- 17 Jul, 2015 4 commits
-
-
Joshua Tauberer authored
-
Joshua Tauberer authored
-
Joshua Tauberer authored
hard-code pyzor sevice URL because 'pyzor discover' is failing because Sourceforge is offline, fixes #496
-
Joshua Tauberer authored
-
- 13 Jul, 2015 2 commits
-
-
Joshua Tauberer authored
Add TLSA record for SSL connections.
-
PortableTech authored
While not widely supported, there are some browser addons that can validate DNSSEC and TLSA for additional out-of-band verification of certificates when browsing the web. Costs nothing to implement and might improve security in some situations.
-
- 11 Jul, 2015 2 commits
-
-
Joshua Tauberer authored
outgoing_mail_header_filters use local hostname and ip
-
Joshua Tauberer authored
Optimise FAIL2BAN jail.local
-
- 10 Jul, 2015 3 commits
-
-
Joshua Tauberer authored
closes #476
-
Joshua Tauberer authored
-
Brian Bustin authored
-
- 09 Jul, 2015 1 commit
-
-
Joshua Tauberer authored
-
- 06 Jul, 2015 2 commits
-
-
anoma authored
Explicitly set the timings and counts for the dovecot jail rather than change the global [DEFAULT] and inherit it for this one jail. These settings are far too safe so a future PR should increase security here.
-
anoma authored
Reverts the remaining FAIL2BAN settings to default: findtime 600 and maxretry 3. As jail settings override default settings this was hardly being used anyway so it is better to explicitly set it per jail as and when required.
-
- 04 Jul, 2015 2 commits
-
-
Joshua Tauberer authored
-
Joshua Tauberer authored
setting an alias to forward to two or more addresses was broken since aa334283 fixes #482
-
- 03 Jul, 2015 4 commits
-
-
Joshua Tauberer authored
-------------------- This is a minor update to v0.11, which was a major update. Please read v0.11's advisories. * The administrator@ alias was incorrectly created starting with v0.11. If your first install was v0.11, check that the administrator@ alias forwards mail to you. * Intrusion detection rules (fail2ban) are relaxed (i.e. less is blocked). * SSL certificates could not be installed for the new automatic 'www.' redirect domains. * PHP's default character encoding is changed from no default to UTF8. The effect of this change is unclear but should prevent possible future text conversion issues. * User-installed SSL private keys in the BEGIN PRIVATE KEY format were not accepted. * SSL certificates with SAN domains with IDNA encoding were broken in v0.11. * Some IDNA functionality was using IDNA 2003 rather than IDNA 2008.
-
Joshua Tauberer authored
-
Joshua Tauberer authored
-
Joshua Tauberer authored
-
- 02 Jul, 2015 11 commits
-
-
PortableTech authored
Modify outgoing_mail_header_filters and mail-postfix.sh files to result in the primary hostname, and the public ip of the server showing in the first mail header route instead of unknown and 127.0.0.1. This could help lower the spam score of mail sent from your server to some public mail services.
-
-
Joshua Tauberer authored
update docstring to clarify usage of -c option
-
Hnk Reno authored
-
Joshua Tauberer authored
-
Joshua Tauberer authored
cleanup and harden of fail2ban
-
anoma authored
No legitimate admin will require 20 login attempts. The default 6 is a sane middle ground especially since in 10 minutes they can try again or immediately from another IP anyway.
-
anoma authored
-
anoma authored
-
anoma authored
A 60 second/1 minute ban time is not long enough to counter brute force attacks which is the main purpose of fail2ban for mail in a box. The default bantime of 10 minutes is still sane and I think we have proven fail2ban is reliable enough not to cause problems in general. It is not worth sacrificing security for the rare case where an admin locks themselves out for 10 minutes.
-
anoma authored
-
- 30 Jun, 2015 8 commits
-
-
Joshua Tauberer authored
Set PHPs default charset to UTF-8, since we use it. Closes #367.
-
Joshua Tauberer authored
don't automatically create the administrator@ alias (e.g. on first user creation) because we dont know what it should be an alias to (leave this to be resolved manually), fixes #470 Was broken by 462a79cf.
-
Joshua Tauberer authored
idna domains in certificate subject alternative names were not handled correctly after switching to cryptography package
-
Joshua Tauberer authored
some IDNA functionality was still using Python's built-in IDNA 2003 encoder rather than the idna package's IDNA 2008 encoder
-
Hnk Reno authored
-
Joshua Tauberer authored
-
Joshua Tauberer authored
-
Joshua Tauberer authored
--------------------- Advisories: * Users can no longer spoof arbitrary email addresses in outbound mail. When sending mail, the email address configured in your mail client must match the SMTP login username being used, or the email address must be an alias with the SMTP login username listed as one of the alias's targets. * This update replaces your DKIM signing key with a stronger key. Because of DNS caching/propagation, mail sent within a few hours after this update could be marked as spam by recipients. If you use External DNS, you will need to update your DNS records. * The box will now install software from a new Mail-in-a-Box PPA on Launchpad.net, where we are distributing two of our own packages: a patched postgrey and dovecot-lucene. Mail: * Greylisting will now let some reputable senders pass through immediately. * Searching mail (via IMAP) will now be much faster using the dovecot lucene full text search plugin. * Users can no longer spoof arbitrary email addresses in outbound mail (see above). * Fix for deleting admin@ and postmaster@ addresses. * Roundcube is updated to version 1.1.2, plugins updated. * Exchange/ActiveSync autoconfiguration was not working on all devices (e.g. iPhone) because of a case-sensitive URL. * The DKIM signing key has been increased to 2048 bits, from 1024, replacing the existing key. Web: * 'www' subdomains now automatically redirect to their parent domain (but you'll need to install an SSL certificate). * OCSP no longer uses Google Public DNS. * The installed PHP version is no longer exposed through HTTP response headers, for better security. DNS: * Default IPv6 AAAA records were missing since version 0.09. Control panel: * Resetting a user's password now forces them to log in again everywhere. * Status checks were not working if an ssh server was not installed. * SSL certificate validation now uses the Python cryptography module in some places where openssl was used. * There is a new tab to show the installed version of Mail-in-a-Box and to fetch the latest released version. System: * The munin system monitoring tool is now installed and accessible at /admin/munin. * ownCloud updated to version 8.0.4. The ownCloud installation step now is reslient to download problems. The ownCloud configuration file is now stored in STORAGE_ROOT to fix loss of data when moving STORAGE_ROOT to a new machine. * The setup scripts now run `apt-get update` prior to installing anything to ensure the apt database is in sync with the packages actually available.
-
- 27 Jun, 2015 1 commit
-
-
Joshua Tauberer authored
-