This commit will: 1. Change the user account database from sqlite to OpenLDAP 2. Add policyd-spf to postfix for SPF validation 3. Add a test runner with some automated test suites Notes: User account password hashes are preserved. There is a new Roundcube contact list called "Directory" that lists the users in LDAP (MiaB users), similar to what Google Suite does. Users can still change their password in Roundcube. OpenLDAP is configured with TLS, but all remote access is blocked by firewall rules. Manual changes are required to open it for remote access (e.g. "ufw allow proto tcp from <HOST> to any port ldaps"). The test runner is started by executing tests/runner.sh. Be aware that it will make changes to your system, including adding new users, domains, mailboxes, starting/stopping services, etc. It is highly inadvisable to run it on a production system! The LDAP schema that supports mail delivery with postfix and dovecot is located in conf/postfix.schema. This file is copied verbatim from the LdapAdmin project (GPL, ldapadmin.org). Instead of including the file in git, it could be referenced by URL and downloaded by the setup script if GPL is an issue, or apply for a PEN from IANA. The management console and other services should not appear or behave any differently than before.
# Fail2Ban configuration file for Mail-in-a-Box. Do not edit.
# This file is re-generated on updates.
#
# Every jail below lists its keys in the same order: enabled, filter, port,
# logpath, maxretry, findtime, followed by any jail-specific overrides.
# A key that is not set here falls back to fail2ban's own jail.conf value
# (or to [DEFAULT] below), so a jail with few keys is not "unconfigured".

[DEFAULT]
# Never ban our own addresses. 127.0.0.1/8 is fail2ban's default, but the
# status checks also reach our services over the public interface, so that
# address has to be whitelisted as well. PUBLIC_IP is replaced by the real
# address during installation.
ignoreip = 127.0.0.1/8 PUBLIC_IP

[dovecot]
# IMAP/POP login failures; custom MiaB filter rather than the stock "dovecot".
enabled = true
filter = dovecotimap
logpath = /var/log/mail.log
maxretry = 20
findtime = 30

[miab-management]
# Failed logins to the management daemon (logged via syslog).
enabled = true
filter = miab-management-daemon
port = http,https
logpath = /var/log/syslog
maxretry = 20
findtime = 30

[miab-munin]
# Munin is served by nginx, so failures are read from the nginx access log.
enabled = true
filter = miab-munin
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 20
findtime = 30

[miab-owncloud]
# Nextcloud writes its own log under the storage root; STORAGE_ROOT is
# substituted during installation. Uses a longer window than the other jails.
enabled = true
filter = miab-owncloud
port = http,https
logpath = STORAGE_ROOT/owncloud/nextcloud.log
maxretry = 20
findtime = 120

[miab-postfix587]
# SMTP submission (port 587) authentication failures.
enabled = true
filter = miab-postfix-submission
port = 587
logpath = /var/log/mail.log
maxretry = 20
findtime = 30

[miab-roundcube]
# Webmail login failures, taken from Roundcube's error log.
enabled = true
filter = miab-roundcube
port = http,https
logpath = /var/log/roundcubemail/errors
maxretry = 20
findtime = 30

[recidive]
# Bans, on all ports, addresses that keep getting banned by the other jails.
enabled = true
maxretry = 10
action = iptables-allports[name=recidive]
# In the recidive section of jail.conf the action contains:
#
# action = iptables-allports[name=recidive]
# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
#
# The sendmail line would send an email to the configured address, notifying
# the administrator that someone has been repeatedly triggering one of the
# other jails. By default we don't configure this address, and no action is
# required from the admin anyway, so the notification is omitted. This also
# prevents messages appearing in mail.log about mail that can't be delivered
# to fail2ban@$HOSTNAME.

[postfix-sasl]
# Stock fail2ban jail: filter, port, logpath and thresholds come from jail.conf.
enabled = true

[sshd]
# Stock fail2ban jail with a stricter retry limit and a one-hour ban.
enabled = true
maxretry = 7
# seconds
bantime = 3600

[slapd]
# No filter or port is set here, so this jail relies on fail2ban's defaults
# for a jail named "slapd" (the default filter name is the jail name), and
# maxretry/findtime come from fail2ban's defaults rather than the 20/30 used
# by the MiaB jails above.
# NOTE(review): slapd must actually be logging to this path (the rsyslog /
# logrotate setup lives outside this file) — an absent log means no bans.
enabled = true
logpath = /var/log/ldap/slapd.log