minimal changeset to get things working on 18.04

@joshdata squashed pull request #1398, removed some comments, and added these notes: * The old init.d script for the management daemon is replaced with a systemd service. * A systemd service configuration is added to configure permissions for munin on startup. * nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2. * Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config. * The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04. * The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders. * Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing. * Other minor changes.
2018-07-07 18:41:41 +00:00 · 2018-07-07 18:41:41 +00:00 · d96613b8fe
commit d96613b8fe
parent 504a9b0abc
20 changed files with 101 additions and 412 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,10 +1,13 @@
 CHANGELOG
 =========
 This branch supports Ubuntu 18.04 **only**. When upgrading, **always** upgrade your **existing** Ubuntu 14.04 machine to version the latest release supporting Ubuntu 14.04 --- v0.28. If you are running an older version of Mail-in-a-Box which has an old version of ownCloud or Nextcloud, you will *not* be able to upgrade your data because older versions of ownCloud and Nextcloud that are required to perform the upgrade *cannot* be run on Ubuntu 18.04.
 In Development
 --------------
 * Starting with v0.28, TLS certificate provisioning wouldn't work on new boxes until the mailinabox setup command was run a second time because of a problem with the non-interactive setup.
 * Update to Nextcloud 13.0.5.
 * Update to Roundcube 1.3.7.
 * Update to Z-Push 2.4.4.
--- a/9
+++ b/9
@ -2,14 +2,7 @@
 # vi: set ft=ruby :
 Vagrant.configure("2") do |config|
-  config.vm.box = "ubuntu14.04"
+  config.vm.box = "ubuntu/bionic64"
  config.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box"
  if Vagrant.has_plugin?("vagrant-cachier")
    # Configure cached packages to be shared between instances of the same base box.
    # More info on http://fgrehm.viewdocs.io/vagrant-cachier/usage
    config.cache.scope = :box
  end
  # Network config: Since it's a mail server, the machine must be connected
  # to the public web. However, we currently don't want to expose SSH since
--- a/conf/mailinabox.service
+++ b/conf/mailinabox.service
@ -0,0 +1,10 @@
 [Unit]
 Description=Mail-in-a-Box System Management Service
 After=multi-user.target
 [Service]
 Type=idle
 ExecStart=/usr/local/lib/mailinabox/start
 [Install]
 WantedBy=multi-user.target
--- a/conf/management-initscript
+++ b/conf/management-initscript
@ -1,135 +0,0 @@
 #! /bin/sh
 ### BEGIN INIT INFO
 # Provides:          mailinabox
 # Required-Start:    $all
 # Required-Stop:     $all
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Start and stop the Mail-in-a-Box management daemon.
 # Description:       Start and stop the Mail-in-a-Box management daemon.
 ### END INIT INFO
 # Adapted from http://blog.codefront.net/2007/06/11/nginx-php-and-a-php-fastcgi-daemon-init-script/
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 DESC="Mail-in-a-Box Management Daemon"
 NAME=mailinabox
 DAEMON=/usr/local/lib/mailinabox/start
 PIDFILE=/var/run/$NAME.pid
 SCRIPTNAME=/etc/init.d/$NAME
 # Exit if the package is not installed
 [ -x "$DAEMON" ] || exit 0
 # Set defaults.
 START=yes
 EXEC_AS_USER=root
 # Ensure Python reads/writes files in UTF-8. If the machine
 # triggers some other locale in Python, like ASCII encoding,
 # Python may not be able to read/write files. Set also
 # setup/start.sh (where the locale is also installed if not
 # already present) and management/daily_tasks.sh.
 export LANGUAGE=en_US.UTF-8
 export LC_ALL=en_US.UTF-8
 export LANG=en_US.UTF-8
 export LC_TYPE=en_US.UTF-8
 # Read configuration variable file if it is present
 [ -r /etc/default/$NAME ] && . /etc/default/$NAME
 # Load the VERBOSE setting and other rcS variables
 . /lib/init/vars.sh
 # Define LSB log_* functions.
 # Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
 . /lib/lsb/init-functions
 # If the daemon is not enabled, give the user a warning and then exit,
 # unless we are stopping the daemon
 if [ "$START" != "yes" -a "$1" != "stop" ]; then
        log_warning_msg "To enable $NAME, edit /etc/default/$NAME and set START=yes"
        exit 0
 fi
 # Process configuration
 #export ...
 DAEMON_ARGS=""
 do_start()
 {
        # Return
        #   0 if daemon has been started
        #   1 if daemon was already running
        #   2 if daemon could not be started
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
                || return 1
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \
                --background --make-pidfile --chuid $EXEC_AS_USER --startas $DAEMON -- \
                $DAEMON_ARGS \
                || return 2
 }
 do_stop()
 {
        # Return
        #   0 if daemon has been stopped
        #   1 if daemon was already stopped
        #   2 if daemon could not be stopped
        #   other if a failure occurred
        start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE > /dev/null # --name $DAEMON
        RETVAL="$?"
        [ "$RETVAL" = 2 ] && return 2
        # Wait for children to finish too if this is a daemon that forks
        # and if the daemon is only ever run from this initscript.
        # If the above conditions are not satisfied then add some other code
        # that waits for the process to drop all resources that could be
        # needed by services started subsequently.  A last resort is to
        # sleep for some time.
        start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
        [ "$?" = 2 ] && return 2
        # Many daemons don't delete their pidfiles when they exit.
        rm -f $PIDFILE
        return "$RETVAL"
 }
 case "$1" in
  start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_start
        case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
  stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
  restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        case "$?" in
          0|1)
                do_start
                case "$?" in
                        0) log_end_msg 0 ;;
                        1) log_end_msg 1 ;; # Old process is still running
                        *) log_end_msg 1 ;; # Failed to start
                esac
                ;;
          *)
                # Failed to stop
                log_end_msg 1
                ;;
        esac
        ;;
  *)
        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
 esac
--- a/conf/munin.service
+++ b/conf/munin.service
@ -0,0 +1,10 @@
 [Unit]
 Description=Munin System Monitoring Startup Script
 After=multi-user.target
 [Service]
 Type=idle
 ExecStart=/usr/local/lib/mailinabox/munin_start.sh
 [Install]
 WantedBy=multi-user.target
--- a/conf/nginx-ssl.conf
+++ b/conf/nginx-ssl.conf
@ -1,76 +1,20 @@
-# from https://gist.github.com/konklone/6532544 and https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# We track the Mozilla "intermediate" compatibility TLS recommendations.
-###################################################################################################################
+# Note that these settings are repeated in the SMTP and IMAP configuration.
 # Basically the nginx configuration I use at konklone.com. 
 # I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
 #
 # To provide feedback, please tweet at @konklone or email eric@konklone.com.
 # Comments on gists don't notify the author. 
 # 
 # Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
 # Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.
 # Path to certificate and private key.
 # The .crt may omit the root CA cert, if it's a standard CA that ships with clients.
 #ssl_certificate /path/to/unified.crt;
 #ssl_certificate_key /path/to/my-private-decrypted.key;
 # Tell browsers to require SSL (warning: difficult to change your mind)
 # Handled by the management daemon because we can toggle this version or a
 # preload version.
 #add_header Strict-Transport-Security max-age=31536000;
 # Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
 # 
 # Forces forward secrecy in all browsers and clients that can use TLS,
 # but with a small exception (DES-CBC3-SHA) for IE8/XP users.
 # 
 # Reference client: https://www.ssllabs.com/ssltest/analyze.html
 ssl_prefer_server_ciphers on;
 ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 # Cut out (the old, broken) SSLv3 entirely. 
 # This **excludes IE6 users** and (apparently) Yandexbot.
 # Just comment out if you need to support IE6, bless your soul.
 ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
 # Turn on session resumption, using a cache shared across nginx processes,
 # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 1d;
 #keepalive_timeout   70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good
 # Buffer size of 1400 bytes fits in one MTU.
 # nginx 1.5.9+ ONLY
-#ssl_buffer_size 1400; 
+ssl_buffer_size 1400; 
 # SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6. 
 # 
 # BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3.
 # Disable with 0, until using a version of nginx with SPDY 4.
 spdy_headers_comp 0;
 # Now let's really get fancy, and pre-generate a 2048 bit random parameter
 # for DH elliptic curves. If not created and specified, default is only 1024 bits. 
 #
 # Generated by OpenSSL with the following command:
 #   openssl dhparam -outform pem -out dhparam2048.pem 2048
 # 
 # Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
 ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
 # OCSP stapling - means nginx will poll the CA for signed OCSP responses, 
 # and send them to clients so clients don't make their own OCSP calls.
 # http://en.wikipedia.org/wiki/OCSP_stapling
 # 
 # while the ssl_certificate above may omit the root cert if the CA is trusted,
 # ssl_trusted_certificate below must point to a chain of **all** certs
 # in the trust path - (your cert, intermediary certs, root cert)
 #
 # 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. 
 # nginx will use them to talk to the CA.
 ssl_stapling on;
 ssl_stapling_verify on;
 resolver 127.0.0.1 valid=86400;
 resolver_timeout 10;
 # h/t https://gist.github.com/konklone/6532544
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -31,8 +31,8 @@ server {
 # The secure HTTPS server.
 server {
-	listen 443 ssl;
+	listen 443 ssl http2;
-	listen [::]:443 ssl;
+	listen [::]:443 ssl http2;
 	server_name $HOSTNAME;
--- a/management/dns_update.py
+++ b/management/dns_update.py
@ -354,19 +354,20 @@ def build_sshfp_records():
 	# Get our local fingerprints by running ssh-keyscan. The output looks
 	# like the known_hosts file: hostname, keytype, fingerprint. The order
 	# of the output is arbitrary, so sort it to prevent spurrious updates
-	# to the zone file (that trigger bumping the serial number).
+	# to the zone file (that trigger bumping the serial number). However,
-
+	# if SSH has been configured to listen on a nonstandard port, we must
-	# scan the sshd_config and find the ssh ports (port 22 may be closed)
+	# specify that port to sshkeyscan.
 	port = 22
 	with open('/etc/ssh/sshd_config', 'r') as f:
-		ports = []
+		for line in f:
-		t = f.readlines()
+			s = line.rstrip().split()
 		for line in t:
 			s = line.split()
 			if len(s) == 2 and s[0] == 'Port':
-				ports = ports + [s[1]]
+				try:
-	# the keys are the same at each port, so we only need to get
+					port = int(s[1])
-	# them at the first port found (may not be port 22)
+				except ValueError:
-	keys = shell("check_output", ["ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p", ports[0], "localhost"])
+					pass
 				break
 	keys = shell("check_output", ["ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p", str(port), "localhost"])
 	for key in sorted(keys.split("\n")):
 		if key.strip() == "" or key[0] == "#": continue
 		try:
--- a/management/munin_start.sh
+++ b/management/munin_start.sh
@ -0,0 +1,2 @@
 #!/bin/bash
 mkdir -p /var/run/munin && chown munin /var/run/munin
--- a/management/status_checks.py
+++ b/management/status_checks.py
@ -28,7 +28,6 @@ def get_services():
 		{ "name": "Spamassassin", "port": 10025, "public": False, },
 		{ "name": "OpenDKIM", "port": 8891, "public": False, },
 		{ "name": "OpenDMARC", "port": 8893, "public": False, },
 		{ "name": "Memcached", "port": 11211, "public": False, },
 		{ "name": "Mail-in-a-Box Management Daemon", "port": 10222, "public": False, },
 		{ "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, },
 		{ "name": "Public DNS (nsd4)", "port": 53, "public": True, },
--- a/setup/dkim.sh
+++ b/setup/dkim.sh
@ -21,6 +21,11 @@ mkdir -p $STORAGE_ROOT/mail/dkim
 # Not quite sure why.
 echo "127.0.0.1" > /etc/opendkim/TrustedHosts
 # We need to at least create these files, since we reference them later.
 # Otherwise, opendkim startup will fail
 touch /etc/opendkim/KeyTable
 touch /etc/opendkim/SigningTable
 if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then
 	true # already done #NODOC
 else
@ -75,6 +80,9 @@ tools/editconf.py /etc/postfix/main.cf \
 	non_smtpd_milters=\$smtpd_milters \
 	milter_default_action=accept
 # We need to explicitly enable the opendmarc service, or it will not start
 hide_output systemctl enable opendmarc
 # Restart services.
 restart_service opendkim
 restart_service opendmarc
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@ -26,7 +26,7 @@ source /etc/mailinabox.conf # load global vars
 echo "Installing Dovecot (IMAP server)..."
 apt_install \
 	dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-sqlite sqlite3 \
-	dovecot-sieve dovecot-managesieved dovecot-lucene
+	dovecot-sieve dovecot-managesieved
 # The `dovecot-imapd`, `dovecot-pop3d`, and `dovecot-lmtpd` packages automatically
 # enable IMAP, POP and LMTP protocols.
@ -112,17 +112,6 @@ tools/editconf.py /etc/dovecot/conf.d/20-imap.conf \
 tools/editconf.py /etc/dovecot/conf.d/20-pop3.conf \
 	pop3_uidl_format="%08Xu%08Xv"
 # Full Text Search - Enable full text search of mail using dovecot's lucene plugin,
 # which *we* package and distribute (dovecot-lucene package).
 tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
 	mail_plugins="\$mail_plugins fts fts_lucene"
 cat > /etc/dovecot/conf.d/90-plugin-fts.conf << EOF;
 plugin {
  fts = lucene
  fts_lucene = whitespace_chars=@.
 }
 EOF
 # ### LDA (LMTP)
 # Enable Dovecot's LDA service with the LMTP protocol. It will listen
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@ -48,9 +48,8 @@ source /etc/mailinabox.conf # load global vars
 # > Every user with more than 100’000 queries per day on the public nameserver
 # > infrastructure and every commercial vendor of dnswl.org data (eg through
 # > anti-spam solutions) must register with dnswl.org and purchase a subscription.
 echo "Installing Postfix (SMTP server)..."
-apt_install postfix postfix-pcre postgrey ca-certificates
+apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates
 # ### Basic Settings
--- a/setup/management.sh
+++ b/setup/management.sh
@ -87,16 +87,16 @@ rm -f /tmp/bootstrap.zip
 # Create an init script to start the management daemon and keep it
 # running after a reboot.
-rm -f /usr/local/bin/mailinabox-daemon # old path
+rm -f /usr/local/bin/mailinabox-daemon /etc/init.d/mailinabox # old paths
 cat > $inst_dir/start <<EOF;
 #!/bin/bash
 source $venv/bin/activate
 exec python `pwd`/management/daemon.py
 EOF
 chmod +x $inst_dir/start
-rm -f /etc/init.d/mailinabox
+hide_output systemctl link conf/mailinabox.service
-ln -s $(pwd)/conf/management-initscript /etc/init.d/mailinabox
+hide_output systemctl daemon-reload
-hide_output update-rc.d mailinabox defaults
+hide_output systemctl enable mailinabox.service
 # Remove old files we no longer use.
 rm -f /etc/cron.daily/mailinabox-backup
--- a/setup/munin.sh
+++ b/setup/munin.sh
@ -61,6 +61,14 @@ done
 # Create a 'state' directory. Not sure why we need to do this manually.
 mkdir -p /var/lib/munin-node/plugin-state/
 # Create a systemd service for munin.
 ln -sf $(pwd)/management/munin_start.sh /usr/local/lib/mailinabox/munin_start.sh
 chmod 0744 /usr/local/lib/mailinabox/munin_start.sh
 hide_output systemctl link conf/munin.service
 hide_output systemctl daemon-reload
 hide_output systemctl unmask munin.service
 hide_output systemctl enable munin.service
 # Restart services.
 restart_service munin
 restart_service munin-node
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@ -9,29 +9,11 @@ source /etc/mailinabox.conf # load global vars
 echo "Installing Nextcloud (contacts/calendar)..."
-# Keep the php5 dependancies for the owncloud upgrades
+apt-get purge -qq -y owncloud* # we used to use the package manager
 apt_install \
 	dbconfig-common \
 	php5-cli php5-sqlite php5-gd php5-imap php5-curl php-pear php-apc curl libapr1 libtool libcurl4-openssl-dev php-xml-parser \
 	php5 php5-dev php5-gd php5-fpm memcached php5-memcached
 apt-get purge -qq -y owncloud*
 apt_install php7.0 php7.0-fpm \
 	php7.0-cli php7.0-sqlite php7.0-gd php7.0-imap php7.0-curl php-pear php-apc curl \
-        php7.0-dev php7.0-gd php7.0-xml php7.0-mbstring php7.0-zip php7.0-apcu php7.0-json php7.0-intl
+    php7.0-dev php7.0-gd php7.0-xml php7.0-mbstring php7.0-zip php7.0-apcu php7.0-json php7.0-intl
 # Migrate <= v0.10 setups that stored the ownCloud config.php in /usr/local rather than
 # in STORAGE_ROOT. Move the file to STORAGE_ROOT.
 if [ ! -f $STORAGE_ROOT/owncloud/config.php ] \
 	&& [ -f /usr/local/lib/owncloud/config/config.php ]; then
 	# Move config.php and symlink back into previous location.
 	echo "Migrating owncloud/config.php to new location."
 	mv /usr/local/lib/owncloud/config/config.php $STORAGE_ROOT/owncloud/config.php \
 		&& \
 	ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
 fi
 InstallNextcloud() {
@ -93,157 +75,42 @@ InstallNextcloud() {
 	fi
 }
-# We only install ownCloud intermediate versions to be able to seemlesly upgrade to Nextcloud
+nextcloud_ver=13.0.5
-InstallOwncloud() {
+nextcloud_hash=e2b4a4bebd4fac14feae1e6e8997682f73fa8b50
-	version=$1
+# Check if Nextcloud dir exist, and check if version matches nextcloud_ver (if either doesn't - install/upgrade)
 	hash=$2
 	echo
 	echo "Upgrading to OwnCloud version $version"
 	echo
 	# Remove the current owncloud/Nextcloud
 	rm -rf /usr/local/lib/owncloud
 	# Download and verify
 	wget_verify https://download.owncloud.org/community/owncloud-$version.tar.bz2 $hash /tmp/owncloud.tar.bz2
 	# Extract ownCloud
 	tar xjf /tmp/owncloud.tar.bz2 -C /usr/local/lib
 	rm -f /tmp/owncloud.tar.bz2
 	# The two apps we actually want are not in Nextcloud core. Download the releases from
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps
 	wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz
 	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz
 	wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz
 	# Fix weird permissions.
 	chmod 750 /usr/local/lib/owncloud/{apps,config}
 	# Create a symlink to the config.php in STORAGE_ROOT (for upgrades we're restoring the symlink we previously
 	# put in, and in new installs we're creating a symlink and will create the actual config later).
 	ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
 	# Make sure permissions are correct or the upgrade step won't run.
 	# $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress
 	# that error.
 	chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
 	# If this isn't a new installation, immediately run the upgrade script.
 	# Then check for success (0=ok and 3=no upgrade needed, both are success).
 	if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then
 		# ownCloud 8.1.1 broke upgrades. It may fail on the first attempt, but
 		# that can be OK.
 		sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade
 		if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then
 			echo "Trying ownCloud upgrade again to work around ownCloud upgrade bug..."
 			sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade
 			if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
 			sudo -u www-data php5 /usr/local/lib/owncloud/occ maintenance:mode --off
 			echo "...which seemed to work."
 		fi
 	fi
 }
 owncloud_ver=13.0.5
 owncloud_hash=e2b4a4bebd4fac14feae1e6e8997682f73fa8b50
 # Check if Nextcloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade)
 if [ ! -d /usr/local/lib/owncloud/ ] \
-        || ! grep -q $owncloud_ver /usr/local/lib/owncloud/version.php; then
+		|| ! grep -q $nextcloud_ver /usr/local/lib/owncloud/version.php; then
 	# Stop php-fpm if running. If theyre not running (which happens on a previously failed install), dont bail.
 	service php7.0-fpm stop &> /dev/null || /bin/true
 	service php5-fpm stop &> /dev/null || /bin/true
 	# Backup the existing ownCloud/Nextcloud.
 	# Create a backup directory to store the current installation and database to
 	BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"`
 	mkdir -p "$BACKUP_DIRECTORY"
 	if [ -d /usr/local/lib/owncloud/ ]; then
-		echo "upgrading ownCloud/Nextcloud to $owncloud_flavor $owncloud_ver (backing up existing installation, configuration and database to directory to $BACKUP_DIRECTORY..."
+		echo "Upgrading Nextcloud --- backing up existing installation, configuration, and database to directory to $BACKUP_DIRECTORY..."
 		cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install"
 	fi
 	if [ -e /home/user-data/owncloud/owncloud.db ]; then
 		cp /home/user-data/owncloud/owncloud.db $BACKUP_DIRECTORY
-        fi
+	fi
-        if [ -e /home/user-data/owncloud/config.php ]; then
+	if [ -e /home/user-data/owncloud/config.php ]; then
-                cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY
+		cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY
-        fi
+	fi
-	# We only need to check if we do upgrades when owncloud/Nextcloud was previously installed
+	# If ownCloud or Nextcloud was previously installed....
 	if [ -e /usr/local/lib/owncloud/version.php ]; then
-		if grep -q "OC_VersionString = '8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
+		# Database migrations from ownCloud are no longer possible because ownCloud cannot be run under
-			echo "We are running 8.1.x, upgrading to 8.2.11 first"
+		# PHP 7.
-			InstallOwncloud 8.2.11 e4794938fc2f15a095018ba9d6ee18b53f6f299c
+		if grep -q "OC_VersionString = '[89]\." /usr/local/lib/owncloud/version.php; then
 			echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 8 or 9) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting."
 			exit 1
 		fi
-
+		if grep -q "OC_VersionString = '10\." /usr/local/lib/owncloud/version.php; then
-		# If we are upgrading from 8.2.x we should go to 9.0 first. Owncloud doesn't support skipping minor versions
+			echo "Upgrades from Mail-in-a-Box prior to v0.26c (dated February 13, 2018) with Nextcloud < 12.0.5 (you have ownCloud 10) are not supported. Upgrade to Mail-in-a-Box version v0.28 first. Setup aborting."
-		if grep -q "OC_VersionString = '8\.2\.[0-9]" /usr/local/lib/owncloud/version.php; then
+			exit 1
 			echo "We are running version 8.2.x, upgrading to 9.0.11 first"
 			# We need to disable memcached. The upgrade and install fails
 			# with memcached
 			CONFIG_TEMP=$(/bin/mktemp)
 			php <<EOF > $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php;
 			<?php
 				include("$STORAGE_ROOT/owncloud/config.php");
 				\$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
 				echo "<?php\n\\\$CONFIG = ";
 				var_export(\$CONFIG);
 				echo ";";
 			?>
 EOF
 			chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 			# We can now install owncloud 9.0.11
 			InstallOwncloud 9.0.11 fc8bad8a62179089bc58c406b28997fb0329337b
 			# The owncloud 9 migration doesn't migrate calendars and contacts
 			# The option to migrate these are removed in 9.1
 			# So the migrations should be done when we have 9.0 installed
 			sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-addressbooks
 			# The following migration has to be done for each owncloud user
 			for directory in $STORAGE_ROOT/owncloud/*@*/ ; do
 				username=$(basename "${directory}")
 				sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-calendar $username
 			done
 			sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:sync-birthday-calendar
 		fi
 		# If we are upgrading from 9.0.x we should go to 9.1 first.
 		if grep -q "OC_VersionString = '9\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running ownCloud 9.0.x, upgrading to ownCloud 9.1.7 first"
 			InstallOwncloud 9.1.7 1307d997d0b23dc42742d315b3e2f11423a9c808
 		fi
 		# Newer ownCloud 9.1.x versions cannot be upgraded to Nextcloud 10 and have to be
 		# upgraded to Nextcloud 11 straight away, see:
 		# https://github.com/nextcloud/server/issues/2203
 		# However, for some reason, upgrading to the latest Nextcloud 11.0.7 doesn't
 		# work either. Therefore, we're upgrading to Nextcloud 11.0.0 in the interim.
 		# This should not be a problem since we're upgrading to the latest Nextcloud 12
 		# in the next step.
 		if grep -q "OC_VersionString = '9\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running ownCloud 9.1.x, upgrading to Nextcloud 11.0.0 first"
 			InstallNextcloud 11.0.0 e8c9ebe72a4a76c047080de94743c5c11735e72e
 		fi
 		# If we are upgrading from 10.0.x we should go to Nextcloud 11.0 first.
 		if grep -q "OC_VersionString = '10\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running Nextcloud 10.0.x, upgrading to Nextcloud 11.0.7 first"
 			InstallNextcloud 11.0.7 f936ddcb2ae3dbb66ee4926eb8b2ebbddc3facbe
 		fi
 		# If we are upgrading from Nextcloud 11 we should go to Nextcloud 12 first.
@ -253,7 +120,7 @@ EOF
 		fi
 	fi
-	InstallNextcloud $owncloud_ver $owncloud_hash
+	InstallNextcloud $nextcloud_ver $nextcloud_hash
 fi
 # ### Configuring Nextcloud
@ -278,10 +145,10 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
  'overwritewebroot' => '/cloud',
  'overwrite.cli.url' => '/cloud',
  'user_backends' => array(
-    array(
+	array(
-      'class'=>'OC_User_IMAP',
+	  'class'=>'OC_User_IMAP',
-      'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}')
+	  'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}')
-    )
+	)
  ),
  'memcache.local' => '\OC\Memcache\APCu',
  'mail_smtpmode' => 'sendmail',
@ -397,7 +264,7 @@ tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \
 # Configure the path environment for php-fpm
 tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
-        env[PATH]=/usr/local/bin:/usr/bin:/bin
+		env[PATH]=/usr/local/bin:/usr/bin:/bin
 # If apc is explicitly disabled we need to enable it
 if grep -q apc.enabled=0 /etc/php/7.0/mods-available/apcu.ini; then
--- a/setup/preflight.sh
+++ b/setup/preflight.sh
@ -7,9 +7,9 @@ if [[ $EUID -ne 0 ]]; then
 	exit
 fi
-# Check that we are running on Ubuntu 14.04 LTS (or 14.04.xx).
+# Check that we are running on Ubuntu 18.04 LTS (or 18.04.xx).
-if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" != "Ubuntu 14.04 LTS" ]; then
+if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" != "Ubuntu 18.04 LTS" ]; then
-	echo "Mail-in-a-Box only supports being installed on Ubuntu 14.04, sorry. You are running:"
+	echo "Mail-in-a-Box only supports being installed on Ubuntu 18.04, sorry. You are running:"
 	echo
 	lsb_release -d | sed 's/.*:\s*//'
 	echo
--- a/setup/start.sh
+++ b/setup/start.sh
@ -106,7 +106,7 @@ source setup/dkim.sh
 source setup/spamassassin.sh
 source setup/web.sh
 source setup/webmail.sh
-source setup/owncloud.sh
+source setup/nextcloud.sh
 source setup/zpush.sh
 source setup/management.sh
 source setup/munin.sh
--- a/setup/system.sh
+++ b/setup/system.sh
@ -70,7 +70,7 @@ fi
 # ### Add PPAs.
-# We install some non-standard Ubuntu packages maintained by us and other
+# We install some non-standard Ubuntu packages maintained by other
 # third-party providers. First ensure add-apt-repository is installed.
 if [ ! -f /usr/bin/add-apt-repository ]; then
@ -79,14 +79,7 @@ if [ ! -f /usr/bin/add-apt-repository ]; then
 	apt_install software-properties-common
 fi
-# [Main-in-a-Box's own PPA](https://launchpad.net/~mail-in-a-box/+archive/ubuntu/ppa)
+# Install the certbot PPA.
 # holds several .deb packages that we built on our own.
 # One is a replacement for Ubuntu's stock postgrey package that makes
 # some enhancements. The other is dovecot-lucene, a Lucene-based full
 # text search plugin for (and by) dovecot, which is not available in
 # Ubuntu currently.
 hide_output add-apt-repository -y ppa:mail-in-a-box/ppa
 hide_output add-apt-repository -y ppa:certbot/certbot
 # ### Update Packages
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@ -25,8 +25,6 @@ apt_install \
 	php7.0-cli php7.0-sqlite php7.0-mcrypt php7.0-intl php7.0-json php7.0-common php7.0-curl \
 	php7.0-gd php7.0-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php7.0-mbstring
 apt_get_quiet remove php-mail-mimedecode # no longer needed since Roundcube 1.1.3
 # We used to install Roundcube from Ubuntu, without triggering the dependencies #NODOC
 # on Apache and MySQL, by downloading the debs and installing them manually. #NODOC
 # Now that we're beyond that, get rid of those debs before installing from source. #NODOC
		`@ -0,0 +1,2 @@`
							`#!/bin/bash`
							`mkdir -p /var/run/munin && chown munin /var/run/munin`