v61.1

Revert "Improve error messages in the management tools when external command-line tools are run"
Command line arguments have user secrets in some cases which should not be included in error messages. This reverts commit 26709a3c1d. Reported by AK.
2026-03-13 17:17:23 +01:00 · 2023-01-28 11:25:21 -05:00 · 2023-01-28 11:24:38 -05:00 · 2023-01-28 11:12:40 -05:00 · 2023-01-28 11:11:17 -05:00 · 2023-01-28 11:04:46 -05:00
48 changed files with 837 additions and 612 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,17 +1,120 @@
 CHANGELOG
 =========
-In Development
+Version 61.1 (January 28, 2022)
--------------
+-------------------------------
 * Fixed rsync backups not working with the default port.
 * Reverted "Improve error messages in the management tools when external command-line tools are run." because of the possibility of user secrets being included in error messages.
 * Fix for TLS certificate SHA fingerprint not being displayed during setup.
 Version 61 (January 21, 2023)
 -----------------------------
 System:
 * fail2ban didn't start after setup.
 Mail:
 * Disable Roundcube password plugin since it was corrupting the user database.
 Control panel:
 * Fix changing existing backup settings when the rsync type is used.
 * Allow setting a custom port for rsync backups.
 * Fixes to DNS lookups during status checks when there are timeouts, enforce timeouts better.
 * A new check is added to ensure fail2ban is running.
 * Fixed a color.
 * Improve error messages in the management tools when external command-line tools are run.
 Version 60.1 (October 30, 2022)
 -------------------------------
 * A setup issue where the DNS server nsd isn't running at the end of setup is (hopefully) fixed.
 * Nextcloud is updated to 23.0.10 (contacts to 4.2.2, calendar to 3.5.1).
 Version 60 (October 11, 2022)
 -----------------------------
 This is the first release for Ubuntu 22.04.
 **Before upgrading**, you must **first upgrade your existing Ubuntu 18.04 box to Mail-in-a-Box v0.51 or later**, if you haven't already done so. That may not be possible after Ubuntu 18.04 reaches its end of life in April 2023, so please complete the upgrade well before then. (If you are not using Nextcloud's contacts or calendar, you can migrate to the latest version of Mail-in-a-Box from any previous version.)
 For complete upgrade instructions, see:
 https://discourse.mailinabox.email/t/version-60-for-ubuntu-22-04-is-about-to-be-released/9558
 No major features of Mail-in-a-Box have changed in this release, although some minor fixes were made.
 With the newer version of Ubuntu the following software packages we use are updated:
 * dovecot is upgraded to 2.3.16, postfix to 3.6.4, opendmark to 1.4 (which adds ARC-Authentication-Results headers), and spampd to 2.53 (alleviating a mail delivery rate limiting bug).
 * Nextcloud is upgraded to 23.0.4 (contacts to 4.2.0, calendar to 3.5.0).
 * Roundcube is upgraded to 1.6.0.
 * certbot is upgraded to 1.21 (via the Ubuntu repository instead of a PPA).
 * fail2ban is upgraded to 0.11.2.
 * nginx is upgraded to 1.18.
 * PHP is upgraded from 7.2 to 8.0.
 Also:
 * Roundcube's login session cookie was tightened. Existing sessions may require a manual logout.
 * Moved Postgrey's database under $STORAGE_ROOT.
 Version 57a (June 19, 2022)
 ---------------------------
 * The Backblaze backups fix posted in Version 57 was incomplete. It's now fixed.
 Version 57 (June 12, 2022)
 --------------------------
 Setup:
 * Fixed issue upgrading from Mail-in-a-Box v0.40-v0.50 because of a changed URL that Nextcloud is downloaded from.
 Backups:
 * Fixed S3 backups which broke with duplicity 0.8.23.
 * Fixed Backblaze backups which broke with latest b2sdk package by rolling back its version.
 Control panel:
 * Fixed spurious changes in system status checks messages by sorting DNSSEC DS records.
 * Fixed fail2ban lockout over IPv6 from excessive loads of the system status checks.
 * Fixed an incorrect IPv6 system status check message.
 Version 56 (January 19, 2022)
 -----------------------------
 Software updates:
 * Roundcube updated to 1.5.2 (from 1.5.0), and the persistent_login and CardDAV (to 4.3.0 from 3.0.3) plugins are updated.
 * Nextcloud updated to 20.0.14 (from 20.0.8), contacts to 4.0.7 (from 3.5.1), and calendar to 3.0.4 (from 2.2.0).
 Setup:
 * Fixed failed setup if a previous attempt failed while updating Nextcloud.
 Control panel:
 * Fixed a crash if a custom DNS entry is not under a zone managed by the box.
 * Fix DNSSEC instructions typo.
 Other:
 * Set systemd journald log retention to 10 days (from no limit) to reduce disk usage.
 * Fixed log processing for submission lines that have a sasl_sender or other extra information.
 * Fix DNS secondary nameserver refesh failure retry period.
 Version 55 (October 18, 2021)
 -----------------------------
 Mail:
 * "SMTPUTF8" is now disabled in Postfix. Because Dovecot still does not support SMTPUTF8, incoming mail to internationalized addresses was bouncing. This fixes incoming mail to internationalized domains (which was probably working prior to v0.40), but it will prevent sending outbound mail to addresses with internationalized local-parts.
-* Upgraded to Roundcube 1.5 Release Candidate.
+* Upgraded to Roundcube 1.5.
 Firewall:
 * Fail2ban's IPv6 support is enabled.
 Control panel:
@@ -27,6 +130,7 @@ Control panel:
 Other:
 * Fail2ban's IPv6 support is enabled.
 * The mail log tool now doesn't crash if there are email addresess in log messages with invalid UTF-8 characters.
 * Additional nsd.conf files can be placed in /etc/nsd.conf.d.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -20,9 +20,9 @@ _If you're seeing an error message about your *IP address being listed in the Sp
 ### Modifying your `hosts` file
-After a while, Mail-in-a-Box will be available at `192.168.50.4` (unless you changed that in your `Vagrantfile`). To be able to use the web-based bits, we recommend to add a hostname to your `hosts` file:
+After a while, Mail-in-a-Box will be available at `192.168.56.4` (unless you changed that in your `Vagrantfile`). To be able to use the web-based bits, we recommend to add a hostname to your `hosts` file:
-    $ echo "192.168.50.4 mailinabox.lan" | sudo tee -a /etc/hosts
+    $ echo "192.168.56.4 mailinabox.lan" | sudo tee -a /etc/hosts
 You should now be able to navigate to https://mailinabox.lan/admin using your browser. There should be an initial admin user with the name `me@mailinabox.lan` and the password `12345678`.
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ Additionally, this project has a [Code of Conduct](CODE_OF_CONDUCT.md), which su
 In The Box
 ----------
-Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a working mail server by installing and configuring various components.
+Mail-in-a-Box turns a fresh Ubuntu 22.04 LTS 64-bit machine into a working mail server by installing and configuring various components.
 It is a one-click email appliance. There are no user-configurable setup options. It "just works."
@@ -54,13 +54,13 @@ Installation
 See the [setup guide](https://mailinabox.email/guide.html) for detailed, user-friendly instructions.
-For experts, start with a completely fresh (really, I mean it) Ubuntu 18.04 LTS 64-bit machine. On the machine...
+For experts, start with a completely fresh (really, I mean it) Ubuntu 22.04 LTS 64-bit machine. On the machine...
 Clone this repository and checkout the tag corresponding to the most recent release:
 	$ git clone https://github.com/mail-in-a-box/mailinabox
 	$ cd mailinabox
-	$ git checkout v0.54
+	$ git checkout v61.1
 Begin the installation.
--- a/4
+++ b/4
@@ -2,14 +2,14 @@
 # vi: set ft=ruby :
 Vagrant.configure("2") do |config|
-  config.vm.box = "ubuntu/bionic64"
+  config.vm.box = "ubuntu/jammy64"
  # Network config: Since it's a mail server, the machine must be connected
  # to the public web. However, we currently don't want to expose SSH since
  # the machine's box will let anyone log into it. So instead we'll put the
  # machine on a private network.
  config.vm.hostname = "mailinabox.lan"
-  config.vm.network "private_network", ip: "192.168.50.4"
+  config.vm.network "private_network", ip: "192.168.56.4"
  config.vm.provision :shell, :inline => <<-SH
    # Set environment variables so that the setup script does
--- a/api/mailinabox.yml
+++ b/api/mailinabox.yml
@@ -71,7 +71,7 @@ paths:
      x-codeSamples:
        - lang: curl
          source: |
-            curl -X GET "https://{host}/admin/login" \
+            curl -X POST "https://{host}/admin/login" \
              -u "<email>:<password>"
      responses:
        200:
@@ -103,13 +103,15 @@ paths:
      x-codeSamples:
        - lang: curl
          source: |
-            curl -X GET "https://{host}/admin/logout" \
+            curl -X POST "https://{host}/admin/logout" \
              -u "<email>:<session_key>"
      responses:
        200:
          description: Successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LogoutResponse'
  /system/status:
    post:
      tags:
@@ -1740,7 +1742,7 @@ paths:
            text/html:
              schema:
                type: string
-  /mfa/enable/totp:
+  /mfa/totp/enable:
    post:
      tags:
        - MFA
@@ -2723,3 +2725,8 @@ components:
          nullable: true
    MfaDisableSuccessResponse:
      type: string
    LogoutResponse:
      type: object
      properties:
        status:
          type: string
--- a/conf/fail2ban/jails.conf
+++ b/conf/fail2ban/jails.conf
@@ -5,7 +5,7 @@
 # Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
 # ping services over the public interface so we should whitelist that address of
 # ours too. The string is substituted during installation.
-ignoreip = 127.0.0.1/8 PUBLIC_IP
+ignoreip = 127.0.0.1/8 PUBLIC_IP ::1 PUBLIC_IPV6
 [dovecot]
 enabled = true
--- a/conf/mailinabox.service
+++ b/conf/mailinabox.service
@@ -4,6 +4,7 @@ After=multi-user.target
 [Service]
 Type=idle
 IgnoreSIGPIPE=False
 ExecStart=/usr/local/lib/mailinabox/start
 [Install]
--- a/conf/nginx-top.conf
+++ b/conf/nginx-top.conf
@@ -7,6 +7,6 @@
 ##       your own --- please do not ask for help from us.
 upstream php-fpm {
-	server unix:/var/run/php/php7.2-fpm.sock;
+	server unix:/var/run/php/php8.0-fpm.sock;
 }
--- a/management/auth.py
+++ b/management/auth.py
@@ -22,20 +22,8 @@ class AuthService:
 	def init_system_api_key(self):
 		"""Write an API key to a local file so local processes can use the API"""
-		def create_file_with_mode(path, mode):
+		with open(self.key_path, 'r') as file:
-			# Based on answer by A-B-B: http://stackoverflow.com/a/15015748
+			self.key = file.read()
 			old_umask = os.umask(0)
 			try:
 				return os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, mode), 'w')
 			finally:
 				os.umask(old_umask)
 		self.key = secrets.token_hex(32)
 		os.makedirs(os.path.dirname(self.key_path), exist_ok=True)
 		with create_file_with_mode(self.key_path, 0o640) as key_file:
 			key_file.write(self.key + '\n')
 	def authenticate(self, request, env, login_only=False, logout=False):
 		"""Test if the HTTP Authorization header's username matches the system key, a session key,
--- a/management/backup.py
+++ b/management/backup.py
@@ -12,12 +12,7 @@ import dateutil.parser, dateutil.relativedelta, dateutil.tz
 import rtyaml
 from exclusiveprocess import Lock
-from utils import load_environment, shell, wait_for_service, fix_boto
+from utils import load_environment, shell, wait_for_service
 rsync_ssh_options = [
 	"--ssh-options= -i /root/.ssh/id_rsa_miab",
 	"--rsync-options= -e \"/usr/bin/ssh -oStrictHostKeyChecking=no -oBatchMode=yes -p 22 -i /root/.ssh/id_rsa_miab\"",
 ]
 def backup_status(env):
 	# If backups are dissbled, return no status.
@@ -64,9 +59,9 @@ def backup_status(env):
 		"--archive-dir", backup_cache_dir,
 		"--gpg-options", "--cipher-algo=AES256",
 		"--log-fd", "1",
-		config["target"],
+		get_duplicity_target_url(config),
-		] + rsync_ssh_options,
+		] + get_duplicity_additional_args(env),
-		get_env(env),
+		get_duplicity_env_vars(env),
 		trap=True)
 	if code != 0:
 		# Command failed. This is likely due to an improperly configured remote
@@ -195,7 +190,54 @@ def get_passphrase(env):
 	return passphrase
-def get_env(env):
+def get_duplicity_target_url(config):
 	target = config["target"]
 	if get_target_type(config) == "s3":
 		from urllib.parse import urlsplit, urlunsplit
 		target = list(urlsplit(target))
 		# Although we store the S3 hostname in the target URL,
 		# duplicity no longer accepts it in the target URL. The hostname in
 		# the target URL must be the bucket name. The hostname is passed
 		# via get_duplicity_additional_args. Move the first part of the
 		# path (the bucket name) into the hostname URL component, and leave
 		# the rest for the path.
 		target[1], target[2] = target[2].lstrip('/').split('/', 1)
 		target = urlunsplit(target)
 	return target
 def get_duplicity_additional_args(env):
 	config = get_backup_config(env)
 	if get_target_type(config) == 'rsync':
 		# Extract a port number for the ssh transport.  Duplicity accepts the
 		# optional port number syntax in the target, but it doesn't appear to act
 		# on it, so we set the ssh port explicitly via the duplicity options.
 		from urllib.parse import urlsplit
 		try:
 			port = urlsplit(config["target"]).port
 		except ValueError:
 			port = 22
 		if port is None:
 			port = 22
 		return [
 			f"--ssh-options= -i /root/.ssh/id_rsa_miab -p {port}",
 			f"--rsync-options= -e \"/usr/bin/ssh -oStrictHostKeyChecking=no -oBatchMode=yes -p {port} -i /root/.ssh/id_rsa_miab\"",
 		]
 	elif get_target_type(config) == 's3':
 		# See note about hostname in get_duplicity_target_url.
 		from urllib.parse import urlsplit, urlunsplit
 		target = urlsplit(config["target"])
 		endpoint_url = urlunsplit(("https", target.netloc, '', '', ''))
 		return ["--s3-endpoint-url",  endpoint_url]
 	return []
 def get_duplicity_env_vars(env):
 	config = get_backup_config(env)
 	env = { "PASSPHRASE" : get_passphrase(env) }
@@ -247,9 +289,10 @@ def perform_backup(full_backup):
 			if quit:
 				sys.exit(code)
-	service_command("php7.2-fpm", "stop", quit=True)
+	service_command("php8.0-fpm", "stop", quit=True)
 	service_command("postfix", "stop", quit=True)
 	service_command("dovecot", "stop", quit=True)
 	service_command("postgrey", "stop", quit=True)
 	# Execute a pre-backup script that copies files outside the homedir.
 	# Run as the STORAGE_USER user, not as root. Pass our settings in
@@ -273,15 +316,16 @@ def perform_backup(full_backup):
 			"--volsize", "250",
 			"--gpg-options", "--cipher-algo=AES256",
 			env["STORAGE_ROOT"],
-			config["target"],
+			get_duplicity_target_url(config),
 			"--allow-source-mismatch"
-			] + rsync_ssh_options,
+			] + get_duplicity_additional_args(env),
-			get_env(env))
+			get_duplicity_env_vars(env))
 	finally:
 		# Start services again.
 		service_command("postgrey", "start", quit=False)
 		service_command("dovecot", "start", quit=False)
 		service_command("postfix", "start", quit=False)
-		service_command("php7.2-fpm", "start", quit=False)
+		service_command("php8.0-fpm", "start", quit=False)
 	# Remove old backups. This deletes all backup data no longer needed
 	# from more than 3 days ago.
@@ -292,9 +336,9 @@ def perform_backup(full_backup):
 		"--verbosity", "error",
 		"--archive-dir", backup_cache_dir,
 		"--force",
-		config["target"]
+		get_duplicity_target_url(config)
-		] + rsync_ssh_options,
+		] + get_duplicity_additional_args(env),
-		get_env(env))
+		get_duplicity_env_vars(env))
 	# From duplicity's manual:
 	# "This should only be necessary after a duplicity session fails or is
@@ -307,9 +351,9 @@ def perform_backup(full_backup):
 		"--verbosity", "error",
 		"--archive-dir", backup_cache_dir,
 		"--force",
-		config["target"]
+		get_duplicity_target_url(config)
-		] + rsync_ssh_options,
+		] + get_duplicity_additional_args(env),
-		get_env(env))
+		get_duplicity_env_vars(env))
 	# Change ownership of backups to the user-data user, so that the after-bcakup
 	# script can access them.
@@ -345,9 +389,9 @@ def run_duplicity_verification():
 		"--compare-data",
 		"--archive-dir", backup_cache_dir,
 		"--exclude", backup_root,
-		config["target"],
+		get_duplicity_target_url(config),
 		env["STORAGE_ROOT"],
-	] + rsync_ssh_options, get_env(env))
+	] + get_duplicity_additional_args(env), get_duplicity_env_vars(env))
 def run_duplicity_restore(args):
 	env = load_environment()
@@ -357,9 +401,9 @@ def run_duplicity_restore(args):
 		"/usr/bin/duplicity",
 		"restore",
 		"--archive-dir", backup_cache_dir,
-		config["target"],
+		get_duplicity_target_url(config),
-		] + rsync_ssh_options + args,
+		] + get_duplicity_additional_args(env) + args,
-	get_env(env))
+	get_duplicity_env_vars(env))
 def list_target_files(config):
 	import urllib.parse
@@ -375,6 +419,16 @@ def list_target_files(config):
 		rsync_fn_size_re = re.compile(r'.*    ([^ ]*) [^ ]* [^ ]* (.*)')
 		rsync_target = '{host}:{path}'
 		# Strip off any trailing port specifier because it's not valid in rsync's
 		# DEST syntax.  Explicitly set the port number for the ssh transport.
 		user_host, *_ = target.netloc.rsplit(':', 1)
 		try:
 			port = target.port
 		except ValueError:
 			 port = 22
 		if port is None:
 			port = 22
 		target_path = target.path
 		if not target_path.endswith('/'):
 			target_path = target_path + '/'
@@ -383,11 +437,11 @@ def list_target_files(config):
 		rsync_command = [ 'rsync',
 					'-e',
-					'/usr/bin/ssh -i /root/.ssh/id_rsa_miab -oStrictHostKeyChecking=no -oBatchMode=yes',
+					f'/usr/bin/ssh -i /root/.ssh/id_rsa_miab -oStrictHostKeyChecking=no -oBatchMode=yes -p {port}',
 					'--list-only',
 					'-r',
 					rsync_target.format(
-						host=target.netloc,
+						host=user_host,
 						path=target_path)
 				]
@@ -415,26 +469,13 @@ def list_target_files(config):
 			raise ValueError("Connection to rsync host failed: {}".format(reason))
 	elif target.scheme == "s3":
-		# match to a Region
+		import boto3.s3
-		fix_boto() # must call prior to importing boto
+		from botocore.exceptions import ClientError
-		import boto.s3
+		
-		from boto.exception import BotoServerError
+		# separate bucket from path in target
 		custom_region = False
 		for region in boto.s3.regions():
 			if region.endpoint == target.hostname:
 				break
 		else:
 			# If region is not found this is a custom region
 			custom_region = True
 		bucket = target.path[1:].split('/')[0]
 		path = '/'.join(target.path[1:].split('/')[1:]) + '/'
 		# Create a custom region with custom endpoint
 		if custom_region:
 			from boto.s3.connection import S3Connection
 			region = boto.s3.S3RegionInfo(name=bucket, endpoint=target.hostname, connection_cls=S3Connection)
 		# If no prefix is specified, set the path to '', otherwise boto won't list the files
 		if path == '/':
 			path = ''
@@ -444,18 +485,15 @@ def list_target_files(config):
 		# connect to the region & bucket
 		try:
-			conn = region.connect(aws_access_key_id=config["target_user"], aws_secret_access_key=config["target_pass"])
+			s3 = boto3.client('s3', \
-			bucket = conn.get_bucket(bucket)
+				endpoint_url=f'https://{target.hostname}', \
-		except BotoServerError as e:
+				aws_access_key_id=config['target_user'], \
-			if e.status == 403:
+				aws_secret_access_key=config['target_pass'])
-				raise ValueError("Invalid S3 access key or secret access key.")
+			bucket_objects = s3.list_objects_v2(Bucket=bucket, Prefix=path)['Contents']
-			elif e.status == 404:
+			backup_list = [(key['Key'][len(path):], key['Size']) for key in bucket_objects]
-				raise ValueError("Invalid S3 bucket name.")
+		except ClientError as e:
-			elif e.status == 301:
+			raise ValueError(e)
-				raise ValueError("Incorrect region for this bucket.")
+		return backup_list
 			raise ValueError(e.reason)
 		return [(key.name[len(path):], key.size) for key in bucket.list(prefix=path)]
 	elif target.scheme == 'b2':
 		from b2sdk.v1 import InMemoryAccountInfo, B2Api
 		from b2sdk.v1.exception import NonExistentBucket
@@ -514,7 +552,8 @@ def get_backup_config(env, for_save=False, for_ui=False):
 	# Merge in anything written to custom.yaml.
 	try:
-		custom_config = rtyaml.load(open(os.path.join(backup_root, 'custom.yaml')))
+		with open(os.path.join(backup_root, 'custom.yaml'), 'r') as f:
 			custom_config = rtyaml.load(f)
 		if not isinstance(custom_config, dict): raise ValueError() # caught below
 		config.update(custom_config)
 	except:
@@ -539,7 +578,8 @@ def get_backup_config(env, for_save=False, for_ui=False):
 		config["target"] = "file://" + config["file_target_directory"]
 	ssh_pub_key = os.path.join('/root', '.ssh', 'id_rsa_miab.pub')
 	if os.path.exists(ssh_pub_key):
-		config["ssh_pub_key"] = open(ssh_pub_key, 'r').read()
+		with open(ssh_pub_key, 'r') as f:
 			config["ssh_pub_key"] = f.read()
 	return config
--- a/management/cli.py
+++ b/management/cli.py
@@ -47,7 +47,8 @@ def read_password():
    return first
 def setup_key_auth(mgmt_uri):
-	key = open('/var/lib/mailinabox/api.key').read().strip()
+	with open('/var/lib/mailinabox/api.key', 'r') as f:
 		key = f.read().strip()
 	auth_handler = urllib.request.HTTPBasicAuthHandler()
 	auth_handler.add_password(
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -21,7 +21,7 @@ import auth, utils
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, remove_mail_user
 from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
 from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
-from mfa import get_public_mfa_state, provision_totp, provision_webauthn, validate_totp_secret, enable_mfa, disable_mfa
+from mfa import get_public_mfa_state, provision_totp, validate_totp_secret, enable_mfa, disable_mfa
 env = utils.load_environment()
@@ -121,9 +121,9 @@ def index():
 	no_users_exist = (len(get_mail_users(env)) == 0)
 	no_admins_exist = (len(get_admins(env)) == 0)
-	utils.fix_boto() # must call prior to importing boto
+	import boto3.s3
-	import boto.s3
+	backup_s3_hosts = [(r, f"s3.{r}.amazonaws.com") for r in boto3.session.Session().get_available_regions('s3')]
-	backup_s3_hosts = [(r.name, r.endpoint) for r in boto.s3.regions()]
+
 	return render_template('index.html',
 		hostname=env['PRIMARY_HOSTNAME'],
@@ -330,7 +330,7 @@ def dns_get_records(qname=None, rtype=None):
 		r["sort-order"]["created"] = i
 	domain_sort_order = utils.sort_domains([r["qname"] for r in records], env)
 	for i, r in enumerate(sorted(records, key = lambda r : (
-			zones.index(r["zone"]),
+			zones.index(r["zone"]) if r.get("zone") else 0, # record is not within a zone managed by the box
 			domain_sort_order.index(r["qname"]),
 			r["rtype"]))):
 		r["sort-order"]["qname"] = i
@@ -468,7 +468,7 @@ def ssl_provision_certs():
 def mfa_get_status():
 	# Anyone accessing this route is an admin, and we permit them to
 	# see the MFA status for any user if they submit a 'user' form
-	# field. But we don't always include provisioning info since a user can
+	# field. But we don't include provisioning info since a user can
 	# only provision for themselves.
 	email = request.form.get('user', request.user_email) # user field if given, otherwise the user making the request
 	try:
@@ -478,15 +478,14 @@ def mfa_get_status():
 		if email == request.user_email:
 			resp.update({
 				"new_mfa": {
-					"totp": provision_totp(email, env),
+					"totp": provision_totp(email, env)
 					"webauthn": provision_webauthn(email, env)
 				}
 			})
 	except ValueError as e:
 		return (str(e), 400)
 	return json_response(resp)
-@app.route('/mfa/enable/totp', methods=['POST'])
+@app.route('/mfa/totp/enable', methods=['POST'])
@authorized_personnel_only
 def totp_post_enable():
 	secret = request.form.get('secret')
@@ -496,20 +495,7 @@ def totp_post_enable():
 		return ("Bad Input", 400)
 	try:
 		validate_totp_secret(secret)
-		enable_mfa(request.user_email, "totp", env, secret, token, label)
+		enable_mfa(request.user_email, "totp", secret, token, label, env)
 	except ValueError as e:
 		return (str(e), 400)
 	return "OK"
@app.route('/mfa/enable/webauthn', methods=['POST'])
@authorized_personnel_only
 def webauthn_post_enable():
 	attestationObject = request.form.get('attestationObject')
 	clientDataJSON = request.form.get('clientDataJSON')
 	if type(attestationObject) != str or type(clientDataJSON) != str:
 		return ("Bad Input", 400)
 	try:
 		enable_mfa(request.user_email, "webauthn", env, attestationObject, clientDataJSON)
 	except ValueError as e:
 		return (str(e), 400)
 	return "OK"
@@ -585,6 +571,8 @@ def system_status():
 	# Create a temporary pool of processes for the status checks
 	with multiprocessing.pool.Pool(processes=5) as pool:
 		run_checks(False, env, output, pool)
 		pool.close()
 		pool.join()
 	return json_response(output.items)
@app.route('/system/updates')
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -96,9 +96,18 @@ def do_dns_update(env, force=False):
 		if len(updated_domains) == 0:
 			updated_domains.append("DNS configuration")
-	# Kick nsd if anything changed.
+	# Tell nsd to reload changed zone files.
 	if len(updated_domains) > 0:
-		shell('check_call', ["/usr/sbin/service", "nsd", "restart"])
+		# 'reconfig' is needed if there are added or removed zones, but
 		# it may not reload existing zones, so we call 'reload' too. If
 		# nsd isn't running, nsd-control fails, so in that case revert
 		# to restarting nsd to make sure it is running. Restarting nsd
 		# should also refresh everything.
 		try:
 			shell('check_call', ["/usr/sbin/nsd-control", "reconfig"])
 			shell('check_call', ["/usr/sbin/nsd-control", "reload"])
 		except:
 			shell('check_call', ["/usr/sbin/service", "nsd", "restart"])
 	# Write the OpenDKIM configuration tables for all of the mail domains.
 	from mailconfig import get_mail_domains
@@ -298,7 +307,7 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
 		# Append a DMARC record.
 		# Skip if the user has set a DMARC record already.
 		if not has_rec("_dmarc", "TXT", prefix="v=DMARC1; "):
-			records.append(("_dmarc", "TXT", 'v=DMARC1; p=quarantine', "Recommended. Specifies that mail that does not originate from the box but claims to be from @%s or which does not have a valid DKIM signature is suspect and should be quarantined by the recipient's mail system." % domain))
+			records.append(("_dmarc", "TXT", 'v=DMARC1; p=quarantine;', "Recommended. Specifies that mail that does not originate from the box but claims to be from @%s or which does not have a valid DKIM signature is suspect and should be quarantined by the recipient's mail system." % domain))
 	if domain_properties[domain]["user"]:
 		# Add CardDAV/CalDAV SRV records on the non-primary hostname that points to the primary hostname
@@ -363,7 +372,7 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
 			if not has_rec(qname, "TXT", prefix="v=spf1 "):
 				records.append((qname,  "TXT", 'v=spf1 -all', "Recommended. Prevents use of this domain name for outbound mail by specifying that no servers are valid sources for mail from @%s. If you do send email from this domain name you should either override this record such that the SPF rule does allow the originating server, or, take the recommended approach and have the box handle mail for this domain (simply add any receiving alias at this domain name to make this machine treat the domain name as one of its mail domains)." % d))
 			if not has_rec("_dmarc" + ("."+qname if qname else ""), "TXT", prefix="v=DMARC1; "):
-				records.append(("_dmarc" + ("."+qname if qname else ""), "TXT", 'v=DMARC1; p=reject', "Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @%s." % d))
+				records.append(("_dmarc" + ("."+qname if qname else ""), "TXT", 'v=DMARC1; p=reject;', "Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @%s." % d))
 			# And with a null MX record (https://explained-from-first-principles.com/email/#null-mx-record)
 			if not has_rec(qname, "MX"):
@@ -484,7 +493,7 @@ def write_nsd_zone(domain, zonefile, records, env, force):
 	# @ the PRIMARY_HOSTNAME. Hopefully that's legit.
 	#
 	# For the refresh through TTL fields, a good reference is:
-	# http://www.peerwisdom.org/2013/05/15/dns-understanding-the-soa-record/
+	# https://www.ripe.net/publications/docs/ripe-203
 	#
 	# A hash of the available DNSSEC keys are added in a comment so that when
 	# the keys change we force a re-generation of the zone which triggers
@@ -497,7 +506,7 @@ $TTL 86400          ; default time to live
@ IN SOA ns1.{primary_domain}. hostmaster.{primary_domain}. (
           __SERIAL__     ; serial number
           7200     ; Refresh (secondary nameserver update interval)
-           86400    ; Retry (when refresh fails, how often to try again)
+           3600     ; Retry (when refresh fails, how often to try again, should be lower than the refresh)
           1209600  ; Expire (when refresh fails, how long secondary nameserver will keep records around anyway)
           86400    ; Negative TTL (how long negative responses are cached)
           )
@@ -806,7 +815,8 @@ def write_opendkim_tables(domains, env):
 def get_custom_dns_config(env, only_real_records=False):
 	try:
-		custom_dns = rtyaml.load(open(os.path.join(env['STORAGE_ROOT'], 'dns/custom.yaml')))
+		with open(os.path.join(env['STORAGE_ROOT'], 'dns/custom.yaml'), 'r') as f:
 			custom_dns = rtyaml.load(f)
 		if not isinstance(custom_dns, dict): raise ValueError() # caught below
 	except:
 		return [ ]
@@ -983,6 +993,7 @@ def set_custom_dns_record(qname, rtype, value, action, env):
 def get_secondary_dns(custom_dns, mode=None):
 	resolver = dns.resolver.get_default_resolver()
 	resolver.timeout = 10
 	resolver.lifetime = 10
 	values = []
 	for qname, rtype, value in custom_dns:
@@ -1000,10 +1011,17 @@ def get_secondary_dns(custom_dns, mode=None):
 			# doesn't.
 			if not hostname.startswith("xfr:"):
 				if mode == "xfr":
-					response = dns.resolver.query(hostname+'.', "A", raise_on_no_answer=False)
+					try:
-					values.extend(map(str, response))
+						response = resolver.resolve(hostname+'.', "A", raise_on_no_answer=False)
-					response = dns.resolver.query(hostname+'.', "AAAA", raise_on_no_answer=False)
+						values.extend(map(str, response))
-					values.extend(map(str, response))
+					except dns.exception.DNSException:
 						pass
 					try:
 						response = resolver.resolve(hostname+'.', "AAAA", raise_on_no_answer=False)
 						values.extend(map(str, response))
 					except dns.exception.DNSException:
 						pass
 					continue
 				values.append(hostname)
@@ -1021,15 +1039,17 @@ def set_secondary_dns(hostnames, env):
 		# Validate that all hostnames are valid and that all zone-xfer IP addresses are valid.
 		resolver = dns.resolver.get_default_resolver()
 		resolver.timeout = 5
 		resolver.lifetime = 5
 		for item in hostnames:
 			if not item.startswith("xfr:"):
 				# Resolve hostname.
 				try:
-					response = resolver.query(item, "A")
+					response = resolver.resolve(item, "A")
-				except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
+				except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.Timeout):
 					try:
-						response = resolver.query(item, "AAAA")
+						response = resolver.resolve(item, "AAAA")
-					except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
+					except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.Timeout):
 						raise ValueError("Could not resolve the IP address of %s." % item)
 			else:
 				# Validate IP address.
@@ -1062,7 +1082,7 @@ def get_custom_dns_records(custom_dns, qname, rtype):
 def build_recommended_dns(env):
 	ret = []
 	for (domain, zonefile, records) in build_zones(env):
-		# remove records that we don't dislay
+		# remove records that we don't display
 		records = [r for r in records if r[3] is not False]
 		# put Required at the top, then Recommended, then everythiing else
--- a/management/mail_log.py
+++ b/management/mail_log.py
@@ -73,7 +73,8 @@ def scan_files(collector):
            continue
        elif fn[-3:] == '.gz':
            tmp_file = tempfile.NamedTemporaryFile()
-            shutil.copyfileobj(gzip.open(fn), tmp_file)
+            with gzip.open(fn, 'rb') as f:
                shutil.copyfileobj(f, tmp_file)
        if VERBOSE:
            print("Processing file", fn, "...")
@@ -549,8 +550,9 @@ def scan_postfix_submission_line(date, log, collector):
    """
    # Match both the 'plain' and 'login' sasl methods, since both authentication methods are
-    # allowed by Dovecot
+    # allowed by Dovecot. Exclude trailing comma after the username when additional fields 
-    m = re.match("([A-Z0-9]+): client=(\S+), sasl_method=(PLAIN|LOGIN), sasl_username=(\S+)", log)
+	# follow after.
    m = re.match("([A-Z0-9]+): client=(\S+), sasl_method=(PLAIN|LOGIN), sasl_username=(\S+)(?<!,)", log)
    if m:
        _, client, method, user = m.groups()
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -1,12 +1,9 @@
 import base64
 import hmac
 import io
 import json
 import os
 import pyotp
 import qrcode
 import pywarp
 import pywarp.backends
 from mailconfig import open_database
@@ -32,44 +29,25 @@ def get_public_mfa_state(email, env):
 	]
 def get_hash_mfa_state(email, env):
-	# Get the current MFA credential secrets from which we form a hash
+	mfa_state = get_mfa_state(email, env)
-	# so that we can reset user logins when any authentication information
+	return [
-	# changes.
+		{ "id": s["id"], "type": s["type"], "secret": s["secret"] }
-	mfa_state = []
+		for s in mfa_state
-	for s in get_mfa_state(email, env):
+	]
 		# Add TOTP id and secret to the state.
 		# Skip WebAuthn state if it's just a challenge.
 		if s["type"] == "webauthn":
 			try:
 				# Get the credential and only include it (not challenges) in the state.
 				s["secret"] = json.loads(s["secret"])["cred_pub_key"]
 			except:
 				# Skip this one --- there is no cred_pub_key.
 				continue
 		mfa_state.append({ "id": s["id"], "type": s["type"], "secret": s["secret"] })
 	return mfa_state
-def enable_mfa(email, type, env, *args):
+def enable_mfa(email, type, secret, token, label, env):
 	if type == "totp":
 		secret, token, label = args
 		validate_totp_secret(secret)
 		# Sanity check with the provide current token.
 		totp = pyotp.TOTP(secret)
 		if not totp.verify(token, valid_window=1):
 			raise ValueError("Invalid token.")
 		conn, c = open_database(env, with_connection=True)
 		c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (get_user_id(email, c), type, secret, label))
 		conn.commit()
 	elif type == "webauthn":
 		attestationObject, clientDataJSON = args
 		rp = pywarp.RelyingPartyManager(
 			get_relying_party_name(env),
 			rp_id=env["PRIMARY_HOSTNAME"], # must match hostname the control panel is served from
 			credential_storage_backend=WebauthnStorageBackend(env))
 		rp.register(attestation_object=base64.b64decode(attestationObject), client_data_json=base64.b64decode(clientDataJSON), email=email.encode("utf8")) # encoding of email is a little funky here, pywarp calls .decode() with no args?
 	else:
 		raise ValueError("Invalid MFA type.")
 	conn, c = open_database(env, with_connection=True)
 	c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (get_user_id(email, c), type, secret, label))
 	conn.commit()
 def set_mru_token(email, mfa_id, token, env):
 	conn, c = open_database(env, with_connection=True)
@@ -93,9 +71,6 @@ def validate_totp_secret(secret):
 	if len(secret) != 32:
 		raise ValueError("Secret should be a 32 characters base32 string")
 def get_relying_party_name(env):
 	return env["PRIMARY_HOSTNAME"] + " Mail-in-a-Box Control Panel"
 def provision_totp(email, env):
 	# Make a new secret.
 	secret = base64.b32encode(os.urandom(20)).decode('utf-8')
@@ -104,7 +79,7 @@ def provision_totp(email, env):
 	# Make a URI that we encode within a QR code.
 	uri = pyotp.TOTP(secret).provisioning_uri(
 		name=email,
-		issuer_name=get_relying_party_name(env)
+		issuer_name=env["PRIMARY_HOSTNAME"] + " Mail-in-a-Box Control Panel"
 	)
 	# Generate a QR code as a base64-encode PNG image.
@@ -119,55 +94,6 @@ def provision_totp(email, env):
 		"qr_code_base64": png_b64
 	}
 class WebauthnStorageBackend(pywarp.backends.CredentialStorageBackend):
 	def __init__(self, env):
 		self.env = env
 	def get_record(self, email, conn=None, c=None):
 		# Get an existing record and parse the 'secret' column as JSON.
 		if conn is None: conn, c = open_database(self.env, with_connection=True)
 		c.execute('SELECT secret FROM mfa WHERE user_id=? AND type="webauthn"', (get_user_id(email, c),))
 		config = c.fetchone()
 		if config:
 			try:
 				return json.loads(config[0])
 			except:
 				pass
 		return { }
 	def update_record(self, email, fields):
 		# Update the webauthn record in the database for this user by
 		# merging the fields with the existing fields in the database.
 		conn, c = open_database(self.env, with_connection=True)
 		config = self.get_record(email, conn=conn, c=c)
 		if config:
 			# Merge and update.
 			config.update(fields)
 			config = json.dumps(config)
 			c.execute('UPDATE mfa SET secret=? WHERE user_id=? AND type="webauthn"', (config, get_user_id(email, c),))
 			conn.commit()
 			return
 		# Either there's no existing webauthn record or it's corrupted. Delete any existing record.
 		# Then add a new record.
 		c.execute('DELETE FROM mfa WHERE user_id=? AND type="webauthn"', (get_user_id(email, c),))
 		c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (
 			get_user_id(email, c), "webauthn",
 			json.dumps(fields),
 			"WebAuthn"))
 		conn.commit()
 	def save_challenge_for_user(self, email, challenge, type):
 		self.update_record(email, { type + "challenge": base64.b64encode(challenge).decode("ascii") })
 	def get_challenge_for_user(self, email, type):
 		challenge = self.get_record(email).get(type + "challenge")
 		if challenge: challenge = base64.b64decode(challenge.encode("ascii"))
 		return challenge
 def provision_webauthn(email, env):
 	rp = pywarp.RelyingPartyManager(
 		get_relying_party_name(env),
 		rp_id=env["PRIMARY_HOSTNAME"], # must match hostname the control panel is served from
 		credential_storage_backend=WebauthnStorageBackend(env))
 	return rp.get_registration_options(email=email)
 def validate_auth_mfa(email, request, env):
 	# Validates that a login request satisfies any MFA modes
 	# that have been enabled for the user's account. Returns
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -58,36 +58,33 @@ def get_ssl_certificates(env):
 			# Not a valid PEM format for a PEM type we care about.
 			continue
 		# Remember where we got this object.
 		pem._filename = fn
 		# Is it a private key?
 		if isinstance(pem, RSAPrivateKey):
-			private_keys[pem.public_key().public_numbers()] = pem
+			private_keys[pem.public_key().public_numbers()] = { "filename": fn, "key": pem }
 		# Is it a certificate?
 		if isinstance(pem, Certificate):
-			certificates.append(pem)
+			certificates.append({ "filename": fn, "cert": pem })
 	# Process the certificates.
 	domains = { }
 	for cert in certificates:
 		# What domains is this certificate good for?
-		cert_domains, primary_domain = get_certificate_domains(cert)
+		cert_domains, primary_domain = get_certificate_domains(cert["cert"])
-		cert._primary_domain = primary_domain
+		cert["primary_domain"] = primary_domain
 		# Is there a private key file for this certificate?
-		private_key = private_keys.get(cert.public_key().public_numbers())
+		private_key = private_keys.get(cert["cert"].public_key().public_numbers())
 		if not private_key:
 			continue
-		cert._private_key = private_key
+		cert["private_key"] = private_key
 		# Add this cert to the list of certs usable for the domains.
 		for domain in cert_domains:
 			# The primary hostname can only use a certificate mapped
 			# to the system private key.
 			if domain == env['PRIMARY_HOSTNAME']:
-				if cert._private_key._filename != os.path.join(env['STORAGE_ROOT'], 'ssl', 'ssl_private_key.pem'):
+				if cert["private_key"]["filename"] != os.path.join(env['STORAGE_ROOT'], 'ssl', 'ssl_private_key.pem'):
 					continue
 			domains.setdefault(domain, []).append(cert)
@@ -100,10 +97,10 @@ def get_ssl_certificates(env):
 		#for c in cert_list: print(domain, c.not_valid_before, c.not_valid_after, "("+str(now)+")", c.issuer, c.subject, c._filename)
 		cert_list.sort(key = lambda cert : (
 			# must be valid NOW
-			cert.not_valid_before <= now <= cert.not_valid_after,
+			cert["cert"].not_valid_before <= now <= cert["cert"].not_valid_after,
 			# prefer one that is not self-signed
-			cert.issuer != cert.subject,
+			cert["cert"].issuer != cert["cert"].subject,
 			###########################################################
 			# The above lines ensure that valid certificates are chosen
@@ -113,7 +110,7 @@ def get_ssl_certificates(env):
 			# prefer one with the expiration furthest into the future so
 			# that we can easily rotate to new certs as we get them
-			cert.not_valid_after,
+			cert["cert"].not_valid_after,
 			###########################################################
 			# We always choose the certificate that is good for the
@@ -128,15 +125,15 @@ def get_ssl_certificates(env):
 			# in case a certificate is installed in multiple paths,
 			# prefer the... lexicographically last one?
-			cert._filename,
+			cert["filename"],
 		), reverse=True)
 		cert = cert_list.pop(0)
 		ret[domain] = {
-			"private-key": cert._private_key._filename,
+			"private-key": cert["private_key"]["filename"],
-			"certificate": cert._filename,
+			"certificate": cert["filename"],
-			"primary-domain": cert._primary_domain,
+			"primary-domain": cert["primary_domain"],
-			"certificate_object": cert,
+			"certificate_object": cert["cert"],
 			}
 	return ret
@@ -538,7 +535,8 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring
 	# Second, check that the certificate matches the private key.
 	if ssl_private_key is not None:
 		try:
-			priv_key = load_pem(open(ssl_private_key, 'rb').read())
+			with open(ssl_private_key, 'rb') as f:
 				priv_key = load_pem(f.read())
 		except ValueError as e:
 			return ("The private key file %s is not a private key file: %s" % (ssl_private_key, str(e)), None)
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -95,6 +95,12 @@ def run_services_checks(env, output, pool):
 		fatal = fatal or fatal2
 		output2.playback(output)
 	# Check fail2ban.
 	code, ret = shell('check_output', ["fail2ban-client", "status"], capture_stderr=True, trap=True)
 	if code != 0:
 		output.print_error("fail2ban is not running.")
 		all_running = False
 	if all_running:
 		output.print_ok("All system services are running.")
@@ -135,7 +141,7 @@ def check_service(i, service, env):
 			# IPv4 ok but IPv6 failed. Try the PRIVATE_IPV6 address to see if the service is bound to the interface.
 			elif service["port"] != 53 and try_connect(env["PRIVATE_IPV6"]):
-				output.print_error("%s is running (and available over IPv4 and the local IPv6 address), but it is not publicly accessible at %s:%d." % (service['name'], env['PUBLIC_IP'], service['port']))
+				output.print_error("%s is running (and available over IPv4 and the local IPv6 address), but it is not publicly accessible at %s:%d." % (service['name'], env['PUBLIC_IPV6'], service['port']))
 			else:
 				output.print_error("%s is running and available over IPv4 but is not accessible over IPv6 at %s port %d." % (service['name'], env['PUBLIC_IPV6'], service['port']))
@@ -207,7 +213,8 @@ def check_ssh_password(env, output):
 	# the configuration file.
 	if not os.path.exists("/etc/ssh/sshd_config"):
 		return
-	sshd = open("/etc/ssh/sshd_config").read()
+	with open("/etc/ssh/sshd_config", "r") as f:
 		sshd = f.read()
 	if re.search("\nPasswordAuthentication\s+yes", sshd) \
 		or not re.search("\nPasswordAuthentication\s+no", sshd):
 		output.print_error("""The SSH server on this machine permits password-based login. A more secure
@@ -253,6 +260,18 @@ def check_free_disk_space(rounded_values, env, output):
 		if rounded_values: disk_msg = "The disk has less than 15% free space."
 		output.print_error(disk_msg)
 	# Check that there's only one duplicity cache. If there's more than one,
 	# it's probably no longer in use, and we can recommend clearing the cache
 	# to save space. The cache directory may not exist yet, which is OK.
 	backup_cache_path = os.path.join(env['STORAGE_ROOT'], 'backup/cache')
 	try:
 		backup_cache_count = len(os.listdir(backup_cache_path))
 	except:
 		backup_cache_count = 0
 	if backup_cache_count > 1:
 		output.print_warning("The backup cache directory {} has more than one backup target cache. Consider clearing this directory to save disk space."
 			.format(backup_cache_path))
 def check_free_memory(rounded_values, env, output):
 	# Check free memory.
 	percent_free = 100 - psutil.virtual_memory().percent
@@ -296,6 +315,8 @@ def run_network_checks(env, output):
 		output.print_ok("IP address is not blacklisted by zen.spamhaus.org.")
 	elif zen == "[timeout]":
 		output.print_warning("Connection to zen.spamhaus.org timed out. We could not determine whether your server's IP address is blacklisted. Please try again later.")
 	elif zen == "[Not Set]":
 		output.print_warning("Could not connect to zen.spamhaus.org. We could not determine whether your server's IP address is blacklisted. Please try again later.")
 	else:
 		output.print_error("""The IP address of this machine %s is listed in the Spamhaus Block List (code %s),
 			which may prevent recipients from receiving your email. See http://www.spamhaus.org/query/ip/%s."""
@@ -529,7 +550,7 @@ def check_dns_zone(domain, env, output, dns_zonefiles):
 		for ns in custom_secondary_ns:
 			# We must first resolve the nameserver to an IP address so we can query it.
 			ns_ips = query_dns(ns, "A")
-			if not ns_ips:
+			if not ns_ips or ns_ips in {'[Not Set]', '[timeout]'}:
 				output.print_error("Secondary nameserver %s is not valid (it doesn't resolve to an IP address)." % ns)
 				continue
 			# Choose the first IP if nameserver returns multiple
@@ -580,7 +601,8 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
 			# record that we suggest using is for the KSK (and that's how the DS records were generated).
 			# We'll also give the nice name for the key algorithm.
 			dnssec_keys = load_env_vars_from_file(os.path.join(env['STORAGE_ROOT'], 'dns/dnssec/%s.conf' % alg_name_map[ds_alg]))
-			dnsssec_pubkey = open(os.path.join(env['STORAGE_ROOT'], 'dns/dnssec/' + dnssec_keys['KSK'] + '.key')).read().split("\t")[3].split(" ")[3]
+			with open(os.path.join(env['STORAGE_ROOT'], 'dns/dnssec/' + dnssec_keys['KSK'] + '.key'), 'r') as f:
 				dnsssec_pubkey = f.read().split("\t")[3].split(" ")[3]
 			expected_ds_records[ (ds_keytag, ds_alg, ds_digalg, ds_digest) ] = {
 				"record": rr_ds,
@@ -646,7 +668,7 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
 		output.print_line("Option " + str(i+1) + ":")
 		output.print_line("----------")
 		output.print_line("Key Tag: " + ds_suggestion['keytag'])
-		output.print_line("Key Flags: KSK (256)")
+		output.print_line("Key Flags: KSK / 257")
 		output.print_line("Algorithm: %s / %s" % (ds_suggestion['alg'], ds_suggestion['alg_name']))
 		output.print_line("Digest Type: %s / %s" % (ds_suggestion['digalg'], ds_suggestion['digalg_name']))
 		output.print_line("Digest: " + ds_suggestion['digest'])
@@ -658,7 +680,7 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False):
 	if len(ds) > 0:
 		output.print_line("")
 		output.print_line("The DS record is currently set to:")
-		for rr in ds:
+		for rr in sorted(ds):
 			output.print_line("Key Tag: {0}, Algorithm: {1}, Digest Type: {2}, Digest: {3}".format(*rr))
 def check_mail_domain(domain, env, output):
@@ -703,7 +725,7 @@ def check_mail_domain(domain, env, output):
 		output.print_ok(good_news)
 		# Check MTA-STS policy.
-		loop = asyncio.get_event_loop()
+		loop = asyncio.new_event_loop()
 		sts_resolver = postfix_mta_sts_resolver.resolver.STSResolver(loop=loop)
 		valid, policy = loop.run_until_complete(sts_resolver.resolve(domain))
 		if valid == postfix_mta_sts_resolver.resolver.STSFetchResult.VALID:
@@ -732,6 +754,8 @@ def check_mail_domain(domain, env, output):
 		output.print_ok("Domain is not blacklisted by dbl.spamhaus.org.")
 	elif dbl == "[timeout]":
 		output.print_warning("Connection to dbl.spamhaus.org timed out. We could not determine whether the domain {} is blacklisted. Please try again later.".format(domain))
 	elif dbl == "[Not Set]":
 		output.print_warning("Could not connect to dbl.spamhaus.org. We could not determine whether the domain {} is blacklisted. Please try again later.".format(domain))
 	else:
 		output.print_error("""This domain is listed in the Spamhaus Domain Block List (code %s),
 			which may prevent recipients from receiving your mail.
@@ -776,16 +800,21 @@ def query_dns(qname, rtype, nxdomain='[Not Set]', at=None, as_list=False):
 	# running bind server), or if the 'at' argument is specified, use that host
 	# as the nameserver.
 	resolver = dns.resolver.get_default_resolver()
-	if at:
+	
 	# Make sure at is not a string that cannot be used as a nameserver
 	if at and at not in {'[Not set]', '[timeout]'}:
 		resolver = dns.resolver.Resolver()
 		resolver.nameservers = [at]
 	# Set a timeout so that a non-responsive server doesn't hold us back.
 	resolver.timeout = 5
 	# The number of seconds to spend trying to get an answer to the question. If the
 	# lifetime expires a dns.exception.Timeout exception will be raised.
 	resolver.lifetime = 5
 	# Do the query.
 	try:
-		response = resolver.query(qname, rtype)
+		response = resolver.resolve(qname, rtype)
 	except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
 		# Host did not have an answer for this query; not sure what the
 		# difference is between the two exceptions.
@@ -935,7 +964,8 @@ def run_and_output_changes(env, pool):
 	# Load previously saved status checks.
 	cache_fn = "/var/cache/mailinabox/status_checks.json"
 	if os.path.exists(cache_fn):
-		prev = json.load(open(cache_fn))
+		with open(cache_fn, 'r') as f:
 			prev = json.load(f)
 		# Group the serial output into categories by the headings.
 		def group_by_heading(lines):
--- a/management/templates/external-dns.html
+++ b/management/templates/external-dns.html
@@ -38,7 +38,7 @@
 <p class="alert" role="alert">
 	<span class="glyphicon glyphicon-info-sign"></span>
 	You may encounter zone file errors when attempting to create a TXT record with a long string.
-	<a href="http://tools.ietf.org/html/rfc4408#section-3.1.3">RFC 4408</a> states a TXT record is allowed to contain multiple strings, and this technique can be used to construct records that would exceed the 255-byte maximum length.
+	<a href="https://tools.ietf.org/html/rfc4408#section-3.1.3">RFC 4408</a> states a TXT record is allowed to contain multiple strings, and this technique can be used to construct records that would exceed the 255-byte maximum length.
 	You may need to adopt this technique when adding DomainKeys. Use a tool like <code>named-checkzone</code> to validate your zone file.
 </p>
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -72,11 +72,6 @@
        html {
          filter: invert(100%) hue-rotate(180deg);
        }
        /* Set explicit background color (necessary for Firefox) */
        html {
          background-color: #111;
        }
        /* Override Boostrap theme here to give more contrast. The black turns to white by the filter. */
        .form-control {
--- a/management/templates/mfa.html
+++ b/management/templates/mfa.html
@@ -1,10 +1,34 @@
 <style>
    .twofactor #totp-setup,
    .twofactor #disable-2fa,
    .twofactor #output-2fa {
        display: none;
    }
    .twofactor.loaded .loading-indicator {
        display: none;
    }
    .twofactor.disabled #disable-2fa,
    .twofactor.enabled #totp-setup {
        display: none;
    }
    .twofactor.disabled #totp-setup,
    .twofactor.enabled #disable-2fa {
        display: block;
    }
    .twofactor #totp-setup-qr img {
        display: block;
        width: 256px;
        max-width: 100%;
        height: auto;
    }
    .twofactor #output-2fa.visible {
        display: block;
    }
 </style>
 <h2>Two-Factor Authentication</h2>
@@ -27,11 +51,10 @@ and ensure every administrator account for this control panel does the same.</st
 </div>
 <div class="twofactor">
-    <div id="mfa-devices">
+    <div class="loading-indicator">Loading...</div>
    </div>
-    <form id="totp-setup" style="display: none">
+    <form id="totp-setup">
-        <h3>Add a TOTP Device</h3>
+        <h3>Setup Instructions</h3>
        <div class="form-group">
            <p>1. Install <a href="https://freeotp.github.io/">FreeOTP</a> or <a href="https://www.pcworld.com/article/3225913/what-is-two-factor-authentication-and-which-2fa-apps-are-best.html">any
@@ -62,32 +85,24 @@ and ensure every administrator account for this control panel does the same.</st
        </div>
    </form>
-    <form id="webauthn-setup" style="display: none">
+    <form id="disable-2fa">
-        <h3>Add a WebAuthn Device</h3>
+        <div class="form-group">
-        <p>If you have a WebAuthn device such as a YubiKey, plug it in and click Add WebAuthn Device.</p>
+            <p>Two-factor authentication is active for your account<span id="mfa-device-label"></span>.</p>
-        <button type="submit" class="btn" onclick="return do_enable_webauthn()">Add WebAuthn Device</button>
+            <p>You will have to log into the admin panel again after disabling two-factor authentication.</p>
        </div>
        <div class="form-group">
            <button type="submit" class="btn btn-danger">Disable Two-Factor Authentication</button>
        </div>
    </form>
-    <div id="webauthn-setup" style="display: none">
+    <div id="output-2fa" class="panel panel-danger">
    </div>
    <div id="output-2fa" class="panel panel-danger hidden">
        <div class="panel-body"></div>
    </div>
    <div id="mfa-device-templates" style="display: none">
      <form class="totp" style="margin: 1em 0; border: 1px solid #AAA; padding: 10px;">
          <p>Two-factor authentication is active for your account<span class="mfa-device-label"></span>.</p>
          <div class="form-group">
              <button type="submit" class="btn btn-danger">Disable TOTP Device</button>
          </div>
          <p style="margin-bottom: 0">You will have to log into the admin panel again after disabling two-factor authentication.</p>
      </form>
    </div>
 </div>
 <script>
    var el = {
        disableForm: document.getElementById('disable-2fa'),
        output: document.getElementById('output-2fa'),
        totpSetupForm: document.getElementById('totp-setup'),
        totpSetupToken: document.getElementById('totp-setup-token'),
@@ -95,7 +110,6 @@ and ensure every administrator account for this control panel does the same.</st
        totpSetupLabel: document.getElementById('totp-setup-label'),
        totpQr: document.getElementById('totp-setup-qr'),
        totpSetupSubmit: document.querySelector('#totp-setup-submit'),
        webauthnSetupForm: document.getElementById('webauthn-setup'),
        wrapper: document.querySelector('.twofactor')
    }
@@ -116,8 +130,6 @@ and ensure every administrator account for this control panel does the same.</st
    }
    function render_totp_setup(provisioned_totp) {
        $(el.totpSetupForm).show();
        var img = document.createElement('img');
        img.src = "data:image/png;base64," + provisioned_totp.qr_code_base64;
@@ -135,50 +147,38 @@ and ensure every administrator account for this control panel does the same.</st
        el.wrapper.classList.add('disabled');
    }
    function arrayBufferToBase64(a) { return btoa(String.fromCharCode(...new Uint8Array(a))); }
    function base64ToArrayBuffer(b) { return Uint8Array.from(atob(b), c => c.charCodeAt(0)); }
    function render_webauthn_setup(provisioning) {
        $(el.webauthnSetupForm).show();
        provisioning.challenge = base64ToArrayBuffer(provisioning.challenge);
        provisioning.user.id = new TextEncoder().encode(provisioning.user.name);
        window.mailinabix_mfa_webauthn_provision = provisioning;
    }
    function render_disable(mfa) {
-        var panel = $('#mfa-device-templates .' + mfa.type).clone();
+        el.disableForm.addEventListener('submit', do_disable);
-        $('#mfa-devices').append(panel);
+        el.wrapper.classList.add('enabled');
        panel.attr('data-mfa-id', mfa.id);
        panel.on('submit', do_disable);
        if (mfa.label)
-          panel.find(".mfa-device-label").text(" on device '" + mfa.label + "'");
+          $("#mfa-device-label").text(" on device '" + mfa.label + "'");
    }
    function hide_error() {
        el.output.querySelector('.panel-body').innerHTML = '';
-        el.output.classList.add('hidden');
+        el.output.classList.remove('visible');
    }
    function render_error(msg) {
        el.output.querySelector('.panel-body').innerHTML = msg;
-        el.output.classList.remove('hidden');
+        el.output.classList.add('visible');
    }
    function reset_view() {
        el.wrapper.classList.remove('loaded', 'disabled', 'enabled');
-        $('#mfa-devices > *').remove();
+
        el.disableForm.removeEventListener('submit', do_disable);
        hide_error();
        $(el.totpSetupForm).hide();
        el.totpSetupForm.reset();
        el.totpSetupForm.removeEventListener('submit', do_enable_totp);
        el.totpSetupSecret.setAttribute('value', '');
        el.totpSetupToken.removeEventListener('input', update_setup_disabled);
        el.totpSetupSubmit.setAttribute('disabled', '');
        el.totpQr.innerHTML = '';
        $(el.webauthnSetupForm).hide();
    }
    function show_mfa() {
@@ -191,16 +191,16 @@ and ensure every administrator account for this control panel does the same.</st
            function(res) {
                el.wrapper.classList.add('loaded');
                var has_mfa = false;
                res.enabled_mfa.forEach(function(mfa) {
                    if (mfa.type == "totp") {
                        render_disable(mfa);
                        has_mfa = true;
                    }
                });
-                if (res.new_mfa.totp)
+                if (!has_mfa)
-                    render_totp_setup(res.new_mfa.totp);
+                  render_totp_setup(res.new_mfa.totp);
                if (res.new_mfa.webauthn && 'credentials' in navigator)
                    render_webauthn_setup(res.new_mfa.webauthn);
            }
        );
    }
@@ -212,7 +212,7 @@ and ensure every administrator account for this control panel does the same.</st
        api(
            '/mfa/disable',
            'POST',
-            { id: $(this).attr('data-mfa-id') },
+            { type: 'totp' },
            function() {
                do_logout();
            }
@@ -226,7 +226,7 @@ and ensure every administrator account for this control panel does the same.</st
        hide_error();
        api(
-            '/mfa/enable/totp',
+            '/mfa/totp/enable',
            'POST',
            {
                token: $(el.totpSetupToken).val(),
@@ -239,22 +239,4 @@ and ensure every administrator account for this control panel does the same.</st
        return false;
    }
    function do_enable_webauthn() {
        navigator.credentials.create({ publicKey: window.mailinabix_mfa_webauthn_provision })
        .then(function(creds) {
            api(
                '/mfa/enable/webauthn',
                'POST',
                {
                    attestationObject: arrayBufferToBase64(creds.response['attestationObject']),
                    clientDataJSON: arrayBufferToBase64(creds.response['clientDataJSON'])
                },
                function(res) { do_logout(); },
                function(res) { render_error(res); }
            );
        });
        return false;
    }
 </script>
--- a/management/templates/sync-guide.html
+++ b/management/templates/sync-guide.html
@@ -30,9 +30,9 @@
 			<table class="table">
 			<thead><tr><th>For...</th> <th>Use...</th></tr></thead>
-			<tr><td>Contacts and Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=at.bitfire.davdroid">DAVdroid</a> ($3.69; free <a href="https://f-droid.org/packages/at.bitfire.davdroid/">here</a>)</td></tr>
+			<tr><td>Contacts and Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=at.bitfire.davdroid">DAVx⁵</a> ($5.99; free <a href="https://f-droid.org/packages/at.bitfire.davdroid/">here</a>)</td></tr>
-			<tr><td>Only Contacts</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.carddav.sync">CardDAV-Sync free beta</a> (free)</td></tr>
+			<tr><td>Only Contacts</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.carddav.sync">CardDAV-Sync free</a> (free)</td></tr>
-			<tr><td>Only Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.caldav.lib">CalDAV-Sync</a> ($2.89)</td></tr>
+			<tr><td>Only Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.caldav.lib">CalDAV-Sync</a> ($2.99)</td></tr>
 			</table>
 			<p>Use the following settings:</p>
--- a/management/templates/system-backup.html
+++ b/management/templates/system-backup.html
@@ -5,7 +5,7 @@
 <h2>Backup Status</h2>
-<p>The box makes an incremental backup each night. By default the backup is stored on the machine itself, but you can also store in on S3-compatible services like Amazon Web Services (AWS).</p>
+<p>The box makes an incremental backup each night. By default the backup is stored on the machine itself, but you can also store it on S3-compatible services like Amazon Web Services (AWS).</p>
 <h3>Configuration</h3>
@@ -45,6 +45,10 @@
    <label for="backup-target-rsync-host" class="col-sm-2 control-label">Hostname</label>
    <div class="col-sm-8">
      <input type="text" placeholder="hostname.local" class="form-control" rows="1" id="backup-target-rsync-host">
      <div class="small" style="margin-top: 2px">
 	The hostname at your rsync provider, e.g. <tt>da2327.rsync.net</tt>.  Optionally includes a colon
 	and the provider's non-standard ssh port number, e.g. <tt>u215843.your-storagebox.de:23</tt>. 
      </div>
    </div>
  </div>
  <div class="form-group backup-target-rsync">
@@ -259,16 +263,16 @@ function show_custom_backup() {
        } else if (r.target == "off") {
          $("#backup-target-type").val("off");
        } else if (r.target.substring(0, 8) == "rsync://") {
-          $("#backup-target-type").val("rsync");
+          const spec = url_split(r.target);
-          var path = r.target.substring(8).split('//');
+          $("#backup-target-type").val(spec.scheme);
-          var host_parts = path.shift().split('@');
+	  $("#backup-target-rsync-user").val(spec.user);
-          $("#backup-target-rsync-user").val(host_parts[0]);
+	  $("#backup-target-rsync-host").val(spec.host);
-          $("#backup-target-rsync-host").val(host_parts[1]);
+	  $("#backup-target-rsync-path").val(spec.path);
          $("#backup-target-rsync-path").val('/'+path[0]);
        } else if (r.target.substring(0, 5) == "s3://") {
          $("#backup-target-type").val("s3");
          var hostpath = r.target.substring(5).split('/');
          var host = hostpath.shift();
          $("#backup-target-s3-host-select").val(host);
          $("#backup-target-s3-host").val(host);
          $("#backup-target-s3-path").val(hostpath.join('/'));
        } else if (r.target.substring(0, 5) == "b2://") {
@@ -343,4 +347,31 @@ function init_inputs(target_type) {
    set_host($('#backup-target-s3-host-select').val());
  }
 }
 // Return a two-element array of the substring preceding and the substring following
 // the first occurence of separator in string. Return [undefined, string] if the
 // separator does not appear in string.
 const split1_rest = (string, separator) => {
    const index = string.indexOf(separator);
    return (index >= 0) ? [string.substring(0, index), string.substring(index + separator.length)] : [undefined, string];
 };
 // Note: The manifest JS URL class does not work in some security-conscious
 // settings, e.g. Brave browser, so we roll our own that handles only what we need.
 //
 // Use greedy separator parsing to get parts of a MIAB backup target url.
 // Note: path will not include a leading forward slash '/'
 const url_split = url => {
    const [ scheme, scheme_rest ] = split1_rest(url, '://');
    const [ user, user_rest ] = split1_rest(scheme_rest, '@');
    const [ host, path ] = split1_rest(user_rest, '/');
    return {
 	scheme,
 	user,
 	host,
 	path,
    }
 };
 </script>
--- a/management/templates/system-status.html
+++ b/management/templates/system-status.html
@@ -10,13 +10,13 @@
  border-top: none;
  padding-top: 0;
 }
-#system-checks .status-error td {
+#system-checks .status-error td, .summary-error {
  color: #733;
 }
-#system-checks .status-warning td {
+#system-checks .status-warning td, .summary-warning {
  color: #770;
 }
-#system-checks .status-ok td {
+#system-checks .status-ok td, .summary-ok {
  color: #040;
 }
 #system-checks div.extra {
@@ -52,6 +52,9 @@
 	</div> <!-- /col -->
 	<div class="col-md-pull-3 col-md-8">
          <div id="system-checks-summary">
          </div>
 <table id="system-checks" class="table" style="max-width: 60em">
  <thead>
  </thead>
@@ -64,6 +67,9 @@
 <script>
 function show_system_status() {
  const summary = $('#system-checks-summary');
  summary.html("");
  $('#system-checks tbody').html("<tr><td colspan='2' class='text-muted'>Loading...</td></tr>")
  api(
@@ -93,6 +99,12 @@ function show_system_status() {
    { },
    function(r) {
      $('#system-checks tbody').html("");
      const ok_symbol = "✓";
      const error_symbol = "✖";
      const warning_symbol = "?";
      let count_by_status = { ok: 0, error: 0, warning: 0 };
      for (var i = 0; i < r.length; i++) {
        var n = $("<tr><td class='status'/><td class='message'><p style='margin: 0'/><div class='extra'/><a class='showhide' href='#'/></tr>");
        if (i == 0) n.addClass('first')
@@ -100,9 +112,12 @@ function show_system_status() {
                n.addClass(r[i].type)
        else
                n.addClass("status-" + r[i].type)
-        if (r[i].type == "ok") n.find('td.status').text("✓")
+
-        if (r[i].type == "error") n.find('td.status').text("✖")
+        if (r[i].type == "ok") n.find('td.status').text(ok_symbol);
-        if (r[i].type == "warning") n.find('td.status').text("?")
+        if (r[i].type == "error") n.find('td.status').text(error_symbol);
        if (r[i].type == "warning") n.find('td.status').text(warning_symbol);
        count_by_status[r[i].type]++;
        n.find('td.message p').text(r[i].text)
        $('#system-checks tbody').append(n);
@@ -122,8 +137,17 @@ function show_system_status() {
          n.find('> td.message > div').append(m);
        }
      }
    })
      // Summary counts
      summary.html("Summary: ");
      if (count_by_status['error'] + count_by_status['warning'] == 0) {
        summary.append($('<span class="summary-ok"/>').text(`All ${count_by_status['ok']} ${ok_symbol} OK`));
      } else {
        summary.append($('<span class="summary-ok"/>').text(`${count_by_status['ok']} ${ok_symbol} OK, `));
        summary.append($('<span class="summary-error"/>').text(`${count_by_status['error']} ${error_symbol} Error, `));
        summary.append($('<span class="summary-warning"/>').text(`${count_by_status['warning']} ${warning_symbol} Warning`));
      }
    })
 }
 var current_privacy_setting = null;
--- a/management/utils.py
+++ b/management/utils.py
@@ -14,7 +14,9 @@ def load_env_vars_from_file(fn):
    # Load settings from a KEY=VALUE file.
    import collections
    env = collections.OrderedDict()
-    for line in open(fn): env.setdefault(*line.strip().split("=", 1))
+    with open(fn, 'r')  as f:
        for line in f:
            env.setdefault(*line.strip().split("=", 1))
    return env
 def save_environment(env):
@@ -34,7 +36,8 @@ def load_settings(env):
    import rtyaml
    fn = os.path.join(env['STORAGE_ROOT'], 'settings.yaml')
    try:
-        config = rtyaml.load(open(fn, "r"))
+        with open(fn, "r") as f:
            config = rtyaml.load(f)
        if not isinstance(config, dict): raise ValueError() # caught below
        return config
    except:
@@ -175,14 +178,6 @@ def wait_for_service(port, public, env, timeout):
 				return False
 		time.sleep(min(timeout/4, 1))
 def fix_boto():
 	# Google Compute Engine instances install some Python-2-only boto plugins that
 	# conflict with boto running under Python 3. Disable boto's default configuration
 	# file prior to importing boto so that GCE's plugin is not loaded:
 	import os
 	os.environ["BOTO_CONFIG"] = "/etc/boto3.cfg"
 if __name__ == "__main__":
 	from web_update import get_web_domains
 	env = load_environment()
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -63,7 +63,8 @@ def get_web_domains_with_root_overrides(env):
 	root_overrides = { }
 	nginx_conf_custom_fn = os.path.join(env["STORAGE_ROOT"], "www/custom.yaml")
 	if os.path.exists(nginx_conf_custom_fn):
-		custom_settings = rtyaml.load(open(nginx_conf_custom_fn))
+		with open(nginx_conf_custom_fn, 'r') as f:
 			custom_settings = rtyaml.load(f)
 		for domain, settings in custom_settings.items():
 			for type, value in [('redirect', settings.get('redirects', {}).get('/')),
 				('proxy', settings.get('proxies', {}).get('/'))]:
@@ -75,13 +76,18 @@ def do_web_update(env):
 	# Pre-load what SSL certificates we will use for each domain.
 	ssl_certificates = get_ssl_certificates(env)
 	# Helper for reading config files and templates
 	def read_conf(conf_fn):
 		with open(os.path.join(os.path.dirname(__file__), "../conf", conf_fn), "r") as f:
 			return f.read()
 	# Build an nginx configuration file.
-	nginx_conf = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-top.conf")).read()
+	nginx_conf = read_conf("nginx-top.conf")
 	# Load the templates.
-	template0 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read()
+	template0 = read_conf("nginx.conf")
-	template1 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-alldomains.conf")).read()
+	template1 = read_conf("nginx-alldomains.conf")
-	template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read()
+	template2 = read_conf("nginx-primaryonly.conf")
 	template3 = "\trewrite ^(.*) https://$REDIRECT_DOMAIN$1 permanent;\n"
 	# Add the PRIMARY_HOST configuration first so it becomes nginx's default server.
@@ -141,11 +147,8 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 	def hashfile(filepath):
 		import hashlib
 		sha1 = hashlib.sha1()
-		f = open(filepath, 'rb')
+		with open(filepath, 'rb') as f:
 		try:
 			sha1.update(f.read())
 		finally:
 			f.close()
 		return sha1.hexdigest()
 	nginx_conf_extra += "\t# ssl files sha1: %s / %s\n" % (hashfile(tls_cert["private-key"]), hashfile(tls_cert["certificate"]))
@@ -153,7 +156,8 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 	hsts = "yes"
 	nginx_conf_custom_fn = os.path.join(env["STORAGE_ROOT"], "www/custom.yaml")
 	if os.path.exists(nginx_conf_custom_fn):
-		yaml = rtyaml.load(open(nginx_conf_custom_fn))
+		with open(nginx_conf_custom_fn, 'r') as f:
 			yaml = rtyaml.load(f)
 		if domain in yaml:
 			yaml = yaml[domain]
--- a/management/wsgi.py
+++ b/management/wsgi.py
@@ -0,0 +1,7 @@
 from daemon import app
 import auth, utils
 app.logger.addHandler(utils.create_syslog_handler())
 if __name__ == "__main__":
    app.run(port=10222)
--- a/security.md
+++ b/security.md
@@ -1,9 +1,14 @@
 Mail-in-a-Box Security Guide
 ============================
-Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components.
+Mail-in-a-Box turns a fresh Ubuntu 22.04 LTS 64-bit machine into a mail server appliance by installing and configuring various components.
-This page documents the security features of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box.
+This page documents the security posture of Mail-in-a-Box. The term “box” is used below to mean a configured Mail-in-a-Box.
 Reporting Security Vulnerabilities
 ----------------------------------
 Security vulnerabilities should be reported to the [project's maintainer](https://joshdata.me) via email.
 Threat Model
 ------------
@@ -49,9 +54,7 @@ Additionally:
 ### Password Storage
-The passwords for mail users are stored on disk using the [SHA512-CRYPT](http://man7.org/linux/man-pages/man3/crypt.3.html) hashing scheme. ([source](management/mailconfig.py))
+The passwords for mail users are stored on disk using the [SHA512-CRYPT](http://man7.org/linux/man-pages/man3/crypt.3.html) hashing scheme. ([source](management/mailconfig.py)) Password changes (as well as changes to control panel two-factor authentication settings) expire any control panel login sessions.
 When using the web-based administrative control panel, after logging in an API key is placed in the browser's local storage (rather than, say, the user's actual password). The API key is an HMAC based on the user's email address and current password, and it is keyed by a secret known only to the control panel service. By resetting an administrator's password, any HMACs previously generated for that user will expire.
 ### Console access
@@ -65,7 +68,7 @@ If DNSSEC is enabled at the box's domain name's registrar, the SSHFP record that
 `fail2ban` provides some protection from brute-force login attacks (repeated logins that guess account passwords) by blocking offending IP addresses at the network level.
-The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), Nextcloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel & munin (over HTTP).
+The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), Nextcloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel (over HTTP).
 Some other services running on the box may be missing fail2ban filters.
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -9,32 +9,37 @@
 if [ -z "$TAG" ]; then
 	# If a version to install isn't explicitly given as an environment
 	# variable, then install the latest version. But the latest version
-	# depends on the operating system. Existing Ubuntu 14.04 users need
+	# depends on the machine's version of Ubuntu. Existing users need to
-	# to be able to upgrade to the latest version supporting Ubuntu 14.04,
+	# be able to upgrade to the latest version available for that version
-	# in part because an upgrade is required before jumping to Ubuntu 18.04.
+	# of Ubuntu to satisfy the migration requirements.
 	# New users on Ubuntu 18.04 need to get the latest version number too.
 	#
 	# Also, the system status checks read this script for TAG = (without the
 	# space, but if we put it in a comment it would confuse the status checks!)
 	# to get the latest version, so the first such line must be the one that we
 	# want to display in status checks.
-	if [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' )" == "Ubuntu 18.04 LTS" ]; then
+	#
-		# This machine is running Ubuntu 18.04.
+	# Allow point-release versions of the major releases, e.g. 22.04.1 is OK.
-		TAG=v0.54
+	UBUNTU_VERSION=$( lsb_release -d | sed 's/.*:\s*//' | sed 's/\([0-9]*\.[0-9]*\)\.[0-9]/\1/' )
-
+	if [ "$UBUNTU_VERSION" == "Ubuntu 22.04 LTS" ]; then
-	elif [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' )" == "Ubuntu 14.04 LTS" ]; then
+		# This machine is running Ubuntu 22.04, which is supported by
-		# This machine is running Ubuntu 14.04.
+		# Mail-in-a-Box versions 60 and later.
-		echo "You are installing the last version of Mail-in-a-Box that will"
+		TAG=v61.1
-		echo "support Ubuntu 14.04. If this is a new installation of Mail-in-a-Box,"
+	elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then
-		echo "stop now and switch to a machine running Ubuntu 18.04. If you are"
+		# This machine is running Ubuntu 18.04, which is supported by
-		echo "upgrading an existing Mail-in-a-Box --- great. After upgrading this"
+		# Mail-in-a-Box versions 0.40 through 5x.
-		echo "box, please visit https://mailinabox.email for notes on how to upgrade"
+		echo "Support is ending for Ubuntu 18.04."
-		echo "to Ubuntu 18.04."
+		echo "Please immediately begin to migrate your data to"
-		echo ""
+		echo "a new machine running Ubuntu 22.04. See:"
 		echo "https://mailinabox.email/maintenance.html#upgrade"
 		TAG=v57a
 	elif [ "$UBUNTU_VERSION" == "Ubuntu 14.04 LTS" ]; then
 		# This machine is running Ubuntu 14.04, which is supported by
 		# Mail-in-a-Box versions 1 through v0.30.
 		echo "Ubuntu 14.04 is no longer supported."
 		echo "The last version of Mail-in-a-Box supporting Ubuntu 14.04 will be installed."
 		TAG=v0.30
 	else
-		echo "This script must be run on a system running Ubuntu 18.04 or Ubuntu 14.04."
+		echo "This script may be used only on a machine running Ubuntu 14.04, 18.04, or 22.04."
 		exit 1
 	fi
 fi
--- a/setup/dns.sh
+++ b/setup/dns.sh
@@ -10,17 +10,13 @@
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
 # Install the packages.
 #
 # * nsd: The non-recursive nameserver that publishes our DNS records.
 # * ldnsutils: Helper utilities for signing DNSSEC zones.
 # * openssh-client: Provides ssh-keyscan which we use to create SSHFP records.
 echo "Installing nsd (DNS server)..."
 apt_install nsd ldnsutils openssh-client
 # Prepare nsd's configuration.
-
+# We configure nsd before installation as we only want it to bind to some addresses
 # and it otherwise will have port / bind conflicts with bind9 used as the local resolver
 mkdir -p /var/run/nsd
 mkdir -p /etc/nsd
 mkdir -p /etc/nsd/zones
 touch /etc/nsd/zones.conf
 cat > /etc/nsd/nsd.conf << EOF;
 # Do not edit. Overwritten by Mail-in-a-Box setup.
@@ -42,18 +38,6 @@ server:
 EOF
 # Add log rotation
 cat > /etc/logrotate.d/nsd <<EOF;
 /var/log/nsd.log {
  weekly
  missingok
  rotate 12
  compress
  delaycompress
  notifempty
 }
 EOF
 # Since we have bind9 listening on localhost for locally-generated
 # DNS queries that require a recursive nameserver, and the system
 # might have other network interfaces for e.g. tunnelling, we have
@@ -70,6 +54,26 @@ echo "include: /etc/nsd/nsd.conf.d/*.conf" >> /etc/nsd/nsd.conf;
 # now be stored in /etc/nsd/nsd.conf.d.
 rm -f /etc/nsd/zones.conf
 # Add log rotation
 cat > /etc/logrotate.d/nsd <<EOF;
 /var/log/nsd.log {
  weekly
  missingok
  rotate 12
  compress
  delaycompress
  notifempty
 }
 EOF
 # Install the packages.
 #
 # * nsd: The non-recursive nameserver that publishes our DNS records.
 # * ldnsutils: Helper utilities for signing DNSSEC zones.
 # * openssh-client: Provides ssh-keyscan which we use to create SSHFP records.
 echo "Installing nsd (DNS server)..."
 apt_install nsd ldnsutils openssh-client
 # Create DNSSEC signing keys.
 mkdir -p "$STORAGE_ROOT/dns/dnssec";
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -4,6 +4,8 @@
 # -o pipefail: don't ignore errors in the non-last command in a pipeline
 set -euo pipefail
 PHP_VER=8.0
 function hide_output {
 	# This function hides the output of a command unless the command fails
 	# and returns a non-zero exit code.
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -84,10 +84,11 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 	ssl=required \
 	"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 	"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
-	"ssl_protocols=TLSv1.2" \
+	"ssl_min_protocol=TLSv1.2" \
 	"ssl_cipher_list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
 	"ssl_prefer_server_ciphers=no" \
-	"ssl_dh_parameters_length=2048"
+	"ssl_dh_parameters_length=2048" \
 	"ssl_dh=<$STORAGE_ROOT/ssl/dh2048.pem"
 # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit
 # login credentials outside of an encrypted connection. Only the over-TLS versions
@@ -201,13 +202,13 @@ chmod -R o-rwx /etc/dovecot
 # Ensure mailbox files have a directory that exists and are owned by the mail user.
 mkdir -p $STORAGE_ROOT/mail/mailboxes
-chown -R mail.mail $STORAGE_ROOT/mail/mailboxes
+chown -R mail:mail $STORAGE_ROOT/mail/mailboxes
 # Same for the sieve scripts.
 mkdir -p $STORAGE_ROOT/mail/sieve
 mkdir -p $STORAGE_ROOT/mail/sieve/global_before
 mkdir -p $STORAGE_ROOT/mail/sieve/global_after
-chown -R mail.mail $STORAGE_ROOT/mail/sieve
+chown -R mail:mail $STORAGE_ROOT/mail/sieve
 # Allow the IMAP/POP ports in the firewall.
 ufw_allow imaps
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -13,8 +13,8 @@
 # destinations according to aliases, and passses email on to
 # another service for local mail delivery.
 #
-# The first hop in local mail delivery is to Spamassassin via
+# The first hop in local mail delivery is to spampd via
-# LMTP. Spamassassin then passes mail over to Dovecot for
+# LMTP. spampd then passes mail over to Dovecot for
 # storage in the user's mailbox.
 #
 # Postfix also listens on ports 465/587 (SMTPS, SMTP+STARTLS) for
@@ -193,16 +193,17 @@ tools/editconf.py /etc/postfix/main.cf \
 # ### Incoming Mail
-# Pass any incoming mail over to a local delivery agent. Spamassassin
+# Pass mail to spampd, which acts as the local delivery agent (LDA),
-# will act as the LDA agent at first. It is listening on port 10025
+# which then passes the mail over to the Dovecot LMTP server after.
-# with LMTP. Spamassassin will pass the mail over to Dovecot after.
+# spampd runs on port 10025 by default.
 #
 # In a basic setup we would pass mail directly to Dovecot by setting
 # virtual_transport to `lmtp:unix:private/dovecot-lmtp`.
 tools/editconf.py /etc/postfix/main.cf "virtual_transport=lmtp:[127.0.0.1]:10025"
-# Because of a spampd bug, limit the number of recipients in each connection.
+# Clear the lmtp_destination_recipient_limit setting which in previous
 # versions of Mail-in-a-Box was set to 1 because of a spampd bug.
 # See https://github.com/mail-in-a-box/mailinabox/issues/1523.
-tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
+tools/editconf.py /etc/postfix/main.cf  -e lmtp_destination_recipient_limit=
 # Who can send mail to us? Some basic filters.
@@ -232,11 +233,32 @@ tools/editconf.py /etc/postfix/main.cf \
 # As a matter of fact RFC is not strict about retry timer so postfix and
 # other MTA have their own intervals. To fix the problem of receiving
 # e-mails really latter, delay of greylisting has been set to
-# 180 seconds (default is 300 seconds).
+# 180 seconds (default is 300 seconds). We will move the postgrey database
 # under $STORAGE_ROOT. This prevents a "warming up" that would have occured
 # previously with a migrated or reinstalled OS.  We will specify this new path
 # with the --dbdir=... option. Arguments within POSTGREY_OPTS can not have spaces,
 # including dbdir. This is due to the way the init script sources the
 # /etc/default/postgrey file. --dbdir=... either needs to be a path without spaces
 # (luckily $STORAGE_ROOT does not currently work with spaces), or it needs to be a
 # symlink without spaces that can point to a folder with spaces).  We'll just assume
 # $STORAGE_ROOT won't have spaces to simplify things.
 tools/editconf.py /etc/default/postgrey \
-	POSTGREY_OPTS=\"'--inet=127.0.0.1:10023 --delay=180'\"
+	POSTGREY_OPTS=\""--inet=127.0.0.1:10023 --delay=180 --dbdir=$STORAGE_ROOT/mail/postgrey/db"\"
 # If the $STORAGE_ROOT/mail/postgrey is empty, copy the postgrey database over from the old location
 if [ ! -d $STORAGE_ROOT/mail/postgrey/db ]; then
 	# Stop the service
 	service postgrey stop
 	# Ensure the new paths for postgrey db exists
 	mkdir -p $STORAGE_ROOT/mail/postgrey/db
 	# Move over database files
 	mv /var/lib/postgrey/* $STORAGE_ROOT/mail/postgrey/db/ || true
 fi
 # Ensure permissions are set
 chown -R postgrey:postgrey $STORAGE_ROOT/mail/postgrey/
 chmod 700 $STORAGE_ROOT/mail/postgrey/{,db}
 # We are going to setup a newer whitelist for postgrey, the version included in the distribution is old
 cat > /etc/cron.daily/mailinabox-postgrey-whitelist << EOF;
 #!/bin/bash
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -1,23 +1,12 @@
 #!/bin/bash
 source setup/functions.sh
 source /etc/mailinabox.conf # load global vars
 echo "Installing Mail-in-a-Box system management daemon..."
 # DEPENDENCIES
 # We used to install management daemon-related Python packages
 # directly to /usr/local/lib. We moved to a virtualenv because
 # these packages might conflict with apt-installed packages.
 # We may have a lingering version of acme that conflcits with
 # certbot, which we're about to install below, so remove it
 # first. Once acme is installed by an apt package, this might
 # break the package version and `apt-get install --reinstall python3-acme`
 # might be needed in that case.
 while [ -d /usr/local/lib/python3.4/dist-packages/acme ]; do
 	pip3 uninstall -y acme;
 done
 # duplicity is used to make backups of user data.
 #
 # virtualenv is used to isolate the Python 3 packages we
@@ -25,12 +14,12 @@ done
 #
 # certbot installs EFF's certbot which we use to
 # provision free TLS certificates.
-apt_install duplicity python-pip virtualenv certbot
+apt_install duplicity python3-pip virtualenv certbot rsync
 # b2sdk is used for backblaze backups.
-# boto is used for amazon aws backups.
+# boto3 is used for amazon aws backups.
 # Both are installed outside the pipenv, so they can be used by duplicity
-hide_output pip3 install --upgrade b2sdk boto
+hide_output pip3 install --upgrade b2sdk boto3
 # Create a virtualenv for the installation of Python 3 packages
 # used by the management daemon.
@@ -49,9 +38,10 @@ hide_output $venv/bin/pip install --upgrade pip
 # NOTE: email_validator is repeated in setup/questions.sh, so please keep the versions synced.
 hide_output $venv/bin/pip install --upgrade \
 	rtyaml "email_validator>=1.0.0" "exclusiveprocess" \
-	flask dnspython python-dateutil expiringdict \
+	flask dnspython python-dateutil expiringdict gunicorn \
-	qrcode[pil] pyotp pywarp \
+	qrcode[pil] pyotp \
-	"idna>=2.0.0" "cryptography==2.2.2" boto psutil postfix-mta-sts-resolver b2sdk
+	"idna>=2.0.0" "cryptography==37.0.2" psutil postfix-mta-sts-resolver \
 	b2sdk boto3
 # CONFIGURATION
@@ -88,6 +78,9 @@ rm -f /tmp/bootstrap.zip
 # Create an init script to start the management daemon and keep it
 # running after a reboot.
 # Set a long timeout since some commands take a while to run, matching
 # the timeout we set for PHP (fastcgi_read_timeout in the nginx confs).
 # Note: Authentication currently breaks with more than 1 gunicorn worker.
 cat > $inst_dir/start <<EOF;
 #!/bin/bash
 # Set character encoding flags to ensure that any non-ASCII don't cause problems.
@@ -96,8 +89,13 @@ export LC_ALL=en_US.UTF-8
 export LANG=en_US.UTF-8
 export LC_TYPE=en_US.UTF-8
 mkdir -p /var/lib/mailinabox
 tr -cd '[:xdigit:]' < /dev/urandom | head -c 32 > /var/lib/mailinabox/api.key
 chmod 640 /var/lib/mailinabox/api.key
 source $venv/bin/activate
-exec python $(pwd)/management/daemon.py
+export PYTHONPATH=$(pwd)/management
 exec gunicorn -b localhost:10222 -w 1 --timeout 630 wsgi:app
 EOF
 chmod +x $inst_dir/start
 cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
--- a/setup/munin.sh
+++ b/setup/munin.sh
@@ -34,8 +34,8 @@ contact.admin.always_send warning critical
 EOF
 # The Debian installer touches these files and chowns them to www-data:adm for use with spawn-fcgi
-chown munin. /var/log/munin/munin-cgi-html.log
+chown munin /var/log/munin/munin-cgi-html.log
-chown munin. /var/log/munin/munin-cgi-graph.log
+chown munin /var/log/munin/munin-cgi-graph.log
 # ensure munin-node knows the name of this machine
 # and reduce logging level to warning
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -9,12 +9,50 @@ source /etc/mailinabox.conf # load global vars
 echo "Installing Nextcloud (contacts/calendar)..."
 # Nextcloud core and app (plugin) versions to install.
 # With each version we store a hash to ensure we install what we expect.
 # Nextcloud core
 # --------------
 # * See https://nextcloud.com/changelog for the latest version.
 # * Check https://docs.nextcloud.com/server/latest/admin_manual/installation/system_requirements.html
 #   for whether it supports the version of PHP available on this machine.
 # * Since Nextcloud only supports upgrades from consecutive major versions,
 #   we automatically install intermediate versions as needed.
 # * The hash is the SHA1 hash of the ZIP package, which you can find by just running this script and
 #   copying it from the error message when it doesn't match what is below.
 nextcloud_ver=23.0.10
 nextcloud_hash=8831c7862e39460fbb789bacac8729fab0ba02dd
 # Nextcloud apps
 # --------------
 # * Find the most recent tag that is compatible with the Nextcloud version above by
 #   consulting the <dependencies>...<nextcloud> node at:
 #   https://github.com/nextcloud-releases/contacts/blob/main/appinfo/info.xml
 #   https://github.com/nextcloud-releases/calendar/blob/main/appinfo/info.xml
 #   https://github.com/nextcloud/user_external/blob/master/appinfo/info.xml
 # * The hash is the SHA1 hash of the ZIP package, which you can find by just running this script and
 #   copying it from the error message when it doesn't match what is below.
 contacts_ver=4.2.2
 contacts_hash=ca13d608ed8955aa374cb4f31b6026b57ef88887
 calendar_ver=3.5.1
 calendar_hash=c8136a3deb872a3ef73ce1155b58f3ab27ec7110
 user_external_ver=3.0.0
 user_external_hash=0df781b261f55bbde73d8c92da3f99397000972f
 # Clear prior packages and install dependencies from apt.
 apt-get purge -qq -y owncloud* # we used to use the package manager
-apt_install php php-fpm \
+apt_install curl php${PHP_VER} php${PHP_VER}-fpm \
-	php-cli php-sqlite3 php-gd php-imap php-curl php-pear curl \
+	php${PHP_VER}-cli php${PHP_VER}-sqlite3 php${PHP_VER}-gd php${PHP_VER}-imap php${PHP_VER}-curl \
-	php-dev php-gd php-xml php-mbstring php-zip php-apcu php-json \
+	php${PHP_VER}-dev php${PHP_VER}-gd php${PHP_VER}-xml php${PHP_VER}-mbstring php${PHP_VER}-zip php${PHP_VER}-apcu \
-	php-intl php-imagick php-gmp php-bcmath
+	php${PHP_VER}-intl php${PHP_VER}-imagick php${PHP_VER}-gmp php${PHP_VER}-bcmath
 # Enable APC before Nextcloud tools are run.
 tools/editconf.py /etc/php/$PHP_VER/mods-available/apcu.ini -c ';' \
 	apc.enabled=1 \
 	apc.enable_cli=1
 InstallNextcloud() {
@@ -46,18 +84,18 @@ InstallNextcloud() {
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps
-	wget_verify https://github.com/nextcloud/contacts/releases/download/v$version_contacts/contacts.tar.gz $hash_contacts /tmp/contacts.tgz
+	wget_verify https://github.com/nextcloud-releases/contacts/archive/refs/tags/v$version_contacts.tar.gz $hash_contacts /tmp/contacts.tgz
 	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz
-	wget_verify https://github.com/nextcloud/calendar/releases/download/v$version_calendar/calendar.tar.gz $hash_calendar /tmp/calendar.tgz
+	wget_verify https://github.com/nextcloud-releases/calendar/archive/refs/tags/v$version_calendar.tar.gz $hash_calendar /tmp/calendar.tgz
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz
 	# Starting with Nextcloud 15, the app user_external is no longer included in Nextcloud core,
 	# we will install from their github repository.
 	if [ -n "$version_user_external" ]; then
-		wget_verify https://github.com/nextcloud/user_external/releases/download/v$version_user_external/user_external-$version_user_external.tar.gz $hash_user_external /tmp/user_external.tgz
+		wget_verify https://github.com/nextcloud-releases/user_external/releases/download/v$version_user_external/user_external-v$version_user_external.tar.gz $hash_user_external /tmp/user_external.tgz
 		tar -xf /tmp/user_external.tgz -C /usr/local/lib/owncloud/apps/
 		rm /tmp/user_external.tgz
 	fi
@@ -72,40 +110,30 @@ InstallNextcloud() {
 	# Make sure permissions are correct or the upgrade step won't run.
 	# $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress
 	# that error.
-	chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud || /bin/true
+	chown -f -R www-data:www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud || /bin/true
 	# If this isn't a new installation, immediately run the upgrade script.
 	# Then check for success (0=ok and 3=no upgrade needed, both are success).
 	if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then
 		# ownCloud 8.1.1 broke upgrades. It may fail on the first attempt, but
 		# that can be OK.
-		sudo -u www-data php /usr/local/lib/owncloud/occ upgrade
+		sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ upgrade
 		if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then
 			echo "Trying ownCloud upgrade again to work around ownCloud upgrade bug..."
-			sudo -u www-data php /usr/local/lib/owncloud/occ upgrade
+			sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ upgrade
 			if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
-			sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off
+			sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ maintenance:mode --off
 			echo "...which seemed to work."
 		fi
 		# Add missing indices. NextCloud didn't include this in the normal upgrade because it might take some time.
-		sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-indices
+		sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ db:add-missing-indices
 		# Run conversion to BigInt identifiers, this process may take some time on large tables.
-		sudo -u www-data php /usr/local/lib/owncloud/occ db:convert-filecache-bigint --no-interaction
+		sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ db:convert-filecache-bigint --no-interaction
 	fi
 }
 # Nextcloud Version to install. Checks are done down below to step through intermediate versions.
 nextcloud_ver=20.0.8
 nextcloud_hash=372b0b4bb07c7984c04917aff86b280e68fbe761
 contacts_ver=3.5.1
 contacts_hash=d2ffbccd3ed89fa41da20a1dff149504c3b33b93
 calendar_ver=2.2.0
 calendar_hash=673ad72ca28adb8d0f209015ff2dca52ffad99af
 user_external_ver=1.0.0
 user_external_hash=3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
 # Current Nextcloud Version, #1623
 # Checking /usr/local/lib/owncloud/version.php shows version of the Nextcloud application, not the DB
 # $STORAGE_ROOT/owncloud is kept together even during a backup.  It is better to rely on config.php than
@@ -114,7 +142,7 @@ user_external_hash=3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
 # If config.php exists, get version number, otherwise CURRENT_NEXTCLOUD_VER is empty.
 if [ -f "$STORAGE_ROOT/owncloud/config.php" ]; then
-	CURRENT_NEXTCLOUD_VER=$(php -r "include(\"$STORAGE_ROOT/owncloud/config.php\"); echo(\$CONFIG['version']);")
+	CURRENT_NEXTCLOUD_VER=$(php$PHP_VER -r "include(\"$STORAGE_ROOT/owncloud/config.php\"); echo(\$CONFIG['version']);")
 else
 	CURRENT_NEXTCLOUD_VER=""
 fi
@@ -123,8 +151,8 @@ fi
 # from the version currently installed, do the install/upgrade
 if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextcloud_ver ]]; then
-	# Stop php-fpm if running. If theyre not running (which happens on a previously failed install), dont bail.
+	# Stop php-fpm if running. If they are not running (which happens on a previously failed install), dont bail.
-	service php7.2-fpm stop &> /dev/null || /bin/true
+	service php$PHP_VER-fpm stop &> /dev/null || /bin/true
 	# Backup the existing ownCloud/Nextcloud.
 	# Create a backup directory to store the current installation and database to
@@ -151,41 +179,21 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc
 		elif [[ ${CURRENT_NEXTCLOUD_VER} =~ ^1[012] ]]; then
 			echo "Upgrades from Mail-in-a-Box prior to v0.28 (dated July 30, 2018) with Nextcloud < 13.0.6 (you have ownCloud 10, 11 or 12) are not supported. Upgrade to Mail-in-a-Box version v0.30 first. Setup will continue, but skip the Nextcloud migration."
 			return 0
-		elif [[ ${CURRENT_NEXTCLOUD_VER} =~ ^13 ]]; then
+		elif [[ ${CURRENT_NEXTCLOUD_VER} =~ ^1[3456789] ]]; then
-			# If we are running Nextcloud 13, upgrade to Nextcloud 14
+			echo "Upgrades from Mail-in-a-Box prior to v60 with Nextcloud 19 or earlier are not supported. Upgrade to the latest Mail-in-a-Box version supported on your machine first. Setup will continue, but skip the Nextcloud migration."
-			InstallNextcloud 14.0.6 4e43a57340f04c2da306c8eea98e30040399ae5a 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466
+			return 0
 			CURRENT_NEXTCLOUD_VER="14.0.6"
 		fi
-		if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^14 ]]; then
+		if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^20 ]]; then
-			# During the upgrade from Nextcloud 14 to 15, user_external may cause the upgrade to fail.
+			InstallNextcloud 21.0.7 f5c7079c5b56ce1e301c6a27c0d975d608bb01c9 4.0.7 45e7cf4bfe99cd8d03625cf9e5a1bb2e90549136 3.0.4 d0284b68135777ec9ca713c307216165b294d0fe
-			# We will disable it here before the upgrade and install it again after the upgrade.
+			CURRENT_NEXTCLOUD_VER="21.0.7"
-			hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:disable user_external
+		fi
-			InstallNextcloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
+		if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^21 ]]; then
-			CURRENT_NEXTCLOUD_VER="15.0.8"
+			InstallNextcloud 22.2.6 9d39741f051a8da42ff7df46ceef2653a1dc70d9 4.1.0 697f6b4a664e928d72414ea2731cb2c9d1dc3077 3.2.2 ce4030ab57f523f33d5396c6a81396d440756f5f 3.0.0 0df781b261f55bbde73d8c92da3f99397000972f
 			CURRENT_NEXTCLOUD_VER="22.2.6"
 		fi
 		if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^15 ]]; then
                        InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
                        CURRENT_NEXTCLOUD_VER="16.0.6"
        	fi
 	        if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then
                        InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
                        CURRENT_NEXTCLOUD_VER="17.0.6"
 	        fi
 	        if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then
 			echo "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;" | sqlite3 $STORAGE_ROOT/owncloud/owncloud.db
                        InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
                        CURRENT_NEXTCLOUD_VER="18.0.10"
 	        fi
 	        if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^18 ]]; then
                        InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
                        CURRENT_NEXTCLOUD_VER="19.0.4"
 	        fi
 	fi
 	InstallNextcloud $nextcloud_ver $nextcloud_hash $contacts_ver $contacts_hash $calendar_ver $calendar_hash $user_external_ver $user_external_hash
 	# Nextcloud 20 needs to have some optional columns added
 	sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-columns
 fi
 # ### Configuring Nextcloud
@@ -211,10 +219,10 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
  'overwrite.cli.url' => '/cloud',
  'user_backends' => array(
    array(
-      'class' => 'OC_User_IMAP',
+      'class' => '\OCA\UserExternal\IMAP',
-        'arguments' => array(
+      'arguments' => array(
-          '127.0.0.1', 143, null
+        '127.0.0.1', 143, null, null, false, false
-         ),
+       ),
    ),
  ),
  'memcache.local' => '\OC\Memcache\APCu',
@@ -251,12 +259,12 @@ EOF
 EOF
 	# Set permissions
-	chown -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
+	chown -R www-data:www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
 	# Execute Nextcloud's setup step, which creates the Nextcloud sqlite database.
 	# It also wipes it if it exists. And it updates config.php with database
 	# settings and deletes the autoconfig.php file.
-	(cd /usr/local/lib/owncloud; sudo -u www-data php /usr/local/lib/owncloud/index.php;)
+	(cd /usr/local/lib/owncloud; sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/index.php;)
 fi
 # Update config.php.
@@ -272,10 +280,12 @@ fi
 # Use PHP to read the settings file, modify it, and write out the new settings array.
 TIMEZONE=$(cat /etc/timezone)
 CONFIG_TEMP=$(/bin/mktemp)
-php <<EOF > $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php;
+php$PHP_VER <<EOF > $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php;
 <?php
 include("$STORAGE_ROOT/owncloud/config.php");
 \$CONFIG['config_is_read_only'] = true;
 \$CONFIG['trusted_domains'] = array('$PRIMARY_HOSTNAME');
 \$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
@@ -287,38 +297,45 @@ include("$STORAGE_ROOT/owncloud/config.php");
 \$CONFIG['mail_domain'] = '$PRIMARY_HOSTNAME';
-\$CONFIG['user_backends'] = array(array('class' => 'OC_User_IMAP','arguments' => array('127.0.0.1', 143, null),),);
+\$CONFIG['user_backends'] = array(
  array(
    'class' => '\OCA\UserExternal\IMAP',
    'arguments' => array(
      '127.0.0.1', 143, null, null, false, false
    ),
  ),
 );
 echo "<?php\n\\\$CONFIG = ";
 var_export(\$CONFIG);
 echo ";";
 ?>
 EOF
-chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
+chown www-data:www-data $STORAGE_ROOT/owncloud/config.php
 # Enable/disable apps. Note that this must be done after the Nextcloud setup.
 # The firstrunwizard gave Josh all sorts of problems, so disabling that.
 # user_external is what allows Nextcloud to use IMAP for login. The contacts
 # and calendar apps are the extensions we really care about here.
-hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:disable firstrunwizard
+hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:disable firstrunwizard
-hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:enable user_external
+hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:enable user_external
-hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:enable contacts
+hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:enable contacts
-hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:enable calendar
+hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:enable calendar
 # When upgrading, run the upgrade script again now that apps are enabled. It seems like
 # the first upgrade at the top won't work because apps may be disabled during upgrade?
 # Check for success (0=ok, 3=no upgrade needed).
-sudo -u www-data php /usr/local/lib/owncloud/occ upgrade
+sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ upgrade
 if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
 # Disable default apps that we don't support
 sudo -u www-data \
-	php /usr/local/lib/owncloud/occ app:disable photos dashboard activity \
+	php$PHP_VER /usr/local/lib/owncloud/occ app:disable photos dashboard activity \
 	| (grep -v "No such app enabled" || /bin/true)
 # Set PHP FPM values to support large file uploads
 # (semicolon is the comment character in this file, hashes produce deprecation warnings)
-tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \
 	upload_max_filesize=16G \
 	post_max_size=16G \
 	output_buffering=16384 \
@@ -327,7 +344,7 @@ tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
 	short_open_tag=On
 # Set Nextcloud recommended opcache settings
-tools/editconf.py /etc/php/7.2/cli/conf.d/10-opcache.ini -c ';' \
+tools/editconf.py /etc/php/$PHP_VER/cli/conf.d/10-opcache.ini -c ';' \
 	opcache.enable=1 \
 	opcache.enable_cli=1 \
 	opcache.interned_strings_buffer=8 \
@@ -336,23 +353,20 @@ tools/editconf.py /etc/php/7.2/cli/conf.d/10-opcache.ini -c ';' \
 	opcache.save_comments=1 \
 	opcache.revalidate_freq=1
-# If apc is explicitly disabled we need to enable it
+# Migrate users_external data from <0.6.0 to version 3.0.0 (see https://github.com/nextcloud/user_external).
-if grep -q apc.enabled=0 /etc/php/7.2/mods-available/apcu.ini; then
+# This version was probably in use in Mail-in-a-Box v0.41 (February 26, 2019) and earlier.
-	tools/editconf.py /etc/php/7.2/mods-available/apcu.ini -c ';' \
+# We moved to v0.6.3 in 193763f8. Ignore errors - maybe there are duplicated users with the
-		apc.enabled=1
+# correct backend already.
-fi
+sqlite3 $STORAGE_ROOT/owncloud/owncloud.db "UPDATE oc_users_external SET backend='127.0.0.1';" || /bin/true
 # Set up a cron job for Nextcloud.
 cat > /etc/cron.d/mailinabox-nextcloud << EOF;
 #!/bin/bash
 # Mail-in-a-Box
-*/5 * * * *	root	sudo -u www-data php -f /usr/local/lib/owncloud/cron.php
+*/5 * * * *	root	sudo -u www-data php$PHP_VER -f /usr/local/lib/owncloud/cron.php
 EOF
 chmod +x /etc/cron.d/mailinabox-nextcloud
 # Remove previous hourly cronjob
 rm -f /etc/cron.hourly/mailinabox-owncloud
 # There's nothing much of interest that a user could do as an admin for Nextcloud,
 # and there's a lot they could mess up, so we don't make any users admins of Nextcloud.
 # But if we wanted to, we would do this:
@@ -363,4 +377,4 @@ rm -f /etc/cron.hourly/mailinabox-owncloud
 # ```
 # Enable PHP modules and restart PHP.
-restart_service php7.2-fpm
+restart_service php$PHP_VER-fpm
--- a/setup/preflight.sh
+++ b/setup/preflight.sh
@@ -7,11 +7,11 @@ if [[ $EUID -ne 0 ]]; then
 	exit 1
 fi
-# Check that we are running on Ubuntu 18.04 LTS (or 18.04.xx).
+# Check that we are running on Ubuntu 20.04 LTS (or 20.04.xx).
-if [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' )" != "Ubuntu 18.04 LTS" ]; then
+if [ "$( lsb_release --id --short )" != "Ubuntu" ] || [ "$( lsb_release --release --short )" != "22.04" ]; then
-	echo "Mail-in-a-Box only supports being installed on Ubuntu 18.04, sorry. You are running:"
+	echo "Mail-in-a-Box only supports being installed on Ubuntu 22.04, sorry. You are running:"
 	echo
-	lsb_release -d | sed 's/.*:\s*//'
+	lsb_release --description --short
 	echo
 	echo "We can't write scripts that run on every possible setup, sorry."
 	exit 1
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -67,6 +67,10 @@ fi
 fi
 # Create the STORAGE_USER and STORAGE_ROOT directory if they don't already exist.
 #
 # Set the directory and all of its parent directories' permissions to world
 # readable since it holds files owned by different processes.
 #
 # If the STORAGE_ROOT is missing the mailinabox.version file that lists a
 # migration (schema) number for the files stored there, assume this is a fresh
 # installation to that directory and write the file to contain the current
@@ -77,9 +81,11 @@ fi
 if [ ! -d $STORAGE_ROOT ]; then
 	mkdir -p $STORAGE_ROOT
 fi
 f=$STORAGE_ROOT
 while [[ $f != / ]]; do chmod a+rx "$f"; f=$(dirname "$f"); done;
 if [ ! -f $STORAGE_ROOT/mailinabox.version ]; then
 	setup/migrate.py --current > $STORAGE_ROOT/mailinabox.version
-	chown $STORAGE_USER.$STORAGE_USER $STORAGE_ROOT/mailinabox.version
+	chown $STORAGE_USER:$STORAGE_USER $STORAGE_ROOT/mailinabox.version
 fi
 # Save the global options in /etc/mailinabox.conf so that standalone
@@ -161,7 +167,7 @@ if management/status_checks.py --check-primary-hostname; then
 	echo "If you have a DNS problem put the box's IP address in the URL"
 	echo "(https://$PUBLIC_IP/admin) but then check the TLS fingerprint:"
 	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\
-        	| sed "s/SHA256 Fingerprint=//"
+        	| sed "s/SHA256 Fingerprint=//i"
 else
 	echo https://$PUBLIC_IP/admin
 	echo
@@ -169,7 +175,7 @@ else
 	echo the certificate fingerprint matches:
 	echo
 	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\
-        	| sed "s/SHA256 Fingerprint=//"
+        	| sed "s/SHA256 Fingerprint=//i"
 	echo
 	echo Then you can confirm the security exception and continue.
 	echo
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -75,6 +75,13 @@ then
 	fi
 fi
 # ### Set log retention policy.
 # Set the systemd journal log retention from infinite to 10 days,
 # since over time the logs take up a large amount of space.
 # (See https://discourse.mailinabox.email/t/journalctl-reclaim-space-on-small-mailinabox/6728/11.)
 tools/editconf.py /etc/systemd/journald.conf MaxRetentionSec=10day
 # ### Add PPAs.
 # We install some non-standard Ubuntu packages maintained by other
@@ -90,12 +97,13 @@ fi
 # come from there and minimal Ubuntu installs may have it turned off.
 hide_output add-apt-repository -y universe
 # Install the certbot PPA.
 hide_output add-apt-repository -y ppa:certbot/certbot
 # Install the duplicity PPA.
 hide_output add-apt-repository -y ppa:duplicity-team/duplicity-release-git
 # Stock PHP is now 8.1, but we're transitioning through 8.0 because
 # of Nextcloud.
 hide_output add-apt-repository --y ppa:ondrej/php
 # ### Update Packages
 # Update system packages to make sure we have the latest upstream versions
@@ -116,9 +124,6 @@ apt_get_quiet autoremove
 # Install basic utilities.
 #
 # * haveged: Provides extra entropy to /dev/random so it doesn't stall
 #	         when generating random numbers for private keys (e.g. during
 #	         ldns-keygen).
 # * unattended-upgrades: Apt tool to install security updates automatically.
 # * cron: Runs background processes periodically.
 # * ntp: keeps the system time correct
@@ -132,8 +137,8 @@ apt_get_quiet autoremove
 echo Installing system packages...
 apt_install python3 python3-dev python3-pip python3-setuptools \
-	netcat-openbsd wget curl git sudo coreutils bc \
+	netcat-openbsd wget curl git sudo coreutils bc file \
-	haveged pollinate openssh-client unzip \
+	pollinate openssh-client unzip \
 	unattended-upgrades cron ntp fail2ban rsyslog
 # ### Suppress Upgrade Prompts
@@ -324,7 +329,7 @@ fi #NODOC
 #  	If more queries than specified are sent, bind9 returns SERVFAIL. After flushing the cache during system checks,
 #	we ran into the limit thus we are increasing it from 75 (default value) to 100.
 apt_install bind9
-tools/editconf.py /etc/default/bind9 \
+tools/editconf.py /etc/default/named \
 	"OPTIONS=\"-u bind -4\""
 if ! grep -q "listen-on " /etc/bind/named.conf.options; then
 	# Add a listen-on directive if it doesn't exist inside the options block.
@@ -356,6 +361,7 @@ systemctl restart systemd-resolved
 rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore
 rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config
 cat conf/fail2ban/jails.conf \
    | sed "s/PUBLIC_IPV6/$PUBLIC_IPV6/g" \
 	| sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
 	| sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
 	> /etc/fail2ban/jail.d/mailinabox.conf
@@ -367,3 +373,5 @@ cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/
 # scripts will ensure the files exist and then fail2ban is given another
 # restart at the very end of setup.
 restart_service fail2ban
 systemctl enable fail2ban
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -19,7 +19,7 @@ fi
 echo "Installing Nginx (web server)..."
-apt_install nginx php-cli php-fpm idn2
+apt_install nginx php${PHP_VER}-cli php${PHP_VER}-fpm idn2
 rm -f /etc/nginx/sites-enabled/default
@@ -46,15 +46,15 @@ tools/editconf.py /etc/nginx/nginx.conf -s \
 	ssl_protocols="TLSv1.2 TLSv1.3;"
 # Tell PHP not to expose its version number in the X-Powered-By header.
-tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \
 	expose_php=Off
 # Set PHPs default charset to UTF-8, since we use it. See #367.
-tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \
        default_charset="UTF-8"
 # Configure the path environment for php-fpm
-tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
 	env[PATH]=/usr/local/bin:/usr/bin:/bin \
 # Configure php-fpm based on the amount of memory the machine has
@@ -64,7 +64,7 @@ tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)
 if [ $TOTAL_PHYSICAL_MEM -lt 1000000 ]
 then
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
                pm=ondemand \
                pm.max_children=8 \
                pm.start_servers=2 \
@@ -72,7 +72,7 @@ then
                pm.max_spare_servers=3
 elif [ $TOTAL_PHYSICAL_MEM -lt 2000000 ]
 then
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
                pm=ondemand \
                pm.max_children=16 \
                pm.start_servers=4 \
@@ -80,14 +80,14 @@ then
                pm.max_spare_servers=6
 elif [ $TOTAL_PHYSICAL_MEM -lt 3000000 ]
 then
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
                pm=dynamic \
                pm.max_children=60 \
                pm.start_servers=6 \
                pm.min_spare_servers=3 \
                pm.max_spare_servers=9
 else
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
                pm=dynamic \
                pm.max_children=120 \
                pm.start_servers=12 \
@@ -147,7 +147,7 @@ chown -R $STORAGE_USER $STORAGE_ROOT/www
 # Start services.
 restart_service nginx
-restart_service php7.2-fpm
+restart_service php$PHP_VER-fpm
 # Open ports.
 ufw_allow http
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -22,19 +22,25 @@ source /etc/mailinabox.conf # load global vars
 echo "Installing Roundcube (webmail)..."
 apt_install \
 	dbconfig-common \
-	php-cli php-sqlite3 php-intl php-json php-common php-curl php-ldap \
+	php${PHP_VER}-cli php${PHP_VER}-sqlite3 php${PHP_VER}-intl php${PHP_VER}-common php${PHP_VER}-curl php${PHP_VER}-imap \
-	php-gd php-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php-mbstring
+	php${PHP_VER}-gd php${PHP_VER}-pspell php${PHP_VER}-mbstring libjs-jquery libjs-jquery-mousewheel libmagic1
 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of plugins to track
 # whether we have the latest version of everything.
-
+# For the latest versions, see:
-VERSION=1.5-rc
+#   https://github.com/roundcube/roundcubemail/releases
-HASH=a7cb2a39702536d769c7ff93f716e27f0b93f9d9
+#   https://github.com/mfreiholz/persistent_login/commits/master
-PERSISTENT_LOGIN_VERSION=6b3fc450cae23ccb2f393d0ef67aa319e877e435 # version 5.2.0
+#   https://github.com/stremlau/html5_notifier/commits/master
 #   https://github.com/mstilkerich/rcmcarddav/releases
 # The easiest way to get the package hashes is to run this script and get the hash from
 # the error message.
 VERSION=1.6.0
 HASH=fd84b4fac74419bb73e7a3bcae1978d5589c52de
 PERSISTENT_LOGIN_VERSION=bde7b6840c7d91de627ea14e81cf4133cbb3c07a # version 5.2
 HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+
-CARDDAV_VERSION=3.0.3
+CARDDAV_VERSION=4.4.3
-CARDDAV_HASH=d1e3b0d851ffa2c6bd42bf0c04f70d0e1d0d78f8
+CARDDAV_HASH=74f8ba7aee33e78beb9de07f7f44b81f6071b644
 UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION
@@ -77,13 +83,13 @@ if [ $needs_update == 1 ]; then
 	# download and verify the full release of the carddav plugin
 	wget_verify \
-		https://github.com/blind-coder/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-${CARDDAV_VERSION}.zip \
+		https://github.com/mstilkerich/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-v${CARDDAV_VERSION}.tar.gz \
 		$CARDDAV_HASH \
-		/tmp/carddav.zip
+		/tmp/carddav.tar.gz
 	# unzip and cleanup
-	unzip -q /tmp/carddav.zip -d ${RCM_PLUGIN_DIR}
+	tar -C ${RCM_PLUGIN_DIR} -zxf /tmp/carddav.tar.gz
-	rm -f /tmp/carddav.zip
+	rm -f /tmp/carddav.tar.gz
 	# record the version we've installed
 	echo $UPDATE_KEY > ${RCM_DIR}/version
@@ -109,8 +115,7 @@ cat > $RCM_CONFIG <<EOF;
 \$config['log_dir'] = '/var/log/roundcubemail/';
 \$config['temp_dir'] = '/var/tmp/roundcubemail/';
 \$config['db_dsnw'] = 'sqlite:///$STORAGE_ROOT/mail/roundcube/roundcube.sqlite?mode=0640';
-\$config['default_host'] = 'ssl://localhost';
+\$config['imap_host'] = 'ssl://localhost:993';
 \$config['default_port'] = 993;
 \$config['imap_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'  => false,
@@ -118,7 +123,7 @@ cat > $RCM_CONFIG <<EOF;
   ),
 );
 \$config['imap_timeout'] = 15;
-\$config['smtp_server'] = 'tls://127.0.0.1';
+\$config['smtp_host'] = 'tls://127.0.0.1';
 \$config['smtp_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'  => false,
@@ -129,12 +134,16 @@ cat > $RCM_CONFIG <<EOF;
 \$config['product_name'] = '$PRIMARY_HOSTNAME Webmail';
 \$config['cipher_method'] = 'AES-256-CBC'; # persistent login cookie and potentially other things
 \$config['des_key'] = '$SECRET_KEY'; # 37 characters -> ~256 bits for AES-256, see above
-\$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'persistent_login', 'carddav');
+\$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'managesieve', 'jqueryui', 'persistent_login', 'carddav');
 \$config['skin'] = 'elastic';
 \$config['login_autocomplete'] = 2;
 \$config['login_username_filter'] = 'email';
 \$config['password_charset'] = 'UTF-8';
 \$config['junk_mbox'] = 'Spam';
 /* ensure roudcube session id's aren't leaked to other parts of the server */
 \$config['session_path'] = '/mail/';
 /* prevent CSRF, requires php 7.3+ */
 \$config['session_samesite'] = 'Strict';
 ?>
 EOF
@@ -148,7 +157,7 @@ cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
 	 'name'         =>  'ownCloud',
 	 'username'     =>  '%u', // login username
 	 'password'     =>  '%p', // login password
-	 'url'          =>  'https://${PRIMARY_HOSTNAME}/cloud/remote.php/carddav/addressbooks/%u/contacts',
+	 'url'          =>  'https://${PRIMARY_HOSTNAME}/cloud/remote.php/dav/addressbooks/users/%u/contacts/',
 	 'active'       =>  true,
 	 'readonly'     =>  false,
 	 'refresh_time' => '02:00:00',
@@ -161,7 +170,7 @@ EOF
 # Create writable directories.
 mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
-chown -R www-data.www-data /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+chown -R www-data:www-data /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
 # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
 sudo -u www-data touch /var/log/roundcubemail/errors.log
@@ -185,21 +194,21 @@ usermod -a -G dovecot www-data
 # set permissions so that PHP can use users.sqlite
 # could use dovecot instead of www-data, but not sure it matters
-chown root.www-data $STORAGE_ROOT/mail
+chown root:www-data $STORAGE_ROOT/mail
 chmod 775 $STORAGE_ROOT/mail
-chown root.www-data $STORAGE_ROOT/mail/users.sqlite
+chown root:www-data $STORAGE_ROOT/mail/users.sqlite
 chmod 664 $STORAGE_ROOT/mail/users.sqlite
 # Fix Carddav permissions:
-chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav
+chown -f -R root:www-data ${RCM_PLUGIN_DIR}/carddav
-# root.www-data need all permissions, others only read
+# root:www-data need all permissions, others only read
 chmod -R 774 ${RCM_PLUGIN_DIR}/carddav
 # Run Roundcube database migration script (database is created if it does not exist)
-${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube
+php$PHP_VER ${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube
 chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 # Enable PHP modules.
-phpenmod -v php mcrypt imap
+phpenmod -v $PHP_VER imap
-restart_service php7.2-fpm
+restart_service php$PHP_VER-fpm
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -17,9 +17,9 @@ source /etc/mailinabox.conf # load global vars
 echo "Installing Z-Push (Exchange/ActiveSync server)..."
 apt_install \
-	php-soap php-imap libawl-php php-xsl
+       php${PHP_VER}-soap php${PHP_VER}-imap libawl-php php$PHP_VER-xml
-phpenmod -v php imap
+phpenmod -v $PHP_VER imap
 # Copy Z-Push into place.
 VERSION=2.6.2
@@ -42,8 +42,6 @@ if [ $needs_update == 1 ]; then
 	rm -rf /tmp/z-push.zip /tmp/z-push
 	rm -f /usr/sbin/z-push-{admin,top}
 	ln -s /usr/local/lib/z-push/z-push-admin.php /usr/sbin/z-push-admin
 	ln -s /usr/local/lib/z-push/z-push-top.php /usr/sbin/z-push-top
 	echo $VERSION > /usr/local/lib/z-push/version
 fi
@@ -102,8 +100,8 @@ EOF
 # Restart service.
-restart_service php7.2-fpm
+restart_service php$PHP_VER-fpm
 # Fix states after upgrade
-hide_output z-push-admin -a fixstates
+hide_output php$PHP_VER /usr/local/lib/z-push/z-push-admin.php -a fixstates
--- a/tests/test_dns.py
+++ b/tests/test_dns.py
@@ -30,7 +30,7 @@ def test(server, description):
 		(hostname, "TXT", "\"v=spf1 mx -all\""),
 		("mail._domainkey." + hostname, "TXT", "\"v=DKIM1; k=rsa; s=email; \" \"p=__KEY__\""),
 		#("_adsp._domainkey." + hostname, "TXT", "\"dkim=all\""),
-		("_dmarc." + hostname, "TXT", "\"v=DMARC1; p=quarantine\""),
+		("_dmarc." + hostname, "TXT", "\"v=DMARC1; p=quarantine;\""),
 	]
 	return test2(tests, server, description)
@@ -48,7 +48,7 @@ def test2(tests, server, description):
 	for qname, rtype, expected_answer in tests:
 		# do the query and format the result as a string
 		try:
-			response = dns.resolver.query(qname, rtype)
+			response = dns.resolver.resolve(qname, rtype)
 		except dns.resolver.NoNameservers:
 			# host did not have an answer for this query
 			print("Could not connect to %s for DNS query." % server)
--- a/tests/test_mail.py
+++ b/tests/test_mail.py
@@ -48,7 +48,7 @@ server = smtplib.SMTP_SSL(host)
 ipaddr = socket.gethostbyname(host) # IPv4 only!
 reverse_ip = dns.reversename.from_address(ipaddr) # e.g. "1.0.0.127.in-addr.arpa."
 try:
-	reverse_dns = dns.resolver.query(reverse_ip, 'PTR')[0].target.to_text(omit_final_dot=True) # => hostname
+	reverse_dns = dns.resolver.resolve(reverse_ip, 'PTR')[0].target.to_text(omit_final_dot=True) # => hostname
 except dns.resolver.NXDOMAIN:
 	print("Reverse DNS lookup failed for %s. SMTP EHLO name check skipped." % ipaddr)
 	reverse_dns = None
--- a/tools/editconf.py
+++ b/tools/editconf.py
@@ -14,6 +14,10 @@
 #
 # NAME VALUE
 #
 # If the -e option is given and VALUE is empty, the setting is removed
 # from the configuration file if it is set (i.e. existing occurrences
 # are commented out and no new setting is added).
 #
 # If the -c option is given, then the supplied character becomes the comment character
 #
 # If the -w option is given, then setting lines continue onto following
@@ -35,6 +39,7 @@ settings = sys.argv[2:]
 delimiter = "="
 delimiter_re = r"\s*=\s*"
 erase_setting = False
 comment_char = "#"
 folded_lines = False
 testing = False
@@ -44,6 +49,9 @@ while settings[0][0] == "-" and settings[0] != "--":
 		# Space is the delimiter
 		delimiter = " "
 		delimiter_re = r"\s+"
 	elif opt == "-e":
 		# Erase settings that have empty values.
 		erase_setting = True
 	elif opt == "-w":
 		# Line folding is possible in this file.
 		folded_lines = True
@@ -68,7 +76,8 @@ for setting in settings:
 found = set()
 buf = ""
-input_lines = list(open(filename))
+with open(filename, "r") as f:
        input_lines = list(f)
 while len(input_lines) > 0:
 	line = input_lines.pop(0)
@@ -81,7 +90,7 @@ while len(input_lines) > 0:
 	# See if this line is for any settings passed on the command line.
 	for i in range(len(settings)):
-		# Check that this line contain this setting from the command-line arguments.
+		# Check if this line contain this setting from the command-line arguments.
 		name, val = settings[i].split("=", 1)
 		m = re.match(
 			   "(\s*)"
@@ -91,8 +100,10 @@ while len(input_lines) > 0:
 		if not m: continue
 		indent, is_comment, existing_val = m.groups()
-		# If this is already the setting, do nothing.
+		# If this is already the setting, keep it in the file, except:
-		if is_comment is None and existing_val == val:
+		# * If we've already seen it before, then remove this duplicate line.
 		# * If val is empty and erase_setting is on, then comment it out.
 		if is_comment is None and existing_val == val and not (not val and erase_setting):
 			# It may be that we've already inserted this setting higher
 			# in the file so check for that first.
 			if i in found: break
@@ -107,8 +118,9 @@ while len(input_lines) > 0:
 			# the line is already commented, pass it through
 			buf += line
-		# if this option oddly appears more than once, don't add the setting again
+		# if this option already is set don't add the setting again,
-		if i in found:
+		# or if we're clearing the setting with -e, don't add it
 		if (i in found) or (not val and erase_setting):
 			break
 		# add the new setting
@@ -122,11 +134,13 @@ while len(input_lines) > 0:
 		# If did not match any setting names, pass this line through.
 		buf += line
-# Put any settings we didn't see at the end of the file.
+# Put any settings we didn't see at the end of the file,
 # except settings being cleared.
 for i in range(len(settings)):
 	if i not in found:
 		name, val = settings[i].split("=", 1)
-		buf += name + delimiter + val + "\n"
+		if not (not val and erase_setting):
 			buf += name + delimiter + val + "\n"
 if not testing:
 	# Write out the new file.
--- a/tools/owncloud-restore.sh
+++ b/tools/owncloud-restore.sh
@@ -26,7 +26,7 @@ if [ ! -f $1/config.php ]; then
 fi
 echo "Restoring backup from $1"
-service php7.2-fpm stop
+service php8.0-fpm stop
 # remove the current ownCloud/Nextcloud installation
 rm -rf /usr/local/lib/owncloud/
@@ -40,10 +40,10 @@ cp "$1/owncloud.db" $STORAGE_ROOT/owncloud/
 cp "$1/config.php" $STORAGE_ROOT/owncloud/
 ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
-chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
+chown -f -R www-data:www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
-chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
+chown www-data:www-data $STORAGE_ROOT/owncloud/config.php
-sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off
+sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ maintenance:mode --off
-service php7.2-fpm start
+service php8.0-fpm start
 echo "Done"
--- a/tools/owncloud-unlockadmin.sh
+++ b/tools/owncloud-unlockadmin.sh
@@ -20,4 +20,4 @@ echo
 echo Press enter to continue.
 read
-sudo -u www-data php /usr/local/lib/owncloud/occ group:adduser admin $ADMIN && echo Done.
+sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ group:adduser admin $ADMIN && echo Done.
--- a/tools/parse-nginx-log-bootstrap-accesses.py
+++ b/tools/parse-nginx-log-bootstrap-accesses.py
@@ -17,13 +17,8 @@ accesses = set()
 # Scan the current and rotated access logs.
 for fn in glob.glob("/var/log/nginx/access.log*"):
 	# Gunzip if necessary.
 	if fn.endswith(".gz"):
 		f = gzip.open(fn)
 	else:
 		f = open(fn, "rb")
 	# Loop through the lines in the access log.
-	with f:
+	with (gzip.open if fn.endswith(".gz") else open)(fn, "rb") as f:
 		for line in f:
 			# Find lines that are GETs on the bootstrap script by either curl or wget.
 			# (Note that we purposely skip ...?ping=1 requests which is the admin panel querying us for updates.)
@@ -43,7 +38,8 @@ for date, ip in accesses:
 # Since logs are rotated, store the statistics permanently in a JSON file.
 # Load in the stats from an existing file.
 if os.path.exists(outfn):
-	existing_data = json.load(open(outfn))
+	with open(outfn, "r") as f:
 		existing_data = json.load(f)
 	for date, count in existing_data:
 		if date not in by_date:
 			by_date[date] = count
--- a/tools/readable_bash.py
+++ b/tools/readable_bash.py
@@ -124,13 +124,14 @@ def generate_documentation():
 """)
 	parser = Source.parser()
-	for line in open("setup/start.sh"):
+	with open("setup/start.sh", "r") as start_file: 
-		try:
+                for line in start_file:
-			fn = parser.parse_string(line).filename()
+                        try:
-		except:
+                                fn = parser.parse_string(line).filename()
-			continue
+                        except:
-		if fn in ("setup/start.sh", "setup/preflight.sh", "setup/questions.sh", "setup/firstuser.sh", "setup/management.sh"):
+                                continue
-			continue
+                        if fn in ("setup/start.sh", "setup/preflight.sh", "setup/questions.sh", "setup/firstuser.sh", "setup/management.sh"):
                                continue
 		import sys
 		print(fn, file=sys.stderr)
@@ -401,7 +402,8 @@ class BashScript(Grammar):
 	@staticmethod
 	def parse(fn):
 		if fn in ("setup/functions.sh", "/etc/mailinabox.conf"): return ""
-		string = open(fn).read()
+		with open(fn, "r") as f:
 			string = f.read()
 		# tokenize
 		string = re.sub(".* #NODOC\n", "", string)
Author	SHA1	Message	Date
Joshua Tauberer	6f94412204	v61.1	2023-01-28 11:25:21 -05:00
Joshua Tauberer	c77d1697a7	Revert "Improve error messages in the management tools when external command-line tools are run" Command line arguments have user secrets in some cases which should not be included in error messages. This reverts commit `26709a3c1d`. Reported by AK.	2023-01-28 11:24:38 -05:00
Hugh Secker-Walker	31bbef3401	chore(setup): Make sed fingerprint patterns in start.sh be case insensitive (#2201 )	2023-01-28 11:12:40 -05:00
Hugh Secker-Walker	7af713592a	feat(status page): Add summary of ok/error/warning counts (#2204 ) * feat(status page): Add summary of ok/error/warning counts * simplify a bit --------- Co-authored-by: Hugh Secker-Walker <hsw+miac@hodain.net> Co-authored-by: Joshua Tauberer <jt@occams.info>	2023-01-28 11:11:17 -05:00
Hugh Secker-Walker	4408cb1fba	fix(rsync-backup): Provide default port 22 for rsync usage in backup.py (#2226 ) Co-authored-by: Hugh Secker-Walker <hsw+miac@hodain.net>	2023-01-28 11:04:46 -05:00
Joshua Tauberer	5e3e4a2161	v61	2023-01-21 08:20:48 -05:00
Joshua Tauberer	61d1ea1ea7	Changelog entries	2023-01-15 10:17:10 -05:00
Joshua Tauberer	b3743a31e9	Add a status checks check that fail2ban is running using fail2ban-client	2023-01-15 10:17:10 -05:00
Joshua Tauberer	26709a3c1d	Improve error messages in the management tools when external command-line tools are run	2023-01-15 10:17:10 -05:00
jcm-shove-it	20ec6c2080	Updated security.md to reflect the support of ubuntu 22.04 (#2219 )	2023-01-15 10:05:36 -05:00
Steven Conaway	7a79153afe	Remove old darkmode background color (#2218 ) Removing this old background color solves the problem of the bottom of short pages (like `/admin`'s login page) being white. The background was being set to black, which would be inverted, so it'd appear white. Since the `filter:` css has [~97% support](https://caniuse.com/?search=filter), I think that this change should be made. Tested on latest versions of Chrome (mac and iOS), Firefox, and Safari (mac and iOS).	2023-01-15 10:05:13 -05:00
Hugh Secker-Walker	a2565227f2	feat(rsync-port): Add support for non-standard ssh port for rsync backup (#2208 )	2023-01-15 10:03:05 -05:00
Hugh Secker-Walker	02b34ce699	fix(backup-display): Fix parsing of rsync target in system-backup.html, fixes #2206 (#2207 )	2023-01-15 10:01:07 -05:00
Hugh Secker-Walker	820a39b865	chore(python open): Refactor open and gzip.open to use context manager (#2203 ) Co-authored-by: Hugh Secker-Walker <hsw+miac@hodain.net>	2023-01-15 08:28:43 -05:00
Hugh Secker-Walker	57047d96e9	chore(setup): Update obsolete chown group syntax (#2202 ) Co-authored-by: Hugh Secker-Walker <hsw+miac@hodain.net>	2023-01-15 08:25:36 -05:00
KiekerJan	1587248762	Disable Roundcube password plugin since it was corrupting the user database (#2198 )	2023-01-15 08:22:43 -05:00
KiekerJan	0fc5105da5	Fixes to DNS lookups during status checks when there are timeouts, enforce timeouts better (#2191 ) * add dns query handling changes * replace exception pass with error message * simplify dns exception catching * Add not set case to blacklist lookup result handling	2023-01-15 08:20:08 -05:00
KiekerJan	c29593b5ef	explicitly enable fail2ban which didn't start (#2190 )	2023-01-15 08:10:04 -05:00
Joshua Tauberer	3314c4f7de	v60.1	2022-10-30 08:18:13 -04:00
Joshua Tauberer	1f60236985	Upgrade Nextcloud to 23.0.4 (contacts to 4.2.0, calendar to 3.5.0) This fixes the monthly view calendar items being in random order.	2022-10-30 08:16:54 -04:00
alento-group	32c68874c5	Fix NSD not restarting (#2182 ) A previous commit (`0a970f4bb2`) broke nsd restarting. This fixes that change by reverting it. Josh added: Use nsd-control with reconfig and reload if they succeed and only fall back to restarting nsd if they fail Co-authored-by: Joshua Tauberer <jt@occams.info>	2022-10-30 08:16:03 -04:00
Joshua Tauberer	286a4bd9e7	Remove stray quote in bootstrap.sh Reported at https://discourse.mailinabox.email/t/version-60-for-ubuntu-22-04-is-released/9558/4.	2022-10-12 06:11:02 -04:00
Joshua Tauberer	ddf8e857fd	Support Ubuntu 22.04 Jammy Jellyfish (#2083 )	2022-10-11 21:18:34 -04:00
Joshua Tauberer	4d5ff0210b	Version 60	2022-10-11 21:14:31 -04:00
Joshua Tauberer	89cd9fb611	Increase gunicorn's worker timeout since some /admin commands take a long time	2022-10-08 08:23:48 -04:00
Joshua Tauberer	22a6270657	Remove old setup step to uninstall acme library	2022-10-08 08:23:48 -04:00
Joshua Tauberer	0a970f4bb2	Use nsd-control to refresh nsd after zone files are rewritten rather than 'service nsd restart' I am not sure if this was the problem but nsd didn't serve updated zonefiles on my box and 'service nsd restart' must have been used, so maybe it doesn't reload zones.	2022-10-08 07:24:57 -04:00
Joshua Tauberer	9b111e2493	Update to Nextcloud 23.0.8 (contacts 4.2.0, calendar 3.5.0)	2022-10-08 07:23:21 -04:00
jvolkenant	b8feb77ef4	Move postgrey database under $STORAGE_ROOT (#2077 )	2022-09-24 13:17:55 -04:00
Joshua Tauberer	3c44604316	Install 'file' package The command is used in mailinabox-postgrey-whitelist. Reported missing (on systems that don't install it by default) in #2083.	2022-09-24 10:10:50 -04:00
Steve Hay	1e1a054686	BUGFIX: Correctly handle the multiprocessing for run_checks in the management daemon (#2163 ) See discussion here: #2083 Co-authored-by: Steve Hay <hay.steve@gmail.com>	2022-09-24 09:56:27 -04:00
kiekerjan	d584a41e60	Update Roundcube to 1.6.0 (#2153 )	2022-09-17 09:20:20 -04:00
downtownallday	56074ae035	Tighten roundcube session config (#2138 ) Merges #2138.	2022-09-17 09:09:00 -04:00
downtownallday	30631b0fc5	Fix undefined variable 'val' in tools/editconf.py (#2137 ) Merges #2137.	2022-09-17 09:09:00 -04:00
Steve Hay	84da4e6000	Update dovecot to use same DH parameters file as the other services Originally from #2157.	2022-09-17 09:07:54 -04:00
Joshua Tauberer	58ded74181	Restore the backup S3 host select box if an S3 target has been set Also remove unnecessary import added in `7cda439c`. Was a mistake from edits during PR review.	2022-09-17 09:07:54 -04:00
Steve Hay	3fd2e3efa9	Replace Flask built-in WSGI server with gunicorn (#2158 )	2022-09-17 08:03:16 -04:00
Steve Hay	7cda439c80	Port boto to boto3 and fix asyncio issue in the management daemon (#2156 ) Co-authored-by: Steve Hay <hay.steve@gmail.com>	2022-09-17 07:57:12 -04:00
Joshua Tauberer	91fc74b408	Setup fixes for Ubuntu 22.04 Nextcloud: * The Nextcloud user_external 1.0.0 package for Nextcloud 21.0.7 isn't available from Nextcloud's releases page, but it's not needed in an intermediate upgrade step (hopefully), so we can skip it. * Nextcloud updgrade steps should not be elifs because multiple intermediate upgrades may be needed. * Continue if the user_external backend migration fails. Maybe it's not necessary. It gives a scary error message though. * Remove a line that removes an old file that hasn't been in use since 2019 and the expectation is that Ubuntu 22.04 installations are on fresh machines. Backups: * For duplicity, we now need boto3 for AWS.	2022-09-03 07:50:36 -04:00
Sudheesh Singanamalla	d7244ed920	Fixes #2149 Append ; in policy strings for DMARC settings (#2151 ) Signed-off-by: Sudheesh Singanamalla <sudheesh@cloudflare.com>	2022-08-19 13:23:42 -04:00
David Duque	e0c0b5053c	Upgrade Nextcloud External User Backend to v3.0.0 Co-Authored-By: Joshua Tauberer <jt@occams.info>	2022-07-28 14:42:51 -04:00
Joshua Tauberer	268b31685d	Ensure STORAGE_ROOT has a+rx permission since processes run by different system users need to access files within it	2022-07-28 14:42:51 -04:00
Joshua Tauberer	ab71abbc7c	Update to latest cryptography Python package, add missing source at top of management.sh so it can run standalone (needs STORAGE_ROOT)	2022-07-28 14:42:51 -04:00
Joshua Tauberer	87e6df9e28	Fix roundcube dependency missing imap and unneeded ldap	2022-07-28 14:42:51 -04:00
Felix Matouschek	558f2db31f	system.sh: Remove no longer needed haveged (#2090 ) Starting from kernels 5.6 haveged is obsolete. Therefore remove it in Ubuntu 22.04. See https://github.com/jirka-h/haveged/issues/57	2022-07-28 14:42:51 -04:00
Joshua Tauberer	c23dd701f0	Start changelog and instructions updates for version 60 supporting Ubuntu 22.04 To scan for updated apt packages in Ubuntu 22.04, I ran on Ubuntu 18.04 and 22.04 and compared the output: ``` for package in openssl openssh-client haveged pollinate fail2ban ufw bind9 nsd ldnsutils nginx dovecot-core postfix opendkim opendkim-tools opendmarc postgrey spampd razor pyzor dovecot-antispam sqlite3 duplicity certbot munin munin-node php python3; do echo -n "$package "; dpkg-query --showformat='${Version}' --show $package; echo done ```	2022-07-28 14:42:51 -04:00
Joshua Tauberer	0a7b9d5089	Update dovecot, spampd settings for Ubuntu 22.04 * dovecot's ssl_protocols became ssl_min_protocol in 2.3 * spampd fixed a bug so we can remove lmtp_destination_recipient_limit=1 in postfix	2022-07-28 14:34:45 -04:00
Joshua Tauberer	1eddf9a220	Upgrade to Nextcloud 23.0.4 The first version supporting PHP 8.0 is Nextcloud 21. Therefore we can add migrations only to Nextcloud 21 forward, and so we only support migrating from Nextcloud 20 (Mail-in-a-Box versions v0.51+). Migration steps through Nextcloud 21 and 22 are added. Also: * Fix PHP APUc settings to be before Nextcloud tools are run.	2022-07-28 14:34:45 -04:00
Joshua Tauberer	78d71498fa	Upgrade from PHP 7.2 to 8.0 for Ubuntu 22.04 * Add the PHP PPA. * Specify the version when invoking the php CLI. * Specify the version in package names. * Update paths to 8.0 (using a variable in the setup scripts). * Update z-push's php-xsl dependency to php8.0-xml. * php-json is now built-into PHP. Although PHP 8.1 is the stock version in Ubuntu 22.04, it's not supported by Nextcloud yet, and it likely will never be supported by the the version of Nextcloud that succeeds the last version of Nextcloud that supports PHP 7.2, and we have to install the next version so that an upgrade is permitted, so skipping to PHP 8.1 may not be easily possible.	2022-07-28 14:02:46 -04:00
Joshua Tauberer	b41a0ad80e	Drop some hacks that we needed for Ubuntu 18.04 * certbot's PPA is no longer needed because a recent version is now included in the Ubuntu respository. * Un-pin b2sdk (reverts `69d8fdef99` and `d829d74048`). * Revert boto+s3 workaround for duplicity (partial revert of `99474b348f`). * Revert old "fix boto 2 conflict on Google Compute Engine instances" (`cf33be4596`) which is probably no longer needed.	2022-07-28 14:02:46 -04:00
Rauno Moisto	78569e9a88	Fix DeprecationWarning in dnspython query vs resolve method The resolve method disables resolving relative names by default. This change probably makes `a7710e90` unnecessary. @JoshData added some additional changes from query to resolve.	2022-07-28 14:02:46 -04:00
Daniel Mabbett	8cb360fe36	Configure nsd listening interfaces before installing nsd so that it does not interfere with bind9	2022-07-28 14:02:46 -04:00
Joshua Tauberer	f534a530d4	Update and drop some package and file names for Ubuntu 22.04 * Fix path to bind9 startup options file in Ubuntu 22.04. * tinymce has not been a Roundcube requirement recently and is no longer a package in Ubuntu 22.04 * Upgrade Vagrant box to Ubuntu 22.04	2022-07-28 14:02:46 -04:00
Joshua Tauberer	2abcafd670	Update Ubuntu version checks from 18.04 to 22.04	2022-07-28 14:02:44 -04:00
Joshua Tauberer	3c3d62ac27	Version 57a	2022-06-19 08:58:09 -04:00
Joshua Tauberer	d829d74048	Pin b2sdk to version 1.14.1 in the virtualenv also We install b2sdk in two places: Once globally for duplicity (see 9d8fdef9915127f016eb6424322a149cdff25d7 for #2125) and once in a virtualenv used by our control panel. The latter wasn't pinned when the former was but should be to fix new Python compatibility issues. Anyone who updated Python packages recently (so anyone who upgraded Mail-in-a-Box) started encountering these issues. Fixes #2131. See https://discourse.mailinabox.email/t/backblaze-b2-backup-not-working-since-v57/9231.	2022-06-18 13:15:59 -04:00
Joshua Tauberer	2aca421415	Version 57	2022-06-12 08:18:42 -04:00
Joshua Tauberer	99474b348f	Update backup to be compatible with duplicity 0.8.23 We were using duplicity 0.8.21-ppa202111091602~ubuntu1 from the duplicity PPA probably until June 5, which is when my box automatically updated to 0.8.23-ppa202205151528~ubuntu18.04.1. Starting with that version, two changes broke backups: * The default s3 backend was changed to boto3. But boto3 depends on the AWS SDK which does not support Ubuntu 18.04, so we can't install it. Instead, we map s3: backup target URLs to the boto+s3 scheme which tells duplicity to use legacy boto. This should be reverted when we can switch to boto3. * Contrary to the documentation, the s3 target no longer accepts a S3 hostname in the URL. It now reads the bucket from the hostname part of the URL. So we now drop the hostname from our target URL before passing it to duplicity and we pass the endpoint URL in a separate command-line argument. (The boto backend was dropped from duplicity's "uses_netloc" in `74d4cf44b1 (f5a07610d36bd242c3e5b98f8348879a468b866a_37_34)`, but other changes may be related.) The change of target URL (due to both changes) seems to also cause duplicity to store cached data in a different directory within $STORAGE_ROOT/backup/cache, so on the next backup it will re-download cached manifest/signature files. Since the cache directory will still hold the prior data which is no longer needed, it might be a good idea to clear out the cache directory to save space. A system status checks message is added about that. Fixes #2123	2022-06-12 08:17:48 -04:00
Joshua Tauberer	8bebaf6a48	Simplify duplicity command line by omitting rsync options if the backup target type is not rsync	2022-06-11 15:12:31 -04:00
jbandholz	9004bb6e8e	Add IPV6 addresses to fail2ban ignoreip (#2069 ) Update jails.conf to include IPV6 localhost and external ip to ignoreip line. Update system.sh to include IPV6 address in replacement. See mail-in-a-box#2066 for details.	2022-06-05 09:40:54 -04:00
m-picc	69d8fdef99	Specify b2sdk version 1.14.1 (#2125 ) pin b2sdk version to 1.14.1 to resolve exception that occurs when attempting to use backblaze backups. See https://github.com/mail-in-a-box/mailinabox/issues/2124 for details.	2022-06-05 09:24:32 -04:00
Austin Ewens	eeee712cf3	Switched to using tags over releases for NextCloud contacts/calendar (#2105 ) See [mailinabox issue #2088](https://github.com/mail-in-a-box/mailinabox/issues/2088). This also updates the commit hashes to for anyone updating from NextCloud version 17 (as shown in the related issue) since a different hash is used for tags vs releases. This was tested and verified to work on a setup previously running v0.44 and then updating to the latest version (v56).	2022-05-04 17:09:53 -04:00
Joshua Tauberer	8f42d97b54	Merge pull request #2109 from lamberete/main	2022-05-04 17:08:48 -04:00
lamberete	6e40c69cb5	Error message using IPv4 instead of failing IPv6. One of the error messages around IPv6 was using the IPv4 for the output, making the error message confusing.	2022-03-26 13:50:24 +01:00
lamberete	c0e54f87d7	Sorting ds records on report. When building the part of the report about the current DS records founded, they are added in the same order as they were received when calling query_dns(), which can differ from run to run. This was making the difflib.SequenceMatcher() method to find the same line removed and added one line later, and sending an Status Checks Change Notice email with the same line added and removed when there was actually no real changes.	2022-03-26 13:45:49 +01:00
Joshua Tauberer	3a7de051ee	Version 56 (January 19, 2022)	2022-01-19 16:59:34 -05:00
Darek Kowalski	f11cb04a72	Update Vagrant private IP address, fix issue #2062 (#2064 )	2022-01-08 18:29:23 -05:00
Joshua Tauberer	cb564a130a	Fix DNS secondary nameserver refesh failure retry period Fixes #1979	2022-01-08 09:38:41 -05:00
Joshua Tauberer	d1d6318862	Set systemd journald log retention to 10 days (from no limit) to reduce disk usage	2022-01-08 09:11:48 -05:00
Joshua Tauberer	34b7a02f4f	Update Roundcube to 1.5.2	2022-01-08 09:00:12 -05:00
Joshua Tauberer	a312acc3bc	Update to Nextcloud 20.0.8 and update apps	2022-01-08 09:00:12 -05:00
Joshua Tauberer	aab1ec691c	CHANGELOG entries	2022-01-08 07:46:24 -05:00
Erik Hennig	520caf6557	fix: typo in system backup template (#2081 )	2022-01-02 08:11:41 -05:00
jvolkenant	c92fd02262	Don't die if column already exists on Nextcloud 18 upgrade (#2078 )	2021-12-25 10:17:34 -05:00
Arno Hautala	a85c429a85	regex change to exclude comma from sasl_username (#2074 ) as proposed in #2071 by @jvolkenant	2021-12-19 08:33:59 -05:00
Ilnahro	50a5cb90bc	Include rsync to the installed basic packages (#2067 ) Some VPS providers strip this package from their Ubuntu 18.04 VM images. This will help avoid errors.	2021-11-30 19:50:01 -05:00
steadfasterX	aac878dce5	fix: key flag id for KSK, fix format (#2063 ) as mentioned (https://github.com/mail-in-a-box/mailinabox/pull/2033#issuecomment-976365087) KSK is 257, not 256	2021-11-23 11:06:17 -05:00
jvolkenant	58b0323b36	Update persistent_login for Roundcube 1.5 (#2055 )	2021-11-04 18:59:10 -04:00
kiekerjan	646f971d8b	Update mailinabox.yml (#2054 ) The examples for login and logout use GET instead of POST. GET gives me an error when using it, while POST seems to work.	2021-10-31 12:49:26 -04:00
Felix Spöttel	86067be142	fix(docs): set a schema for /logout responses (#2051 ) * this remedies an OpenAPI syntax violation resulting in a redoc-cli crash	2021-10-27 12:27:54 -04:00
Joshua Tauberer	c67ff241c4	Updates to security.md	2021-10-23 08:57:05 -04:00
Joshua Tauberer	7b4cd443bf	How to report security issues	2021-10-22 18:49:16 -04:00
Joshua Tauberer	34017548d5	Don't crash if a custom DNS entry is not under a zone managed by the box, fixes #1961	2021-10-22 18:39:53 -04:00
Joshua Tauberer	65861c68b7	Version 55	2021-10-18 20:40:51 -04:00
Joshua Tauberer	71a7a3e201	Upgrade to Roundcube 1.5	2021-10-18 20:40:51 -04:00
Richard Willis	1c3bca53bb	Fix broken link in external-dns.html (#2045 )	2021-10-18 07:36:48 -04:00
ukfhVp0zms	b643cb3478	Update calendar/contacts android app info (#2044 ) DAVdroid has been renamed to DAVx⁵ and price increased from $3.69 to $5.99. CardDAV-Sync free is no longer in beta. CalDAV-Sync price increased from $2.89 to $2.99.	2021-10-13 19:09:05 -04:00