Commit graph

2302 commits

Author SHA1 Message Date
David
3018cdd698
v0.54.POWER.0 2021-06-28 00:17:23 +01:00
David
edfb1cf623
Resolve dovecot deprecations 2021-06-27 23:11:24 +01:00
David
d0b5794588
New version notice - point to the correct page 2021-06-27 22:26:19 +01:00
David
afe7123f70
Merge v0.54 from upstream 2021-06-27 22:24:26 +01:00
Joshua Tauberer
4cb46ea465 v0.54 2021-06-20 15:50:04 -04:00
David Duque
9f9eb920b3
v0.53.POWER.2 2021-05-16 23:20:55 +01:00
David Duque
217b0b51ff
Bad bootstrap script, fixing! 2021-05-16 23:20:20 +01:00
David Duque
f382a55a0a
v0.53.POWER.1 2021-05-16 21:41:37 +01:00
David Duque
483817440e
Fetch updates from upstream 2021-05-16 21:18:40 +01:00
Joshua Tauberer
35fa3fe891 Changelog entries 2021-05-15 16:50:19 -04:00
Joshua Tauberer
d510c8ae2a Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)
Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2021-05-15 16:42:14 -04:00
Joshua Tauberer
e283a12047 Add null SPF, DMARC, and MX records for automatically generated autoconfig, autodiscover, and mta-sts subdomains; add null MX records for custom A-record subdomains
All A/AAAA-resolvable domains that don't send or receive mail should have these null records.

This simplifies the handling of domains a bit by handling automatically generated subdomains more like other domains.
2021-05-15 16:42:14 -04:00
Joshua Tauberer
e421addf1c Pre-load domain purpopses when building DNS zonefiles rather than querying mail domains at each subdomain 2021-05-09 08:16:07 -04:00
Joshua Tauberer
354a774989 Remove a debug line added in 8cda58fb 2021-05-09 07:34:44 -04:00
Joshua Tauberer
aaa81ec879 Fix indentation issue in bc4ae51c2d 2021-05-08 09:06:18 -04:00
Joshua Tauberer
dbd6dae5ce Fix exit status issue cased by 69fc2fdd 2021-05-08 09:02:48 -04:00
John @ S4
d4c5872547
Make clear that non-AWS S3 backups are supported (#1947)
Just a few wording changes to show that it is possible to make S3 backups to other services than AWS - prompted by a thread on MIAB discourse.
2021-05-08 08:32:58 -04:00
Thomas Urban
3701e05d92
Rewrite envelope from address in sieve forwards (#1949)
Fixes #1946.
2021-05-08 08:30:53 -04:00
Hala Alajlan
bc4ae51c2d
Handle query dns timeout unhandled error (#1950)
Co-authored-by: hala alajlan <halalajlan@gmail.com>
2021-05-08 08:26:40 -04:00
Jawad Seddar
12aaebfc54
custom.yaml: add support for X-Frame-Options header and proxy_redirect off (#1954) 2021-05-08 08:25:33 -04:00
jvolkenant
49813534bd
Updated Nextcloud to 20.0.8, contacts to 3.5.1, calendar to 2.2.0 (#1960) 2021-05-08 08:24:04 -04:00
jvolkenant
16e81e1439
Fix to allow for non forced "enforce" MTA_STS_MODE (#1970) 2021-05-08 08:18:49 -04:00
Joshua Tauberer
b7b67e31b7 Merged point release branch for v0.53a
Changed the Z-Push download URL.
2021-05-08 08:14:39 -04:00
Joshua Tauberer
2e7f2835e7 v0.53a 2021-05-08 08:13:37 -04:00
Joshua Tauberer
8a5f9f464a Download Z-Push from alternate site
The old server has been down for a few days.

Solution from https://discourse.mailinabox.email/t/temporary-fix-for-failed-wget-o-tmp-z-push-zip-https-stash-z-hub-io/8028. Fixes #1974.
2021-05-08 07:59:53 -04:00
Joshua Tauberer
69fc2fdd3a Hide spurrious Nextcloud setup output 2021-05-03 19:41:00 -04:00
Joshua Tauberer
9b07d86bf7 Use $(...) notation instead of legacy backtick notation for embedded shell commands
shellcheck reported

    SC2006: Use $(...) notation instead of legacy backticked `...`.

Fixed by applying shellcheck's diff output as a patch.
2021-05-03 19:28:23 -04:00
Joshua Tauberer
ae3feebd80 Fix warnings reported by shellcheck
* SC2068: Double quote array expansions to avoid re-splitting elements.
* SC2186: tempfile is deprecated. Use mktemp instead.
* SC2124: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
* SC2102: Ranges can only match single chars (mentioned due to duplicates).
* SC2005: Useless echo? Instead of 'echo $(cmd)', just use 'cmd'.
2021-05-03 19:25:09 -04:00
Joshua Tauberer
2c295bcafd Upgrade the Roundcube persistent login cookie encryption to AES-256-CBC and increase the key length accordingly
This change will force everyone to be logged out of Roundcube since the encryption key and cipher won't match anyone's already-set cookie, but this happens anyway after every Mail-in-a-Box update since we generate a new key each time already.

Fixes #1968.
2021-04-23 17:04:56 -04:00
David Duque
9f13ee6d55
v0.53.POWER.0 2021-04-13 23:02:08 +01:00
David Duque
40babe3e03
do_web_update: Order the domains in some way before writing to the nginx local.conf 2021-04-13 23:01:18 +01:00
David Duque
b9bdf50628
Merge v0.53 from upstream 2021-04-13 16:35:02 +01:00
Joshua Tauberer
8cda58fb22 Speed up status checks a bit by removing a redundant check if the PRIMARY_HOSTNAME certificate is signed and valid 2021-04-12 19:42:12 -04:00
Joshua Tauberer
178c587654 Migrate to the ECDSAP256SHA256 (13) DNSSEC algorithm
* Stop generating RSASHA1-NSEC3-SHA1 keys on new installs since it is no longer recommended, but preserve the key on existing installs so that we continue to sign zones with existing keys to retain the chain of trust with existing DS records.
* Start generating ECDSAP256SHA256 keys during setup, the current best practice (in addition to RSASHA256 which is also ok). See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 and https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/.
* Sign zones using all available keys rather than choosing just one based on the TLD to enable rotation/migration to the new key and to give the user some options since not every registrar/TLD supports every algorithm.
* Allow a user to drop a key from signing specific domains using DOMAINS= in our key configuration file. Signing the zones with extraneous keys may increase the size of DNS responses, which isn't ideal, although I don't know if this is a problem in practice. (Although a user can delete the RSASHA1-NSEC3-SHA1 key file, the other keys will be re-generated on upgrade.)
* When generating zonefiles, add a hash of all of the DNSSEC signing keys so that when the keys change the zone is definitely regenerated and re-signed.
* In status checks, if DNSSEC is not active (or not valid), offer to use all of the keys that have been generated (for RSASHA1-NSEC3-SHA1 on existing installs, RSASHA256, and now ECDSAP256SHA256) with all digest types, since not all registers support everything, but list them in an order that guides users to the best practice.
* In status checks, if the deployed DS record doesn't use a ECDSAP256SHA256 key, prompt the user to update their DS record.
* In status checks, if multiple DS records are set, only fail if none are valid. If some use ECDSAP256SHA256 and some don't, remind the user to delete the DS records that don't.
* Don't fail if the DS record uses the SHA384 digest (by pre-generating a DS record with that digest type) but don't recommend it because it is not in the IANA mandatory list yet (https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml).

See #1953
2021-04-12 19:42:12 -04:00
Joshua Tauberer
34569d24a9 v0.53 2021-04-11 12:45:37 -04:00
David Duque
a3851bd6be
v0.52.POWER.3 2021-03-30 20:34:27 +01:00
David Duque
f4df9a5e1a
When updating, kickoff the database again so that the noreply address is added 2021-03-30 20:32:56 +01:00
David Duque
c2f627ea82
update_wkd(): Return 'OK' at the end 2021-03-30 20:32:01 +01:00
David Duque
5e20a00e25
v0.52.POWER.2 2021-03-30 20:09:01 +01:00
David Duque
103ff39500
get_web_domains(): Only return www redirects when asked to (include_www_redirects) 2021-03-30 20:01:46 +01:00
David Duque
aa41702825
When creating reports, do not output the number of days until the key expires 2021-03-30 16:23:08 +01:00
David Duque
a2193289e2
Merge jrsupplee's quota fork 2021-03-30 13:09:35 +01:00
David Duque
aa0da22614
Add a nice welcome page 2021-03-30 01:35:16 +01:00
David Duque
071002b755
Changes to the noreply-daemon key 2021-03-30 00:14:00 +01:00
David Duque
127629611b
Force WKD rebuild when importing or deleting keys 2021-03-29 17:54:58 +01:00
David Duque
c260e164eb
Remove print() calls 2021-03-29 17:54:24 +01:00
David Duque
c25a935f2b
strip_and_export(): Parse key contents to determine id's to exclude 2021-03-29 17:14:44 +01:00
David Duque
013f6f2ed1
Don't calculate uidlists when parsing the list, as they're not ordered accurately 2021-03-29 16:32:47 +01:00
David Duque
0f5a5bfbb1
Handle 'KEYEXPIRED' warnings 2021-03-29 16:25:50 +01:00
David Duque
200aefee00
Add data sink to the fork_context decorator 2021-03-29 16:23:42 +01:00