Go to file

Joshua Tauberer 837d327c1e v0.09 ===== May 8, 2015 Mail: * Spam checking is now performed on messages larger than the previous limit of 64KB. * POP3S is now enabled (port 995). * Roundcube is updated to version 1.1.1. * Minor security improvements (more mail headers with user agent info are anonymized; crypto settings were tightened). ownCloud: * Downloading files you uploaded to ownCloud broke because of a change in ownCloud 8. DNS: * Internationalized Domain Names (IDNs) should now work in email. If you had custom DNS or custom web settings for internationalized domains, check that they are still working. * It is now possible to set multiple TXT and other types of records on the same domain in the control panel. * The custom DNS API was completely rewritten to support setting multiple records of the same type on a domain. Any existing client code using the DNS API will have to be rewritten. (Existing code will just get 404s back.) * On some systems the `nsd` service failed to start if network inferfaces were not ready. System / Control Panel: * In order to guard against misconfiguration that can lead to domain control validation hijacking, email addresses that begin with admin, administrator, postmaster, hostmaster, and webmaster can no longer be used for (new) mail user accounts, and aliases for these addresses may direct mail only to the box's administrator(s). * Backups now use duplicity's built-in gpg symmetric AES256 encryption rather than my home-brewed encryption. Old backups will be incorporated inside the first backup after this update but then deleted from disk (i.e. your backups from the previous few days will be backed up). * There was a race condition between backups and the new nightly status checks. * The control panel would sometimes lock up with an unnecessary loading indicator. * You can no longer delete your own account from the control panel. Setup: * All Mail-in-a-Box release tags are now signed on github, instructions for verifying the signature are added to the README, and the integrity of some packages downloaded during setup is now verified against a SHA1 hash stored in the tag itself. * Bugs in first user account creation were fixed.		2015-05-08 08:10:39 -04:00
conf	anonymize X-Pgp-Agent, Mime-Version outgoing mail headers; fixes #342	2015-05-03 14:03:59 +00:00
management	move the server: block of nsd.conf out of the management daemon and into the setup scripts	2015-05-04 11:24:40 +00:00
setup	v0.09	2015-05-08 08:10:39 -04:00
tests	update test_dns	2014-06-21 12:32:20 -04:00
tools	editconf.py: better error message if command line arguments are not valid	2015-04-11 15:25:11 -04:00
.gitignore	adding externals and .env to gitignore	2014-07-07 07:06:36 -04:00
CHANGELOG.md	v0.09	2015-05-08 08:10:39 -04:00
CONTRIBUTING.md	adding CONTRIBUTING.md, see #23	2014-04-23 15:52:49 -04:00
LICENSE	add CC0 1.0 Universal in LICENSE	2014-04-23 15:49:23 -04:00
README.md	add instructions for verifying the signed tags to the README	2015-04-01 10:38:09 -04:00
Vagrantfile	replace '-t 0' test with an environment variable since '-t 0' is false when standard input has been redirected and doesn't tell us whether or not we can use dialog for input, but Vagrant must be non-interactive	2014-08-25 07:54:11 -04:00

README.md

Mail-in-a-Box

By @JoshData and contributors.

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.

Please see https://mailinabox.email for the project's website and setup guide!

I am trying to:

Make deploying a good mail server easy.
Promote decentralization, innovation, and privacy on the web.
Have automated, auditable, and idempotent configuration.
Not be a mail server that the NSA cannot hack.
Not be customizable by power users.

The long-term goal is to have this be a one-click email appliance with no user-configurable setup options.

For more background, see The Rationale.

This setup is what has been powering my own personal email since September 2013.

The Box

Mail-in-a-Box turns a fresh Ubuntu 14.04 LTS 64-bit machine into a working mail server, including SMTP (postfix), IMAP (dovecot), Exchange ActiveSync (z-push), webmail (Roundcube), spam filtering (spamassassin), greylisting (postgrey), CardDAV/CalDAV (ownCloud), DNS, SPF, DKIM (OpenDKIM), DMARC, DNSSEC, DANE TLSA, SSHFP, and basic system services like a firewall, intrusion protection, and setting the system clock.

Authenticity

I sign the release tags. To verify that a tag is signed by me, you can perform the following steps:

# Download my PGP key.
$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported

# Clone this repository.
$ git clone https://github.com/mail-in-a-box/mailinabox
$ cd mailinabox

# Verify the tag.
$ git verify-tag v0.08
gpg: Signature made ..... using RSA key ID C10BDD81
gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5F4C 0E73 13CC D744 693B  2AEA B920 41F4 C10B DD81

The key ID and fingerprint above should match my Keybase.io key and the fingerprint I publish on my homepage.

The Acknowledgements

This project was inspired in part by the "NSA-proof your email in 2 hours" blog post by Drew Crawford, Sovereign by Alex Payne, and conversations with @shevski, @konklone, and @GregElin.

Mail-in-a-Box is similar to iRedMail and Modoboa.

The History

In 2007 I wrote a relatively popular Mozilla Thunderbird extension that added client-side SPF and DKIM checks to mail to warn users about possible phishing: add-on page, source.
Mail-in-a-Box was a semifinalist in the 2014 Knight News Challenge, but it was not selected as a winner.
Mail-in-a-Box hit the front page of Hacker News in April and September 2014.