[2].lstrip('/').split('/', 1)
-
-		target = urlunsplit(target)
-
-	return target
-
-def get_duplicity_additional_args(env):
-	config = get_backup_config(env)
-
-	if get_target_type(config) == 'rsync':
-		return [
-			"--ssh-options= -i /root/.ssh/id_rsa_miab",
-			"--rsync-options= -e \"/usr/bin/ssh -oStrictHostKeyChecking=no -oBatchMode=yes -p 22 -i /root/.ssh/id_rsa_miab\"",
-		]
-	elif get_target_type(config) == 's3':
-		# See note about hostname in get_duplicity_target_url.
-		from urllib.parse import urlsplit, urlunsplit
-		target = urlsplit(config["target"])
-		endpoint_url = urlunsplit(("https", target.netloc, '', '', ''))
-		return ["--s3-endpoint-url",  endpoint_url]
-
-	return []
-
-def get_duplicity_env_vars(env):
+def get_env(env):
 	config = get_backup_config(env)

 	env = { "PASSPHRASE" : get_passphrase(env) }
@@ -309,10 +273,10 @@ def perform_backup(full_backup):
 			"--volsize", "250",
 			"--gpg-options", "--cipher-algo=AES256",
 			env["STORAGE_ROOT"],
-			get_duplicity_target_url(config),
+			config["target"],
 			"--allow-source-mismatch"
-			] + get_duplicity_additional_args(env),
-			get_duplicity_env_vars(env))
+			] + rsync_ssh_options,
+			get_env(env))
 	finally:
 		# Start services again.
 		service_command("dovecot", "start", quit=False)
@@ -328,9 +292,9 @@ def perform_backup(full_backup):
 		"--verbosity", "error",
 		"--archive-dir", backup_cache_dir,
 		"--force",
-		get_duplicity_target_url(config)
-		] + get_duplicity_additional_args(env),
-		get_duplicity_env_vars(env))
+		config["target"]
+		] + rsync_ssh_options,
+		get_env(env))

 	# From duplicity's manual:
 	# "This should only be necessary after a duplicity session fails or is
@@ -343,9 +307,9 @@ def perform_backup(full_backup):
 		"--verbosity", "error",
 		"--archive-dir", backup_cache_dir,
 		"--force",
-		get_duplicity_target_url(config)
-		] + get_duplicity_additional_args(env),
-		get_duplicity_env_vars(env))
+		config["target"]
+		] + rsync_ssh_options,
+		get_env(env))

 	# Change ownership of backups to the user-data user, so that the after-bcakup
 	# script can access them.
@@ -381,9 +345,9 @@ def run_duplicity_verification():
 		"--compare-data",
 		"--archive-dir", backup_cache_dir,
 		"--exclude", backup_root,
-		get_duplicity_target_url(config),
+		config["target"],
 		env["STORAGE_ROOT"],
-	] + get_duplicity_additional_args(env), get_duplicity_env_vars(env))
+	] + rsync_ssh_options, get_env(env))

 def run_duplicity_restore(args):
 	env = load_environment()
@@ -393,9 +357,9 @@ def run_duplicity_restore(args):
 		"/usr/bin/duplicity",
 		"restore",
 		"--archive-dir", backup_cache_dir,
-		get_duplicity_target_url(config),
-		] + get_duplicity_additional_args(env) + args,
-	get_duplicity_env_vars(env))
+		config["target"],
+		] + rsync_ssh_options + args,
+	get_env(env))

 def list_target_files(config):
 	import urllib.parse
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -21,7 +21,7 @@ import auth, utils
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, remove_mail_user
 from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
 from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
-from mfa import get_public_mfa_state, provision_totp, validate_totp_secret, enable_mfa, disable_mfa
+from mfa import get_public_mfa_state, provision_totp, provision_webauthn, validate_totp_secret, enable_mfa, disable_mfa

 env = utils.load_environment()

@@ -330,7 +330,7 @@ def dns_get_records(qname=None, rtype=None):
 		r["sort-order"]["created"] = i
 	domain_sort_order = utils.sort_domains([r["qname"] for r in records], env)
 	for i, r in enumerate(sorted(records, key = lambda r : (
-			zones.index(r["zone"]) if r.get("zone") else 0, # record is not within a zone managed by the box
+			zones.index(r["zone"]),
 			domain_sort_order.index(r["qname"]),
 			r["rtype"]))):
 		r["sort-order"]["qname"] = i
@@ -468,7 +468,7 @@ def ssl_provision_certs():
 def mfa_get_status():
 	# Anyone accessing this route is an admin, and we permit them to
 	# see the MFA status for any user if they submit a 'user' form
-	# field. But we don't include provisioning info since a user can
+	# field. But we don't always include provisioning info since a user can
 	# only provision for themselves.
 	email = request.form.get('user', request.user_email) # user field if given, otherwise the user making the request
 	try:
@@ -478,14 +478,15 @@ def mfa_get_status():
 		if email == request.user_email:
 			resp.update({
 				"new_mfa": {
-					"totp": provision_totp(email, env)
+					"totp": provision_totp(email, env),
+					"webauthn": provision_webauthn(email, env)
 				}
 			})
 	except ValueError as e:
 		return (str(e), 400)
 	return json_response(resp)

-@app.route('/mfa/totp/enable', methods=['POST'])
+@app.route('/mfa/enable/totp', methods=['POST'])
@authorized_personnel_only
 def totp_post_enable():
 	secret = request.form.get('secret')
@@ -495,7 +496,20 @@ def totp_post_enable():
 		return ("Bad Input", 400)
 	try:
 		validate_totp_secret(secret)
-		enable_mfa(request.user_email, "totp", secret, token, label, env)
+		enable_mfa(request.user_email, "totp", env, secret, token, label)
+	except ValueError as e:
+		return (str(e), 400)
+	return "OK"
+
+@app.route('/mfa/enable/webauthn', methods=['POST'])
+@authorized_personnel_only
+def webauthn_post_enable():
+	attestationObject = request.form.get('attestationObject')
+	clientDataJSON = request.form.get('clientDataJSON')
+	if type(attestationObject) != str or type(clientDataJSON) != str:
+		return ("Bad Input", 400)
+	try:
+		enable_mfa(request.user_email, "webauthn", env, attestationObject, clientDataJSON)
 	except ValueError as e:
 		return (str(e), 400)
 	return "OK"
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -484,7 +484,7 @@ def write_nsd_zone(domain, zonefile, records, env, force):
 	# @ the PRIMARY_HOSTNAME. Hopefully that's legit.
 	#
 	# For the refresh through TTL fields, a good reference is:
-	# https://www.ripe.net/publications/docs/ripe-203
+	# http://www.peerwisdom.org/2013/05/15/dns-understanding-the-soa-record/
 	#
 	# A hash of the available DNSSEC keys are added in a comment so that when
 	# the keys change we force a re-generation of the zone which triggers
@@ -497,7 +497,7 @@ $TTL 86400          ; default time to live
@ IN SOA ns1.{primary_domain}. hostmaster.{primary_domain}. (
           __SERIAL__     ; serial number
           7200     ; Refresh (secondary nameserver update interval)
-           3600     ; Retry (when refresh fails, how often to try again, should be lower than the refresh)
+           86400    ; Retry (when refresh fails, how often to try again)
           1209600  ; Expire (when refresh fails, how long secondary nameserver will keep records around anyway)
           86400    ; Negative TTL (how long negative responses are cached)
           )
--- a/management/mail_log.py
+++ b/management/mail_log.py
@@ -549,9 +549,8 @@ def scan_postfix_submission_line(date, log, collector):
    """

    # Match both the 'plain' and 'login' sasl methods, since both authentication methods are
-    # allowed by Dovecot. Exclude trailing comma after the username when additional fields 
-	# follow after.
-    m = re.match("([A-Z0-9]+): client=(\S+), sasl_method=(PLAIN|LOGIN), sasl_username=(\S+)(?<!,)", log)
+    # allowed by Dovecot
+    m = re.match("([A-Z0-9]+): client=(\S+), sasl_method=(PLAIN|LOGIN), sasl_username=(\S+)", log)

    if m:
        _, client, method, user = m.groups()
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -1,9 +1,12 @@
 import base64
 import hmac
 import io
+import json
 import os
 import pyotp
 import qrcode
+import pywarp
+import pywarp.backends

 from mailconfig import open_database

@@ -29,25 +32,44 @@ def get_public_mfa_state(email, env):
 	]

 def get_hash_mfa_state(email, env):
-	mfa_state = get_mfa_state(email, env)
-	return [
-		{ "id": s["id"], "type": s["type"], "secret": s["secret"] }
-		for s in mfa_state
-	]
+	# Get the current MFA credential secrets from which we form a hash
+	# so that we can reset user logins when any authentication information
+	# changes.
+	mfa_state = []
+	for s in get_mfa_state(email, env):
+		# Add TOTP id and secret to the state.
+		# Skip WebAuthn state if it's just a challenge.
+		if s["type"] == "webauthn":
+			try:
+				# Get the credential and only include it (not challenges) in the state.
+				s["secret"] = json.loads(s["secret"])["cred_pub_key"]
+			except:
+				# Skip this one --- there is no cred_pub_key.
+				continue
+		mfa_state.append({ "id": s["id"], "type": s["type"], "secret": s["secret"] })
+	return mfa_state

-def enable_mfa(email, type, secret, token, label, env):
+def enable_mfa(email, type, env, *args):
 	if type == "totp":
+		secret, token, label = args
 		validate_totp_secret(secret)
 		# Sanity check with the provide current token.
 		totp = pyotp.TOTP(secret)
 		if not totp.verify(token, valid_window=1):
 			raise ValueError("Invalid token.")
+		conn, c = open_database(env, with_connection=True)
+		c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (get_user_id(email, c), type, secret, label))
+		conn.commit()
+	elif type == "webauthn":
+		attestationObject, clientDataJSON = args
+		rp = pywarp.RelyingPartyManager(
+			get_relying_party_name(env),
+			rp_id=env["PRIMARY_HOSTNAME"], # must match hostname the control panel is served from
+			credential_storage_backend=WebauthnStorageBackend(env))
+		rp.register(attestation_object=base64.b64decode(attestationObject), client_data_json=base64.b64decode(clientDataJSON), email=email.encode("utf8")) # encoding of email is a little funky here, pywarp calls .decode() with no args?
 	else:
 		raise ValueError("Invalid MFA type.")

-	conn, c = open_database(env, with_connection=True)
-	c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (get_user_id(email, c), type, secret, label))
-	conn.commit()

 def set_mru_token(email, mfa_id, token, env):
 	conn, c = open_database(env, with_connection=True)
@@ -71,6 +93,9 @@ def validate_totp_secret(secret):
 	if len(secret) != 32:
 		raise ValueError("Secret should be a 32 characters base32 string")

+def get_relying_party_name(env):
+	return env["PRIMARY_HOSTNAME"] + " Mail-in-a-Box Control Panel"
+
 def provision_totp(email, env):
 	# Make a new secret.
 	secret = base64.b32encode(os.urandom(20)).decode('utf-8')
@@ -79,7 +104,7 @@ def provision_totp(email, env):
 	# Make a URI that we encode within a QR code.
 	uri = pyotp.TOTP(secret).provisioning_uri(
 		name=email,
-		issuer_name=env["PRIMARY_HOSTNAME"] + " Mail-in-a-Box Control Panel"
+		issuer_name=get_relying_party_name(env)
 	)

 	# Generate a QR code as a base64-encode PNG image.
@@ -94,6 +119,55 @@ def provision_totp(email, env):
 		"qr_code_base64": png_b64
 	}

+class WebauthnStorageBackend(pywarp.backends.CredentialStorageBackend):
+	def __init__(self, env):
+		self.env = env
+	def get_record(self, email, conn=None, c=None):
+		# Get an existing record and parse the 'secret' column as JSON.
+		if conn is None: conn, c = open_database(self.env, with_connection=True)
+		c.execute('SELECT secret FROM mfa WHERE user_id=? AND type="webauthn"', (get_user_id(email, c),))
+		config = c.fetchone()
+		if config:
+			try:
+				return json.loads(config[0])
+			except:
+				pass
+		return { }
+	def update_record(self, email, fields):
+		# Update the webauthn record in the database for this user by
+		# merging the fields with the existing fields in the database.
+		conn, c = open_database(self.env, with_connection=True)
+		config = self.get_record(email, conn=conn, c=c)
+		if config:
+			# Merge and update.
+			config.update(fields)
+			config = json.dumps(config)
+			c.execute('UPDATE mfa SET secret=? WHERE user_id=? AND type="webauthn"', (config, get_user_id(email, c),))
+			conn.commit()
+			return
+
+		# Either there's no existing webauthn record or it's corrupted. Delete any existing record.
+		# Then add a new record.
+		c.execute('DELETE FROM mfa WHERE user_id=? AND type="webauthn"', (get_user_id(email, c),))
+		c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (
+			get_user_id(email, c), "webauthn",
+			json.dumps(fields),
+			"WebAuthn"))
+		conn.commit()
+	def save_challenge_for_user(self, email, challenge, type):
+		self.update_record(email, { type + "challenge": base64.b64encode(challenge).decode("ascii") })
+	def get_challenge_for_user(self, email, type):
+		challenge = self.get_record(email).get(type + "challenge")
+		if challenge: challenge = base64.b64decode(challenge.encode("ascii"))
+		return challenge
+
+def provision_webauthn(email, env):
+	rp = pywarp.RelyingPartyManager(
+		get_relying_party_name(env),
+		rp_id=env["PRIMARY_HOSTNAME"], # must match hostname the control panel is served from
+		credential_storage_backend=WebauthnStorageBackend(env))
+	return rp.get_registration_options(email=email)
+
 def validate_auth_mfa(email, request, env):
 	# Validates that a login request satisfies any MFA modes
 	# that have been enabled for the user's account. Returns
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -135,7 +135,7 @@ def check_service(i, service, env):

 			# IPv4 ok but IPv6 failed. Try the PRIVATE_IPV6 address to see if the service is bound to the interface.
 			elif service["port"] != 53 and try_connect(env["PRIVATE_IPV6"]):
-				output.print_error("%s is running (and available over IPv4 and the local IPv6 address), but it is not publicly accessible at %s:%d." % (service['name'], env['PUBLIC_IPV6'], service['port']))
+				output.print_error("%s is running (and available over IPv4 and the local IPv6 address), but it is not publicly accessible at %s:%d." % (service['name'], env['PUBLIC_IP'], service['port']))
 			else:
 				output.print_error("%s is running and available over IPv4 but is not accessible over IPv6 at %s port %d." % (service['name'], env['PUBLIC_IPV6'], service['port']))

@@ -253,18 +253,6 @@ def check_free_disk_space(rounded_values, env, output):
 		if rounded_values: disk_msg = "The disk has less than 15% free space."
 		output.print_error(disk_msg)

-	# Check that there's only one duplicity cache. If there's more than one,
-	# it's probably no longer in use, and we can recommend clearing the cache
-	# to save space. The cache directory may not exist yet, which is OK.
-	backup_cache_path = os.path.join(env['STORAGE_ROOT'], 'backup/cache')
-	try:
-		backup_cache_count = len(os.listdir(backup_cache_path))
-	except:
-		backup_cache_count = 0
-	if backup_cache_count > 1:
-		output.print_warning("The backup cache directory {} has more than one backup target cache. Consider clearing this directory to save disk space."
-			.format(backup_cache_path))
-
 def check_free_memory(rounded_values, env, output):
 	# Check free memory.
 	percent_free = 100 - psutil.virtual_memory().percent
@@ -658,7 +646,7 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
 		output.print_line("Option " + str(i+1) + ":")
 		output.print_line("----------")
 		output.print_line("Key Tag: " + ds_suggestion['keytag'])
-		output.print_line("Key Flags: KSK / 257")
+		output.print_line("Key Flags: KSK (256)")
 		output.print_line("Algorithm: %s / %s" % (ds_suggestion['alg'], ds_suggestion['alg_name']))
 		output.print_line("Digest Type: %s / %s" % (ds_suggestion['digalg'], ds_suggestion['digalg_name']))
 		output.print_line("Digest: " + ds_suggestion['digest'])
@@ -670,7 +658,7 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
 	if len(ds) > 0:
 		output.print_line("")
 		output.print_line("The DS record is currently set to:")
-		for rr in sorted(ds):
+		for rr in ds:
 			output.print_line("Key Tag: {0}, Algorithm: {1}, Digest Type: {2}, Digest: {3}".format(*rr))

 def check_mail_domain(domain, env, output):
--- a/management/templates/external-dns.html
+++ b/management/templates/external-dns.html
@@ -38,7 +38,7 @@
 <p class="alert" role="alert">
 	<span class="glyphicon glyphicon-info-sign"></span>
 	You may encounter zone file errors when attempting to create a TXT record with a long string.
-	<a href="https://tools.ietf.org/html/rfc4408#section-3.1.3">RFC 4408</a> states a TXT record is allowed to contain multiple strings, and this technique can be used to construct records that would exceed the 255-byte maximum length.
+	<a href="http://tools.ietf.org/html/rfc4408#section-3.1.3">RFC 4408</a> states a TXT record is allowed to contain multiple strings, and this technique can be used to construct records that would exceed the 255-byte maximum length.
 	You may need to adopt this technique when adding DomainKeys. Use a tool like <code>named-checkzone</code> to validate your zone file.
 </p>

--- a/management/templates/mfa.html
+++ b/management/templates/mfa.html
@@ -1,34 +1,10 @@
 <style>
-    .twofactor #totp-setup,
-    .twofactor #disable-2fa,
-    .twofactor #output-2fa {
-        display: none;
-    }
-
-    .twofactor.loaded .loading-indicator {
-        display: none;
-    }
-
-    .twofactor.disabled #disable-2fa,
-    .twofactor.enabled #totp-setup {
-        display: none;
-    }
-
-    .twofactor.disabled #totp-setup,
-    .twofactor.enabled #disable-2fa {
-        display: block;
-    }
-
    .twofactor #totp-setup-qr img {
        display: block;
        width: 256px;
        max-width: 100%;
        height: auto;
    }
-
-    .twofactor #output-2fa.visible {
-        display: block;
-    }
 </style>

 <h2>Two-Factor Authentication</h2>
@@ -51,10 +27,11 @@ and ensure every administrator account for this control panel does the same.</st
 </div>

 <div class="twofactor">
-    <div class="loading-indicator">Loading...</div>
+    <div id="mfa-devices">
+    </div>

-    <form id="totp-setup">
-        <h3>Setup Instructions</h3>
+    <form id="totp-setup" style="display: none">
+        <h3>Add a TOTP Device</h3>

        <div class="form-group">
            <p>1. Install <a href="https://freeotp.github.io/">FreeOTP</a> or <a href="https://www.pcworld.com/article/3225913/what-is-two-factor-authentication-and-which-2fa-apps-are-best.html">any
@@ -85,24 +62,32 @@ and ensure every administrator account for this control panel does the same.</st
        </div>
    </form>

-    <form id="disable-2fa">
-        <div class="form-group">
-            <p>Two-factor authentication is active for your account<span id="mfa-device-label"></span>.</p>
-            <p>You will have to log into the admin panel again after disabling two-factor authentication.</p>
-        </div>
-        <div class="form-group">
-            <button type="submit" class="btn btn-danger">Disable Two-Factor Authentication</button>
-        </div>
+    <form id="webauthn-setup" style="display: none">
+        <h3>Add a WebAuthn Device</h3>
+        <p>If you have a WebAuthn device such as a YubiKey, plug it in and click Add WebAuthn Device.</p>
+        <button type="submit" class="btn" onclick="return do_enable_webauthn()">Add WebAuthn Device</button>
    </form>

-    <div id="output-2fa" class="panel panel-danger">
+    <div id="webauthn-setup" style="display: none">
+    </div>
+
+    <div id="output-2fa" class="panel panel-danger hidden">
        <div class="panel-body"></div>
    </div>
+
+    <div id="mfa-device-templates" style="display: none">
+      <form class="totp" style="margin: 1em 0; border: 1px solid #AAA; padding: 10px;">
+          <p>Two-factor authentication is active for your account<span class="mfa-device-label"></span>.</p>
+          <div class="form-group">
+              <button type="submit" class="btn btn-danger">Disable TOTP Device</button>
+          </div>
+          <p style="margin-bottom: 0">You will have to log into the admin panel again after disabling two-factor authentication.</p>
+      </form>
+    </div>
 </div>

 <script>
    var el = {
-        disableForm: document.getElementById('disable-2fa'),
        output: document.getElementById('output-2fa'),
        totpSetupForm: document.getElementById('totp-setup'),
        totpSetupToken: document.getElementById('totp-setup-token'),
@@ -110,6 +95,7 @@ and ensure every administrator account for this control panel does the same.</st
        totpSetupLabel: document.getElementById('totp-setup-label'),
        totpQr: document.getElementById('totp-setup-qr'),
        totpSetupSubmit: document.querySelector('#totp-setup-submit'),
+        webauthnSetupForm: document.getElementById('webauthn-setup'),
        wrapper: document.querySelector('.twofactor')
    }

@@ -130,6 +116,8 @@ and ensure every administrator account for this control panel does the same.</st
    }

    function render_totp_setup(provisioned_totp) {
+        $(el.totpSetupForm).show();
+
        var img = document.createElement('img');
        img.src = "data:image/png;base64," + provisioned_totp.qr_code_base64;

@@ -147,38 +135,50 @@ and ensure every administrator account for this control panel does the same.</st
        el.wrapper.classList.add('disabled');
    }

+    function arrayBufferToBase64(a) { return btoa(String.fromCharCode(...new Uint8Array(a))); }
+    function base64ToArrayBuffer(b) { return Uint8Array.from(atob(b), c => c.charCodeAt(0)); }
+
+    function render_webauthn_setup(provisioning) {
+        $(el.webauthnSetupForm).show();
+        provisioning.challenge = base64ToArrayBuffer(provisioning.challenge);
+        provisioning.user.id = new TextEncoder().encode(provisioning.user.name);
+        window.mailinabix_mfa_webauthn_provision = provisioning;
+    }
+
    function render_disable(mfa) {
-        el.disableForm.addEventListener('submit', do_disable);
-        el.wrapper.classList.add('enabled');
+        var panel = $('#mfa-device-templates .' + mfa.type).clone();
+        $('#mfa-devices').append(panel);
+        panel.attr('data-mfa-id', mfa.id);
+        panel.on('submit', do_disable);
        if (mfa.label)
-          $("#mfa-device-label").text(" on device '" + mfa.label + "'");
+          panel.find(".mfa-device-label").text(" on device '" + mfa.label + "'");
    }

    function hide_error() {
        el.output.querySelector('.panel-body').innerHTML = '';
-        el.output.classList.remove('visible');
+        el.output.classList.add('hidden');
    }

    function render_error(msg) {
        el.output.querySelector('.panel-body').innerHTML = msg;
-        el.output.classList.add('visible');
+        el.output.classList.remove('hidden');
    }

    function reset_view() {
        el.wrapper.classList.remove('loaded', 'disabled', 'enabled');
-
-        el.disableForm.removeEventListener('submit', do_disable);
+        $('#mfa-devices > *').remove();

        hide_error();

+        $(el.totpSetupForm).hide();
        el.totpSetupForm.reset();
        el.totpSetupForm.removeEventListener('submit', do_enable_totp);
-
        el.totpSetupSecret.setAttribute('value', '');
        el.totpSetupToken.removeEventListener('input', update_setup_disabled);
-
        el.totpSetupSubmit.setAttribute('disabled', '');
        el.totpQr.innerHTML = '';
+
+        $(el.webauthnSetupForm).hide();
    }

    function show_mfa() {
@@ -191,16 +191,16 @@ and ensure every administrator account for this control panel does the same.</st
            function(res) {
                el.wrapper.classList.add('loaded');

-                var has_mfa = false;
                res.enabled_mfa.forEach(function(mfa) {
                    if (mfa.type == "totp") {
                        render_disable(mfa);
-                        has_mfa = true;
                    }
                });

-                if (!has_mfa)
-                  render_totp_setup(res.new_mfa.totp);
+                if (res.new_mfa.totp)
+                    render_totp_setup(res.new_mfa.totp);
+                if (res.new_mfa.webauthn && 'credentials' in navigator)
+                    render_webauthn_setup(res.new_mfa.webauthn);
            }
        );
    }
@@ -212,7 +212,7 @@ and ensure every administrator account for this control panel does the same.</st
        api(
            '/mfa/disable',
            'POST',
-            { type: 'totp' },
+            { id: $(this).attr('data-mfa-id') },
            function() {
                do_logout();
            }
@@ -226,7 +226,7 @@ and ensure every administrator account for this control panel does the same.</st
        hide_error();

        api(
-            '/mfa/totp/enable',
+            '/mfa/enable/totp',
            'POST',
            {
                token: $(el.totpSetupToken).val(),
@@ -239,4 +239,22 @@ and ensure every administrator account for this control panel does the same.</st

        return false;
    }
+
+    function do_enable_webauthn() {
+        navigator.credentials.create({ publicKey: window.mailinabix_mfa_webauthn_provision })
+        .then(function(creds) {
+            api(
+                '/mfa/enable/webauthn',
+                'POST',
+                {
+                    attestationObject: arrayBufferToBase64(creds.response['attestationObject']),
+                    clientDataJSON: arrayBufferToBase64(creds.response['clientDataJSON'])
+                },
+                function(res) { do_logout(); },
+                function(res) { render_error(res); }
+            );
+        });
+        return false;
+    }
+
 </script>
--- a/management/templates/sync-guide.html
+++ b/management/templates/sync-guide.html
@@ -30,9 +30,9 @@

 			<table class="table">
 			<thead><tr><th>For...</th> <th>Use...</th></tr></thead>
-			<tr><td>Contacts and Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=at.bitfire.davdroid">DAVx⁵</a> ($5.99; free <a href="https://f-droid.org/packages/at.bitfire.davdroid/">here</a>)</td></tr>
-			<tr><td>Only Contacts</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.carddav.sync">CardDAV-Sync free</a> (free)</td></tr>
-			<tr><td>Only Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.caldav.lib">CalDAV-Sync</a> ($2.99)</td></tr>
+			<tr><td>Contacts and Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=at.bitfire.davdroid">DAVdroid</a> ($3.69; free <a href="https://f-droid.org/packages/at.bitfire.davdroid/">here</a>)</td></tr>
+			<tr><td>Only Contacts</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.carddav.sync">CardDAV-Sync free beta</a> (free)</td></tr>
+			<tr><td>Only Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.caldav.lib">CalDAV-Sync</a> ($2.89)</td></tr>
 			</table>

 			<p>Use the following settings:</p>
--- a/management/templates/system-backup.html
+++ b/management/templates/system-backup.html
@@ -5,7 +5,7 @@

 <h2>Backup Status</h2>

-<p>The box makes an incremental backup each night. By default the backup is stored on the machine itself, but you can also store it on S3-compatible services like Amazon Web Services (AWS).</p>
+<p>The box makes an incremental backup each night. By default the backup is stored on the machine itself, but you can also store in on S3-compatible services like Amazon Web Services (AWS).</p>

 <h3>Configuration</h3>

--- a/security.md
+++ b/security.md
@@ -3,12 +3,7 @@ Mail-in-a-Box Security Guide

 Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components.

-This page documents the security posture of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box.
-
-Reporting Security Vulnerabilities
----------------------------------
-
-Security vulnerabilities should be reported to the [project's maintainer](https://joshdata.me) via email.
+This page documents the security features of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box.

 Threat Model
 ------------
@@ -54,7 +49,9 @@ Additionally:

 ### Password Storage

-The passwords for mail users are stored on disk using the [SHA512-CRYPT](http://man7.org/linux/man-pages/man3/crypt.3.html) hashing scheme. ([source](management/mailconfig.py)) Password changes (as well as changes to control panel two-factor authentication settings) expire any control panel login sessions.
+The passwords for mail users are stored on disk using the [SHA512-CRYPT](http://man7.org/linux/man-pages/man3/crypt.3.html) hashing scheme. ([source](management/mailconfig.py))
+
+When using the web-based administrative control panel, after logging in an API key is placed in the browser's local storage (rather than, say, the user's actual password). The API key is an HMAC based on the user's email address and current password, and it is keyed by a secret known only to the control panel service. By resetting an administrator's password, any HMACs previously generated for that user will expire.

 ### Console access

@@ -68,7 +65,7 @@ If DNSSEC is enabled at the box's domain name's registrar, the SSHFP record that

 `fail2ban` provides some protection from brute-force login attacks (repeated logins that guess account passwords) by blocking offending IP addresses at the network level.

-The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), Nextcloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel (over HTTP).
+The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), Nextcloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel & munin (over HTTP).

 Some other services running on the box may be missing fail2ban filters.

--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -20,7 +20,7 @@ if [ -z "$TAG" ]; then
 	# want to display in status checks.
 	if [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' )" == "Ubuntu 18.04 LTS" ]; then
 		# This machine is running Ubuntu 18.04.
-		TAG=v57
+		TAG=v0.54

 	elif [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' )" == "Ubuntu 14.04 LTS" ]; then
 		# This machine is running Ubuntu 14.04.
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -25,12 +25,12 @@ done
 #
 # certbot installs EFF's certbot which we use to
 # provision free TLS certificates.
-apt_install duplicity python-pip virtualenv certbot rsync
+apt_install duplicity python-pip virtualenv certbot

 # b2sdk is used for backblaze backups.
 # boto is used for amazon aws backups.
 # Both are installed outside the pipenv, so they can be used by duplicity
-hide_output pip3 install --upgrade b2sdk==1.14.1 boto
+hide_output pip3 install --upgrade b2sdk boto

 # Create a virtualenv for the installation of Python 3 packages
 # used by the management daemon.
@@ -50,7 +50,7 @@ hide_output $venv/bin/pip install --upgrade pip
 hide_output $venv/bin/pip install --upgrade \
 	rtyaml "email_validator>=1.0.0" "exclusiveprocess" \
 	flask dnspython python-dateutil expiringdict \
-	qrcode[pil] pyotp \
+	qrcode[pil] pyotp pywarp \
 	"idna>=2.0.0" "cryptography==2.2.2" boto psutil postfix-mta-sts-resolver b2sdk

 # CONFIGURATION
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -9,39 +9,6 @@ source /etc/mailinabox.conf # load global vars

 echo "Installing Nextcloud (contacts/calendar)..."

-# Nextcloud core and app (plugin) versions to install.
-# With each version we store a hash to ensure we install what we expect.
-
-# Nextcloud core
-# --------------
-# * See https://nextcloud.com/changelog for the latest version.
-# * Check https://docs.nextcloud.com/server/latest/admin_manual/installation/system_requirements.html
-#   for whether it supports the version of PHP available on this machine.
-# * Since Nextcloud only supports upgrades from consecutive major versions,
-#   we automatically install intermediate versions as needed.
-# * The hash is the SHA1 hash of the ZIP package, which you can find by just running this script and
-#   copying it from the error message when it doesn't match what is below.
-nextcloud_ver=20.0.14
-nextcloud_hash=92cac708915f51ee2afc1787fd845476fd090c81
-
-# Nextcloud apps
-# --------------
-# * Find the most recent tag that is compatible with the Nextcloud version above by
-#   consulting the <dependencies>...<nextcloud> node at:
-#   https://github.com/nextcloud-releases/contacts/blob/master/appinfo/info.xml
-#   https://github.com/nextcloud-releases/calendar/blob/master/appinfo/info.xml
-#   https://github.com/nextcloud/user_external/blob/master/appinfo/info.xml
-# * The hash is the SHA1 hash of the ZIP package, which you can find by just running this script and
-#   copying it from the error message when it doesn't match what is below.
-contacts_ver=4.0.7
-contacts_hash=45e7cf4bfe99cd8d03625cf9e5a1bb2e90549136
-calendar_ver=3.0.4
-calendar_hash=d0284b68135777ec9ca713c307216165b294d0fe
-user_external_ver=1.0.0
-user_external_hash=3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
-
-# Clear prior packages and install dependencies from apt.
-
 apt-get purge -qq -y owncloud* # we used to use the package manager

 apt_install php php-fpm \
@@ -79,11 +46,11 @@ InstallNextcloud() {
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps

-	wget_verify https://github.com/nextcloud-releases/contacts/archive/refs/tags/v$version_contacts.tar.gz $hash_contacts /tmp/contacts.tgz
+	wget_verify https://github.com/nextcloud/contacts/releases/download/v$version_contacts/contacts.tar.gz $hash_contacts /tmp/contacts.tgz
 	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz

-	wget_verify https://github.com/nextcloud-releases/calendar/archive/refs/tags/v$version_calendar.tar.gz $hash_calendar /tmp/calendar.tgz
+	wget_verify https://github.com/nextcloud/calendar/releases/download/v$version_calendar/calendar.tar.gz $hash_calendar /tmp/calendar.tgz
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz

@@ -129,6 +96,16 @@ InstallNextcloud() {
 	fi
 }

+# Nextcloud Version to install. Checks are done down below to step through intermediate versions.
+nextcloud_ver=20.0.8
+nextcloud_hash=372b0b4bb07c7984c04917aff86b280e68fbe761
+contacts_ver=3.5.1
+contacts_hash=d2ffbccd3ed89fa41da20a1dff149504c3b33b93
+calendar_ver=2.2.0
+calendar_hash=673ad72ca28adb8d0f209015ff2dca52ffad99af
+user_external_ver=1.0.0
+user_external_hash=3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
+
 # Current Nextcloud Version, #1623
 # Checking /usr/local/lib/owncloud/version.php shows version of the Nextcloud application, not the DB
 # $STORAGE_ROOT/owncloud is kept together even during a backup.  It is better to rely on config.php than
@@ -183,25 +160,24 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc
 			# During the upgrade from Nextcloud 14 to 15, user_external may cause the upgrade to fail.
 			# We will disable it here before the upgrade and install it again after the upgrade.
 			hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:disable user_external
-			InstallNextcloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 a1f3835c752929e3598eb94f22300516867ac6ab 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
+			InstallNextcloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
 			CURRENT_NEXTCLOUD_VER="15.0.8"
 		fi
 		if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^15 ]]; then
-                        InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 a1f3835c752929e3598eb94f22300516867ac6ab 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
+                        InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
                        CURRENT_NEXTCLOUD_VER="16.0.6"
        	fi
 	        if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then
-                        InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 a1f3835c752929e3598eb94f22300516867ac6ab 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
+                        InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
                        CURRENT_NEXTCLOUD_VER="17.0.6"
 	        fi
 	        if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then
-			# Don't exit the install if this column already exists (see #2076)
-			(echo "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;" | sqlite3 $STORAGE_ROOT/owncloud/owncloud.db 2>/dev/null) || true
-                        InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 8f685e7dc99758636d660d595e389c324e51e9d1 2.0.3 a1f3835c752929e3598eb94f22300516867ac6ab 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
+			echo "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;" | sqlite3 $STORAGE_ROOT/owncloud/owncloud.db
+                        InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
                        CURRENT_NEXTCLOUD_VER="18.0.10"
 	        fi
 	        if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^18 ]]; then
-                        InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 8f685e7dc99758636d660d595e389c324e51e9d1 2.0.3 a1f3835c752929e3598eb94f22300516867ac6ab 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
+                        InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
                        CURRENT_NEXTCLOUD_VER="19.0.4"
 	        fi
 	fi
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -75,13 +75,6 @@ then
 	fi
 fi

-# ### Set log retention policy.
-
-# Set the systemd journal log retention from infinite to 10 days,
-# since over time the logs take up a large amount of space.
-# (See https://discourse.mailinabox.email/t/journalctl-reclaim-space-on-small-mailinabox/6728/11.)
-tools/editconf.py /etc/systemd/journald.conf MaxRetentionSec=10day
-
 # ### Add PPAs.

 # We install some non-standard Ubuntu packages maintained by other
@@ -363,7 +356,6 @@ systemctl restart systemd-resolved
 rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore
 rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config
 cat conf/fail2ban/jails.conf \
-    | sed "s/PUBLIC_IPV6/$PUBLIC_IPV6/g" \
 	| sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
 	| sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
 	> /etc/fail2ban/jail.d/mailinabox.conf
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -28,19 +28,13 @@ apt_install \
 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of plugins to track
 # whether we have the latest version of everything.
-# For the latest versions, see:
-#   https://github.com/roundcube/roundcubemail/releases
-#   https://github.com/mfreiholz/persistent_login/commits/master
-#   https://github.com/stremlau/html5_notifier/commits/master
-#   https://github.com/mstilkerich/rcmcarddav/releases
-# The easiest way to get the package hashes is to run this script and get the hash from
-# the error message.
-VERSION=1.5.2
-HASH=208ce4ca0be423cc0f7070ff59bd03588b4439bf
-PERSISTENT_LOGIN_VERSION=59ca1b0d3a02cff5fa621c1ad581d15f9d642fe8
+
+VERSION=1.5-rc
+HASH=a7cb2a39702536d769c7ff93f716e27f0b93f9d9
+PERSISTENT_LOGIN_VERSION=6b3fc450cae23ccb2f393d0ef67aa319e877e435 # version 5.2.0
 HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+
-CARDDAV_VERSION=4.3.0
-CARDDAV_HASH=4ad7df8843951062878b1375f77c614f68bc5c61
+CARDDAV_VERSION=3.0.3
+CARDDAV_HASH=d1e3b0d851ffa2c6bd42bf0c04f70d0e1d0d78f8

 UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION

@@ -83,13 +77,13 @@ if [ $needs_update == 1 ]; then

 	# download and verify the full release of the carddav plugin
 	wget_verify \
-		https://github.com/blind-coder/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-v${CARDDAV_VERSION}.tar.gz \
+		https://github.com/blind-coder/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-${CARDDAV_VERSION}.zip \
 		$CARDDAV_HASH \
-		/tmp/carddav.tar.gz
+		/tmp/carddav.zip

 	# unzip and cleanup
-	tar -C ${RCM_PLUGIN_DIR} -zxf /tmp/carddav.tar.gz
-	rm -f /tmp/carddav.tar.gz
+	unzip -q /tmp/carddav.zip -d ${RCM_PLUGIN_DIR}
+	rm -f /tmp/carddav.zip

 	# record the version we've installed
 	echo $UPDATE_KEY > ${RCM_DIR}/version
Author	SHA1	Message	Date
Joshua Tauberer	d4428e1c67	WebAuthn MFA for the control panel	2021-10-18 20:15:08 -04:00
Joshua Tauberer	30f067bc72	Reorganize TOTP in the control panel templates to allow adding multiple devices and disabling individual devices	2021-10-18 20:14:25 -04:00