- 02 Jul, 2015 8 commits
-
-
Hnk Reno authored
-
Joshua Tauberer authored
-
Joshua Tauberer authored
cleanup and harden of fail2ban
-
anoma authored
No legitimate admin will require 20 login attempts. The default 6 is a sane middle ground especially since in 10 minutes they can try again or immediately from another IP anyway.
-
anoma authored
-
anoma authored
-
anoma authored
A 60 second/1 minute ban time is not long enough to counter brute force attacks which is the main purpose of fail2ban for mail in a box. The default bantime of 10 minutes is still sane and I think we have proven fail2ban is reliable enough not to cause problems in general. It is not worth sacrificing security for the rare case where an admin locks themselves out for 10 minutes.
-
anoma authored
-
- 30 Jun, 2015 8 commits
-
-
Joshua Tauberer authored
Set PHP's default charset to UTF-8, since we use it. Closes #367.
-
Joshua Tauberer authored
don't automatically create the administrator@ alias (e.g. on first user creation) because we don't know what it should be an alias to (leave this to be resolved manually), fixes #470. Was broken by 462a79cf.
-
Joshua Tauberer authored
idna domains in certificate subject alternative names were not handled correctly after switching to cryptography package
-
Joshua Tauberer authored
some IDNA functionality was still using Python's built-in IDNA 2003 encoder rather than the idna package's IDNA 2008 encoder
-
Hnk Reno authored
-
Joshua Tauberer authored
-
Joshua Tauberer authored
-
Joshua Tauberer authored
---------------------

Advisories:

* Users can no longer spoof arbitrary email addresses in outbound mail. When sending mail, the email address configured in your mail client must match the SMTP login username being used, or the email address must be an alias with the SMTP login username listed as one of the alias's targets.
* This update replaces your DKIM signing key with a stronger key. Because of DNS caching/propagation, mail sent within a few hours after this update could be marked as spam by recipients. If you use External DNS, you will need to update your DNS records.
* The box will now install software from a new Mail-in-a-Box PPA on Launchpad.net, where we are distributing two of our own packages: a patched postgrey and dovecot-lucene.

Mail:

* Greylisting will now let some reputable senders pass through immediately.
* Searching mail (via IMAP) will now be much faster using the dovecot lucene full text search plugin.
* Users can no longer spoof arbitrary email addresses in outbound mail (see above).
* Fix for deleting admin@ and postmaster@ addresses.
* Roundcube is updated to version 1.1.2, plugins updated.
* Exchange/ActiveSync autoconfiguration was not working on all devices (e.g. iPhone) because of a case-sensitive URL.
* The DKIM signing key has been increased to 2048 bits, from 1024, replacing the existing key.

Web:

* 'www' subdomains now automatically redirect to their parent domain (but you'll need to install an SSL certificate).
* OCSP no longer uses Google Public DNS.
* The installed PHP version is no longer exposed through HTTP response headers, for better security.

DNS:

* Default IPv6 AAAA records were missing since version 0.09.

Control panel:

* Resetting a user's password now forces them to log in again everywhere.
* Status checks were not working if an ssh server was not installed.
* SSL certificate validation now uses the Python cryptography module in some places where openssl was used.
* There is a new tab to show the installed version of Mail-in-a-Box and to fetch the latest released version.

System:

* The munin system monitoring tool is now installed and accessible at /admin/munin.
* ownCloud updated to version 8.0.4. The ownCloud installation step now is resilient to download problems. The ownCloud configuration file is now stored in STORAGE_ROOT to fix loss of data when moving STORAGE_ROOT to a new machine.
* The setup scripts now run `apt-get update` prior to installing anything to ensure the apt database is in sync with the packages actually available.
-
- 27 Jun, 2015 2 commits
-
-
Joshua Tauberer authored
-
Joshua Tauberer authored
The sslmate guidance changed. See #458.
-
- 26 Jun, 2015 2 commits
-
-
Joshua Tauberer authored
-
Joshua Tauberer authored
-
- 25 Jun, 2015 7 commits
-
-
Joshua Tauberer authored
-
Joshua Tauberer authored
show the Mail-in-a-Box version in the control panel and a button to ping the MiaB website for the latest version, fixes #441
-
Joshua Tauberer authored
-
Joshua Tauberer authored
* Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.)
* Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings.
* When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec.
* Added a changelog entry.
-
Joshua Tauberer authored
-
Joshua Tauberer authored
Z-Push autoconfiguration fails due to URL case sensitivity
-
Marc Schiller authored
-
- 24 Jun, 2015 6 commits
-
-
PortableTech authored
Currently MiaB creates 1024 bit keys which is seen as a minimum standard by several providers such as Google who already uses a 2048 bit key. Increasing the keysize beyond 2048 is an issue as it often goes beyond supported DNS record sizes.
-
Joshua Tauberer authored
-
Joshua Tauberer authored
-
Joshua Tauberer authored
Reject outgoing mail if MAIL FROM (envelope sender) does not match login name or is not an alias that directs mail (directly) to login name.
-
Joshua Tauberer authored
ownCloud breaks if download fails (Issue #449)
-
aLeX authored
If the downloaded file doesn't pass hash verification, the script exits and leaves a broken system. Just make hash verification before moving owncloud directory.
-
- 23 Jun, 2015 1 commit
-
-
Joshua Tauberer authored
-
- 21 Jun, 2015 2 commits
-
-
Joshua Tauberer authored
validate certificates using the cryptography python package as much as possible, shelling out to openssl just once instead of four times per certificate

* Use `cryptography` instead of parsing openssl's output.
* When checking if we can reuse the primary domain certificate or a www-parent-domain certificate for a domain, avoid shelling out to openssl entirely.
-
Joshua Tauberer authored
-
- 20 Jun, 2015 1 commit
-
-
Morteza Milani authored
-
- 18 Jun, 2015 3 commits
-
-
Toilal authored
[JT added installing netcat-openbsd in system.sh]
-
Joshua Tauberer authored
add a new autoconfiguration option PRIMARY_HOSTNAME=auto to simply grab the hostname from reverse DNS

drawn from https://github.com/Toilal/mailinabox/commit/5b23a06a7410e4530a56fd6200a6c46c3c6ea9b6.
-
Joshua Tauberer authored
-