Go to file

anoma 593fd242bf Activate FAIL2BAN recidive jail Recidive can be thought of as FAIL2BAN checking itself. This setup will monitor the FAIL2BAN log and if 10 bans are seen within one day activate a week long ban and email the mail in a box admin that it has been applied . These bans survive FAIL2BAN service restarts so are much stronger which obviously means we need to be careful with them. Our current settings are relatively safe and definitely not easy to trigger by mistake e.g to activate a recidive IP jail by failed SSH logins a user would have to fail logging into SSH 6 times in 10 minutes, get banned, wait for the ban to expire and then repeat this process 9 further times within a 24 hour period. The default maxretry of 5 is much saner but that can be applied once users are happy with this jail. I have been running a stronger version of this for months and it does a very good job of ejecting persistent abusers.		2015-07-07 12:37:42 +01:00
conf	Activate FAIL2BAN recidive jail	2015-07-07 12:37:42 +01:00
management	setting an alias to forward to two or more addresses was broken since `aa33428311`	2015-07-04 15:28:45 +00:00
ppa	merge #406 - dovecot-lucene & packaging	2015-06-03 15:51:16 -04:00
setup	v0.12b	2015-07-04 11:31:51 -04:00
tests	best guess at what clients are supported by the tls settings used	2015-05-22 17:36:55 -04:00
tools	update docstring to clarify usage of -c option	2015-07-02 19:27:05 +02:00
.gitignore	adding externals and .env to gitignore	2014-07-07 07:06:36 -04:00
CHANGELOG.md	v0.12b	2015-07-04 11:31:51 -04:00
CONTRIBUTING.md	adding CONTRIBUTING.md, see #23	2014-04-23 15:52:49 -04:00
LICENSE	add CC0 1.0 Universal in LICENSE	2014-04-23 15:49:23 -04:00
README.md	v0.12b	2015-07-04 11:31:51 -04:00
Vagrantfile	replace '-t 0' test with an environment variable since '-t 0' is false when standard input has been redirected and doesn't tell us whether or not we can use dialog for input, but Vagrant must be non-interactive	2014-08-25 07:54:11 -04:00
security.md	typo in security.md	2015-06-26 11:38:40 -04:00

README.md

Mail-in-a-Box

By @JoshData and contributors.

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.

Please see https://mailinabox.email for the project's website and setup guide!

I am trying to:

Make deploying a good mail server easy.
Promote decentralization, innovation, and privacy on the web.
Have automated, auditable, and idempotent configuration.
Not make a totally unhackable, NSA-proof server.
Not make something customizable by power users.

This setup is what has been powering my own personal email since September 2013.

The Box

Mail-in-a-Box turns a fresh Ubuntu 14.04 LTS 64-bit machine into a working mail server by installing and configuring various components.

It is a one-click email appliance (see the setup guide). There are no user-configurable setup options. It "just works".

The components installed are:

SMTP (postfix), IMAP (dovecot), CardDAV/CalDAV (ownCloud), Exchange ActiveSync (z-push)
Webmail (Roundcube), static website hosting (nginx)
Spam filtering (spamassassin), greylisting (postgrey)
DNS (nsd4) with SPF, DKIM (OpenDKIM), DMARC, DNSSEC, DANE TLSA, and SSHFP records automatically set
Firewall (ufw), intrusion protection (fail2ban), system monitoring (munin)

It also includes:

A control panel and API for adding/removing mail users, aliases, custom DNS records, etc. and detailed system monitoring.
Our own builds of postgrey and dovecot-lucene distributed via the Mail-in-a-Box PPA on Launchpad.

For more information on how Mail-in-a-Box handles your privacy, see the security details page.

The Security

See the security guide for more information about the box's security configuration (TLS, password storage, etc).

I sign the release tags on git. To verify that a tag is signed by me, you can perform the following steps:

# Download my PGP key.
$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported

# Clone this repository.
$ git clone https://github.com/mail-in-a-box/mailinabox
$ cd mailinabox

# Verify the tag.
$ git verify-tag v0.12b
gpg: Signature made ..... using RSA key ID C10BDD81
gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5F4C 0E73 13CC D744 693B  2AEA B920 41F4 C10B DD81

# Check out the tag.
$ git checkout v0.12b

The key ID and fingerprint above should match my Keybase.io key and the fingerprint I publish on my homepage.

The Acknowledgements

This project was inspired in part by the "NSA-proof your email in 2 hours" blog post by Drew Crawford, Sovereign by Alex Payne, and conversations with @shevski, @konklone, and @GregElin.

Mail-in-a-Box is similar to iRedMail and Modoboa.

The History

In 2007 I wrote a relatively popular Mozilla Thunderbird extension that added client-side SPF and DKIM checks to mail to warn users about possible phishing: add-on page, source.
In August 2013 I began Mail-in-a-Box by combining my own mail server configuration with the setup in "NSA-proof your email in 2 hours" and making the setup steps reproducible with bash scripts.
Mail-in-a-Box was a semifinalist in the 2014 Knight News Challenge, but it was not selected as a winner.
Mail-in-a-Box hit the front page of Hacker News in April 2014, September 2014, and May 2015.
FastCompany mentioned Mail-in-a-Box a roundup of privacy projects on June 26, 2015.