Merge from main

README.md

@@ -1,5 +1,5 @@
 # Power Mail-in-a-Box
-**[Installation](#installation)** (current version: v56.1)
+**[Installation](#installation)** (current version: v56.2)
 
 Power Mail-in-a-Box (a fork of [Mail-in-a-Box](https://mailinabox.email/)) is a complete pre-configured mail appliance, quickly deployable in a matter of minutes.
 
@@ -17,7 +17,7 @@ It's main difference to the main project is focused on ad-hoc, advanced features
 
 ## Goals
 - **Easy of use** - deployment shouldn't take too many technical details to understand. Power Mail-in-a-Box already comes with default configurations which should be good for most users.
-- **Privacy, security and independence** - keeping your mail safe from the big companies.
+- **Privacy, security and independence** - keeping your mail and data safe from advertisers and prying eyes.
 - **Accessible customizability** - bring the features closer to the people instead of tucking them away in configuration files.
 - **Customizability potential** - allow for deep customization by power users.
 - **Concentration** - all the services you need in just one box.

api/mailinabox.yml

@@ -15,7 +15,7 @@ info:
   license:
     name: CC0 1.0 Universal
     url: https://creativecommons.org/publicdomain/zero/1.0/legalcode
-  version: 56.1
+  version: 56.2
   x-logo:
     url: https://mailinabox.email/static/logo.png
     altText: Mail-in-a-Box logo

management/daemon.py

@@ -855,6 +855,7 @@ def smtp_relay_get():
 		"port": config.get("SMTP_RELAY_PORT", None),
 		"user": config.get("SMTP_RELAY_USER", ""),
 		"authorized_servers": config.get("SMTP_RELAY_AUTHORIZED_SERVERS", []),
+		"spf_record": config.get("SMTP_RELAY_SPF_RECORD", None),
 		"dkim_selector": config.get("SMTP_RELAY_DKIM_SELECTOR", None),
 		"dkim_rr": dkim_rrtxt
 	}
@@ -879,28 +880,24 @@ def smtp_relay_set():
 		config["SMTP_RELAY_DKIM_RR"] = None
 	elif re.fullmatch(r"[a-z\d\._]+", sel.strip()) is None:
 		return ("The DKIM selector is invalid!", 400)
-	elif sel.strip() == config.get("local_dkim_selector", "mail"):
-		return (
-			f"The DKIM selector {sel.strip()} is already in use by the box!",
-			400)
-	else:
-		# DKIM selector looks good, try processing the RR
-		rr = newconf.get("dkim_rr", "")
-		if rr.strip() == "":
-			return ("Cannot publish a selector with an empty key!", 400)
 
-		components = {}
-		for r in re.split(r"[;\s]+", rr):
-			sp = re.split(r"\=", r)
-			if len(sp) != 2:
-				return ("DKIM public key RR is malformed!", 400)
-			components[sp[0]] = sp[1]
+	# DKIM selector looks good, try processing the RR
+	rr = newconf.get("dkim_rr", "")
+	if rr.strip() == "":
+		return ("Cannot publish a selector with an empty key!", 400)
 
-		if not components.get("p"):
-			return ("The DKIM public key doesn't exist!", 400)
+	components = {}
+	for r in re.split(r"[;\s]+", rr):
+		sp = re.split(r"\=", r)
+		if len(sp) != 2:
+			return ("DKIM public key RR is malformed!", 400)
+		components[sp[0]] = sp[1]
 
-		config["SMTP_RELAY_DKIM_SELECTOR"] = sel
-		config["SMTP_RELAY_DKIM_RR"] = components
+	if not components.get("p"):
+		return ("The DKIM public key doesn't exist!", 400)
+
+	config["SMTP_RELAY_DKIM_SELECTOR"] = sel
+	config["SMTP_RELAY_DKIM_RR"] = components
 
 	relay_on = False
 	implicit_tls = False
@@ -942,16 +939,13 @@ def smtp_relay_set():
 
 	try:
 		# Write on daemon settings
+		config["local_dkim_selector"] = "mailorigin" if relay_on and sel == "mail" else "mail"
 		config["SMTP_RELAY_ENABLED"] = relay_on
 		config["SMTP_RELAY_HOST"] = newconf.get("host")
 		config["SMTP_RELAY_PORT"] = int(newconf.get("port"))
 		config["SMTP_RELAY_USER"] = newconf.get("user")
-		config["SMTP_RELAY_AUTHORIZED_SERVERS"] = [
-			s.strip()
-			for s in re.split(r"[, ]+",
-							newconf.get("authorized_servers", []) or "")
-			if s.strip() != ""
-		]
+		config["SMTP_RELAY_AUTHORIZED_SERVERS"] = [s.strip() for s in re.split(r"[, ]+", newconf.get("authorized_servers", []) or "") if s.strip() != ""]
+		config["SMTP_RELAY_SPF_RECORD"] = newconf.get("spf_record")
 		utils.write_settings(config, env)
 
 		# Write on Postfix configs

management/dns_update.py

@@ -200,7 +200,8 @@ def build_zone(domain,
 	# Are there any other authorized servers for this domain?
 	settings = load_settings(env)
 	spf_extra = None
-	if settings.get("SMTP_RELAY_ENABLED", False):
+	relay_on = settings.get("SMTP_RELAY_ENABLED", False)
+	if relay_on:
 		spf_extra = ""
 		# Convert settings to spf elements
 		for r in settings.get("SMTP_RELAY_AUTHORIZED_SERVERS", []):
@@ -396,16 +397,12 @@ def build_zone(domain,
 		# the domain, and no one else (unless the user is using an SMTP relay and authorized other servers).
 		# Skip if the user has set a custom SPF record.
 		if not has_rec(None, "TXT", prefix="v=spf1 "):
-			if spf_extra is None:
-				records.append((
-					None, "TXT", 'v=spf1 mx -all',
-					"Recommended. Specifies that only the box is permitted to send @%s mail."
-					% domain, None))
+			if settings.get("SMTP_RELAY_SPF_RECORD", "").strip() != "" and relay_on:
+				records.append((None, "TXT", settings.get("SMTP_RELAY_SPF_RECORD"), "Added by your SMTP Relay provider so that they can send @%s mail on your behalf." % domain, None))
+			elif spf_extra is None:
+				records.append((None, "TXT", "v=spf1 mx -all", "Recommended. Specifies that only the box is permitted to send @%s mail." % domain, None))
 			else:
-				records.append((
-					None, "TXT", f'v=spf1 mx {spf_extra}-all',
-					"Recommended. Specifies that only the box and the server(s) you authorized are permitted to send @%s mail."
-					% domain, None))
+				records.append((None, "TXT", f"v=spf1 mx {spf_extra}-all", "Recommended. Specifies that only the box and the server(s) you authorized are permitted to send @%s mail." % domain, None))
 
 		# Append the DKIM TXT record to the zone as generated by OpenDKIM.
 		# Skip if the user has set a DKIM record already.
@@ -427,7 +424,7 @@ def build_zone(domain,
 		# Skip if manually set by the user.
 		relay_ds = settings.get("SMTP_RELAY_DKIM_SELECTOR")
 		rr = settings.get("SMTP_RELAY_DKIM_RR", {})
-		if relay_ds is not None and not has_rec(
+		if relay_on and relay_ds is not None and not has_rec(
 			f"{relay_ds}._domainkey", "TXT",
 			prefix="v=DKIM1; ") and rr.get("p") is not None:
 			dkim_rrtxt = ""

management/templates/smtp-relays.html

@@ -72,7 +72,7 @@
 				placeholder="mail1.example.net mail2.example.net">
 			<p class="small">You can separate multiple servers with commas or spaces. You can also add IP addresses or
 				subnets using <code>10.20.30.40</code> or <code>10.0.0.0/8</code>. You can "import" SPF records using
-				<code>spf:example.com</code>.
+				<code>spf:example.com</code>. If your provider gave you an SPF record to add to your DNS, you can also paste it here.
 			</p>
 		</div>
 
@@ -98,7 +98,7 @@
 
 		<h3>After configuration</h3>
 		<p>By that time you should be good to go. If your relay provider provides their own custom DNS verification
-			methods, feel free to publish them on DNS.</p>
+			methods (<b>including custom DMARC configurations</b>), feel free to publish them on DNS.</p>
 	</form>
 </div>
 
@@ -145,9 +145,13 @@
 				relay_auth_pass.value = ""
 				relay_authorized_servers.value = ""
 
-				data.authorized_servers.forEach(element => {
-					relay_authorized_servers.value += `${element} `
-				});
+				if (data.spf_record) {
+					relay_authorized_servers.value = data.spf_record
+				}else if (data.authorized_servers) {
+					data.authorized_servers.forEach(element => {
+						relay_authorized_servers.value += `${element} `
+					});
+				}
 
 				if (data.dkim_selector) {
 					relay_dkim_sel.value = data.dkim_selector
@@ -160,19 +164,25 @@
 	}
 
 	function set_smtp_relay_config() {
+		let relay_configuration = {
+			enabled: use_relay.checked,
+			host: relay_host.value,
+			port: relay_port.value,
+			user: relay_auth_user.value,
+			key: relay_auth_pass.value,
+			dkim_selector: relay_dkim_sel.value,
+			dkim_rr: relay_dkim_key.value
+		}
+		if (relay_authorized_servers.value.substr(0, 7) === "v=spf1 ") {
+			relay_configuration.spf_record = relay_authorized_servers.value
+		} else {
+			relay_configuration.authorized_servers = relay_authorized_servers.value
+		}
+
 		api(
 			"/system/smtp/relay",
 			"POST",
-			{
-				enabled: use_relay.checked,
-				host: relay_host.value,
-				port: relay_port.value,
-				user: relay_auth_user.value,
-				key: relay_auth_pass.value,
-				authorized_servers: relay_authorized_servers.value,
-				dkim_selector: relay_dkim_sel.value,
-				dkim_rr: relay_dkim_key.value
-			},
+			relay_configuration,
 			() => {
 				show_modal_error("Done!", "The configuration has been updated and Postfix was restarted successfully. Please make sure everything is functioning as intended.", () => {
 					return false

setup/bootstrap.sh

@@ -35,7 +35,7 @@ if [ -z "$TAG" ]; then
 		[ "$OS" == "Debian GNU/Linux 11 (bullseye)" ] ||
 		[ "$(echo $OS | grep -o 'Ubuntu 20.04')" == "Ubuntu 20.04" ]
 	then
-		TAG=v56.1
+		TAG=v56.2
 	else
 		echo "This script must be run on a system running one of the following OS-es:"
 		echo "* Debian 10 (buster)"

setup/mail-postfix.sh

@@ -42,7 +42,7 @@ source /etc/mailinabox.conf # load global vars
 # * `ca-certificates`: A trust store used to squelch postfix warnings about
 #   untrusted opportunistically-encrypted connections.
 echo "Installing Postfix (SMTP server)..."
-apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates
+apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates libsasl2-modules
 
 # ### Basic Settings
 
@@ -58,7 +58,7 @@ management/editconf.py /etc/postfix/main.cf \
 	smtp_bind_address=$PRIVATE_IP \
 	smtp_bind_address6=$PRIVATE_IPV6 \
 	myhostname=$PRIMARY_HOSTNAME\
-	smtpd_banner="\$myhostname ESMTP Hi, I'm a Power Mail-in-a-Box (Debian/Postfix)" \
+	smtpd_banner="\$myhostname ESMTP Power Mail-in-a-Box (Postfix)" \
 	mydestination=localhost
 
 # Tweak some queue settings:
@@ -122,7 +122,7 @@ sed -i "s/PUBLIC_IP/$PUBLIC_IP/" /etc/postfix/outgoing_mail_header_filters
 #   the world are very far behind and if we disable too much, they may not be able to use TLS and
 #   won't fall back to cleartext. So we don't disable too much. smtpd_tls_exclude_ciphers applies to
 #   both port 25 and port 587, but because we override the cipher list for both, it probably isn't used.
-#   Use Mozilla's "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1
+#   Use Mozilla's "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=old&openssl=1.1.1&guideline=5.6
 management/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_security_level=may\
 	smtpd_tls_auth_only=yes \
@@ -132,8 +132,8 @@ management/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_protocols="!SSLv2,!SSLv3" \
 	smtpd_tls_ciphers=medium \
 	tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \
-	smtpd_tls_exclude_ciphers=aNULL,RC4 \
-	tls_preempt_cipherlist=no \
+	smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 \
+	tls_preempt_cipherlist=yes \
 	smtpd_tls_received_header=yes
 
 # For ports 465/587 (via the 'mandatory' settings):

setup/nextcloud.sh

@@ -33,10 +33,10 @@ nextcloud_hash=92cac708915f51ee2afc1787fd845476fd090c81
 #   https://github.com/nextcloud/user_external/blob/master/appinfo/info.xml
 # * The hash is the SHA1 hash of the ZIP package, which you can find by just running this script and
 #   copying it from the error message when it doesn't match what is below.
-contacts_ver=4.0.7
-contacts_hash=8ab31d205408e4f12067d8a4daa3595d46b513e3
-calendar_ver=3.0.5
-calendar_hash=bbbb0f117fcdd2dbd2daa1d456b43dc534cec72f
+contacts_ver=4.0.8
+contacts_hash=9f368bb2be98c5555b7118648f4cc9fa51e8cb30
+calendar_ver=3.0.6
+calendar_hash=ca49bb1ce23f20e10911e39055fd59d7f7a84c30
 user_external_ver=1.0.0
 user_external_hash=3bf2609061d7214e7f0f69dd8883e55c4ec8f50a