- 05 Nov, 2015 1 commit
-
-
Joshua Tauberer authored
-
- 04 Nov, 2015 1 commit
-
-
Joshua Tauberer authored
v0.14 (November 4, 2015)
------------------------

Mail:

* Spamassassin's network-based tests (Pyzor, others) and DKIM tests are now enabled. (Pyzor had always been installed but was not active due to a misconfiguration.)
* Moving spam out of the Spam folder and into Trash would incorrectly train Spamassassin that those messages were not spam.
* Automatically create the Sent and Archive folders for new users.
* The HTML5_Notifier plugin for Roundcube is now included, which when turned on in Roundcube settings provides desktop notifications for new mail.
* The Exchange/ActiveSync backend Z-Push has been updated to fix a problem with CC'd emails not being sent to the CC recipients.

Calendar/Contacts:

* CalDAV/CardDAV and Exchange/ActiveSync for calendar/contacts wasn't working in some network configurations.

Web:

* When a new domain is added to the box, rather than applying a new self-signed certificate for that domain, the SSL certificate for the box's primary hostname will be used instead.
* If a custom DNS record is set on a domain or 'www'+domain, web would not be served for that domain. If the custom DNS record is just the box's IP address, that's a configuration mistake, but allow it and let web continue to be served.
* Accommodate really long domain names by increasing an nginx setting.

Control panel:

* Added an option to check for new Mail-in-a-Box versions within status checks. It is off by default so that boxes don't "phone home" without permission.
* Added a random password generator on the users page to simplify creating new accounts.
* When S3 backup credentials are set, the credentials are now no longer ever sent back from the box to the client, for better security.
* Fixed the jumpiness when a modal is displayed.
* Focus is put into the login form fields when the login form is displayed.
* Status checks now include a warning if a custom DNS record has been set on a domain that would normally serve web and as a result that domain no longer is serving web.
* Status checks now check that secondary nameservers, if specified, are actually serving the domains.
* Some errors in the control panel when there is invalid data in the database or an improperly named archived user account have been suppressed.
* Added subresource integrity attributes to all remotely-sourced resources (i.e. via CDNs) to guard against CDNs being used as an attack vector.

System:

* Tweaks to fail2ban settings.
* Fixed a spurious warning while installing munin.
-
- 03 Nov, 2015 2 commits
-
-
Joshua Tauberer authored
...but then also have to compare against the intended IP address, which might have a custom override, see #582
-
Joshua Tauberer authored
secondary NS status checks in 3b91bc2c should not be skipped if the target IP address has been modified by a custom record

see #582
-
- 01 Nov, 2015 1 commit
-
-
Joshua Tauberer authored
-
- 31 Oct, 2015 6 commits
-
-
Joshua Tauberer authored
-
Joshua Tauberer authored
bump HTML5_Notifier version, include its version in the check for whether we need to update Roundcube
-
Joshua Tauberer authored
Merge branch 'patch-1' of https://github.com/Hoekynl/mailinabox
-
Joshua Tauberer authored
Added wosign as a suggested free SSL provider.
-
Joshua Tauberer authored
Update z-push to latest version
-
Michael Kroes authored
-
- 27 Oct, 2015 4 commits
-
-
Michael Kroes authored
-
Joshua Tauberer authored
For a new user create the archive folder
-
Michael Kroes authored
-
Michael Kroes authored
-
- 25 Oct, 2015 4 commits
-
-
Michael Kroes authored
-
Michael Kroes authored
-
Michael Kroes authored
-
Michael Kroes authored
-
- 24 Oct, 2015 1 commit
-
-
Joshua Tauberer authored
nginx-ssl.conf changes were partially incorrect, partial revert of 834c42bc

My own /etc/nginx/nginx.conf was messed up, so what I thought were Ubuntu 14.04 defaults weren't, and we lost the ssl_protocols and ssl_prefer_server_ciphers settings. This puts those back.

https://discourse.mailinabox.email/t/dev-master-version-reported-as-poodle-attack-vulnerable-by-ssllabs/898
-
- 22 Oct, 2015 2 commits
-
-
Joshua Tauberer authored
-
Joshua Tauberer authored
-
- 18 Oct, 2015 2 commits
-
-
Joshua Tauberer authored
-
Joshua Tauberer authored
let dovecot automatically create mailbox folders rather than doing it manually in the management daemon, fixes #554
-
- 12 Oct, 2015 2 commits
-
-
Joshua Tauberer authored
Added 'Sent' folder when creating user.
-
Peter Timofejew authored
-
- 11 Oct, 2015 1 commit
-
-
X O authored
-
- 10 Oct, 2015 1 commit
-
-
Joshua Tauberer authored
-
- 08 Oct, 2015 1 commit
-
-
Joshua Tauberer authored
an earlier problem about --upgrade (de34d0d3) seemed to be just a local problem on my box, so going back to unpinned >= requirement specs

https://discourse.mailinabox.email/t/upgrade-to-v0-13b-broke-admin/876
-
- 27 Sep, 2015 1 commit
-
-
Joshua Tauberer authored
-
- 18 Sep, 2015 3 commits
-
-
Joshua Tauberer authored
use subresource integrity attributes to guard against CDNs being used as an attack vector; drop external resources that we can't protect this way (fonts); fixes #234
-
Joshua Tauberer authored
choose the best SSL cert from among the installed certificates; use the server certificate instead of self-signed certificates

For HTTPS for the non-primary domains, instead of selecting an SSL certificate by expecting it to be in a directory named after the domain name (with special-case lookups for www domains, and reusing the server certificate where possible), now scan all of the certificates that have been installed and just pick the best to use for each domain.

If no certificate is available, don't create a self-signed certificate anymore. This wasn't ever really necessary. Instead just use the server certificate.
-
Joshua Tauberer authored
-
- 08 Sep, 2015 1 commit
-
-
Joshua Tauberer authored
let the HSTS header be controlled by the management daemon so some domains can choose to enable preload
-
- 07 Sep, 2015 3 commits
-
-
Joshua Tauberer authored
Revert two FAIL2BAN SSH jail changes
-
anoma authored
I propose that the default 600s/10minute find time is a better test duration for this ban. The altered 120s findtime sounds reasonable until you consider that attackers can simply throttle to 3 attempts per minute and never be banned. The remaining non default jail settings of maxretry = 7 and bantime = 3600 I believe are good.
-
anoma authored
-
- 06 Sep, 2015 3 commits
-
-
Joshua Tauberer authored
-
Joshua Tauberer authored
see #531
-
Hoekynl authored
Removed :$HTML5_NOTIFIER_VERSION, which breaks it
-