Merge 32cfd1ed52 into 18b8f9ab4b

In case that no static AWS credentials are specified, we try to create the boto3 client without explicitly passing static credentials. This way, we can benedit from dynamic credentials in AWS environments (e.g. using EC2 instance roles)

CHANGELOG.md

@@ -1,31 +1,6 @@
 CHANGELOG
 =========
 
-Version 68 (April 1, 2024)
---------------------------
-
-Package updates:
-
-* Roundcube updated to version 1.6.6.
-* Nextcloud is updated to version 26.0.12.
-
-Mail:
-
-* Updated postfix's configuration to guard against SMTP smuggling to the long-term fix (https://www.postfix.org/smtp-smuggling.html).
-
-Control Panel:
-
-* Improved reporting of Spamhaus response codes.
-* Improved detection of SSH port.
-* Fixed an error if last saved status check results were corrupted.
-* Other minor fixes.
-
-Other:
-
-* fail2ban is updated to see "HTTP/2.0" requests to munin also.
-* Internal improvements to the code to make it more reliable and readable.
-
-
 Version 67 (December 22, 2023)
 ------------------------------
 

README.md

@@ -60,7 +60,7 @@ Clone this repository and checkout the tag corresponding to the most recent rele
 
 	$ git clone https://github.com/mail-in-a-box/mailinabox
 	$ cd mailinabox
-	$ git checkout v68
+	$ git checkout v67
 
 Begin the installation.
 

management/backup.py

@@ -512,10 +512,13 @@ def list_target_files(config):
 
 		# connect to the region & bucket
 		try:
-			s3 = boto3.client('s3', \
-				endpoint_url=f'https://{target.hostname}', \
-				aws_access_key_id=config['target_user'], \
-				aws_secret_access_key=config['target_pass'])
+			if config['target_user'] == "" and config['target_pass'] == "":
+				s3 = boto3.client('s3', endpoint_url=f'https://{target.hostname}')
+			else:
+				s3 = boto3.client('s3', \
+					endpoint_url=f'https://{target.hostname}', \
+					aws_access_key_id=config['target_user'], \
+					aws_secret_access_key=config['target_pass'])
 			bucket_objects = s3.list_objects_v2(Bucket=bucket, Prefix=path)['Contents']
 			backup_list = [(key['Key'][len(path):], key['Size']) for key in bucket_objects]
 		except ClientError as e:

management/dns_update.py

@@ -9,7 +9,7 @@ import ipaddress
 import rtyaml
 import dns.resolver
 
-from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains, get_ssh_port
+from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains
 from ssl_certificates import get_ssl_certificates, check_certificate
 import contextlib
 
@@ -448,11 +448,14 @@ def build_sshfp_records():
 	# if SSH has been configured to listen on a nonstandard port, we must
 	# specify that port to sshkeyscan.
 
-	port = get_ssh_port()
-
-	# If nothing returned, SSH is probably not installed.
-	if not port:
-		return
+	port = 22
+	with open('/etc/ssh/sshd_config', encoding="utf-8") as f:
+		for line in f:
+			s = line.rstrip().split()
+			if len(s) == 2 and s[0] == 'Port':
+				with contextlib.suppress(ValueError):
+					port = int(s[1])
+				break
 
 	keys = shell("check_output", ["ssh-keyscan", "-4", "-t", "rsa,dsa,ecdsa,ed25519", "-p", str(port), "localhost"])
 	keys = sorted(keys.split("\n"))

management/status_checks.py

@@ -17,7 +17,7 @@ from web_update import get_web_domains, get_domains_with_a_records
 from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate
 from mailconfig import get_mail_domains, get_mail_aliases
 
-from utils import shell, sort_domains, load_env_vars_from_file, load_settings, get_ssh_port, get_ssh_config_value
+from utils import shell, sort_domains, load_env_vars_from_file, load_settings
 
 def get_services():
 	return [
@@ -65,6 +65,24 @@ def run_checks(rounded_values, env, output, pool, domains_to_check=None):
 	run_network_checks(env, output)
 	run_domain_checks(rounded_values, env, output, pool, domains_to_check=domains_to_check)
 
+def get_ssh_port():
+	# Returns ssh port
+	try:
+		output = shell('check_output', ['sshd', '-T'])
+	except FileNotFoundError:
+		# sshd is not installed. That's ok.
+		return None
+
+	returnNext = False
+	for e in output.split():
+		if returnNext:
+			return int(e)
+		if e == "port":
+			returnNext = True
+
+	# Did not find port!
+	return None
+
 def run_services_checks(env, output, pool):
 	# Check that system services are running.
 	all_running = True
@@ -188,15 +206,21 @@ def is_port_allowed(ufw, port):
 	return any(re.match(str(port) +"[/ \t].*", item) for item in ufw)
 
 def check_ssh_password(env, output):
-	config_value = get_ssh_config_value("passwordauthentication")
-	if config_value:
-		if config_value == "no":
-			output.print_ok("SSH disallows password-based login.")
-		else:
-			output.print_error("""The SSH server on this machine permits password-based login. A more secure
-				way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
-				that you can log in without a password, set the option 'PasswordAuthentication no' in
-				/etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
+	# Check that SSH login with password is disabled. The openssh-server
+	# package may not be installed so check that before trying to access
+	# the configuration file.
+	if not os.path.exists("/etc/ssh/sshd_config"):
+		return
+	with open("/etc/ssh/sshd_config", encoding="utf-8") as f:
+		sshd = f.read()
+	if re.search("\nPasswordAuthentication\\s+yes", sshd) \
+		or not re.search("\nPasswordAuthentication\\s+no", sshd):
+		output.print_error("""The SSH server on this machine permits password-based login. A more secure
+			way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
+			that you can log in without a password, set the option 'PasswordAuthentication no' in
+			/etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
+	else:
+		output.print_ok("SSH disallows password-based login.")
 
 def is_reboot_needed_due_to_package_installation():
 	return os.path.exists("/var/run/reboot-required")

management/templates/mail-guide.html

@@ -16,7 +16,7 @@
 
 				<h4>Automatic configuration</h4>
 
-					<p>iOS and macOS only: Open <a style="font-weight: bold" href="https://{{hostname}}/mailinabox.mobileconfig">this configuration link</a> on your iOS device or on your Mac desktop to easily set up mail (IMAP/SMTP), Contacts, and Calendar. Your username is your whole email address.</p>
+					<p>iOS and OS X only: Open <a style="font-weight: bold" href="https://{{hostname}}/mailinabox.mobileconfig">this configuration link</a> on your iOS device or on your Mac desktop to easily set up mail (IMAP/SMTP), Contacts, and Calendar. Your username is your whole email address.</p>
 	
 				<h4>Manual configuration</h4>
 

management/utils.py

@@ -179,34 +179,6 @@ def wait_for_service(port, public, env, timeout):
 				return False
 		time.sleep(min(timeout/4, 1))
 
-def get_ssh_port():
-	port_value = get_ssh_config_value("port")
-
-	if port_value:
-		return int(port_value)
-
-	return None
-
-def get_ssh_config_value(parameter_name):
-	# Returns ssh configuration value for the provided parameter
-	try:
-		output = shell('check_output', ['sshd', '-T'])
-	except FileNotFoundError:
-		# sshd is not installed. That's ok.
-		return None
-	except subprocess.CalledProcessError:
-		# error while calling shell command
-		return None
-
-	for line in output.split("\n"):
-		if " " not in line: continue # there's a blank line at the end
-		key, values = line.split(" ", 1)
-		if key == parameter_name:
-			return values # space-delimited if there are multiple values
-
-	# Did not find the parameter!
-	return None
-
 if __name__ == "__main__":
 	from web_update import get_web_domains
 	env = load_environment()

setup/bootstrap.sh

@@ -23,7 +23,7 @@ if [ -z "$TAG" ]; then
 	if [ "$UBUNTU_VERSION" == "Ubuntu 22.04 LTS" ]; then
 		# This machine is running Ubuntu 22.04, which is supported by
 		# Mail-in-a-Box versions 60 and later.
-		TAG=v68
+		TAG=v67
 	elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then
 		# This machine is running Ubuntu 18.04, which is supported by
 		# Mail-in-a-Box versions 0.40 through 5x.

setup/mail-postfix.sh

@@ -70,16 +70,10 @@ tools/editconf.py /etc/postfix/main.cf \
 	bounce_queue_lifetime=1d
 
 # Guard against SMTP smuggling
-# This "long-term" fix is recommended at https://www.postfix.org/smtp-smuggling.html.
-# This beecame supported in a backported fix in package version 3.6.4-1ubuntu1.3. It is
-# unnecessary in Postfix 3.9+ where this is the default. The "short-term" workarounds
-# that we previously had are reverted to postfix defaults (though smtpd_discard_ehlo_keywords
-# was never included in a released version of Mail-in-a-Box).
-tools/editconf.py /etc/postfix/main.cf -e \
-       smtpd_data_restrictions= \
-       smtpd_discard_ehlo_keywords=
+# This short-term workaround is recommended at https://www.postfix.org/smtp-smuggling.html
 tools/editconf.py /etc/postfix/main.cf \
-       smtpd_forbid_bare_newline=normalize
+	smtpd_data_restrictions=reject_unauth_pipelining \
+	smtpd_discard_ehlo_keywords="chunking, silent-discard"
 
 # ### Outgoing Mail
 

setup/webmail.sh

@@ -217,7 +217,7 @@ sed -i.miabold 's/^[^#]\+.\+PRAGMA journal_mode = WAL.\+$/#&/' \
 # Because Roundcube wants to set the PRAGMA we just deleted from the source, we apply it here
 # to the roundcube database (see https://github.com/roundcube/roundcubemail/issues/8035)
 # Database should exist, created by migration script
-hide_output sqlite3 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite 'PRAGMA journal_mode=WAL;'
+sqlite3 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite 'PRAGMA journal_mode=WAL;' | 2>&1
 
 # Enable PHP modules.
 phpenmod -v $PHP_VER imap

tools/editconf.py

@@ -30,7 +30,7 @@ import sys, re
 
 # sanity check
 if len(sys.argv) < 3:
-	print("usage: python3 editconf.py /etc/file.conf [-e] [-s] [-w] [-c <CHARACTER>] [-t] NAME=VAL [NAME=VAL ...]")
+	print("usage: python3 editconf.py /etc/file.conf [-s] [-w] [-c <CHARACTER>] [-t] NAME=VAL [NAME=VAL ...]")
 	sys.exit(1)
 
 # parse command line arguments