From 163b1a297ef65f2157765170c1ef277ec93e2913 Mon Sep 17 00:00:00 2001 From: jvolkenant Date: Sat, 23 Mar 2024 05:49:24 -0700 Subject: [PATCH 1/6] Silence "wal" output on setup using hide_output (#2368) --- setup/webmail.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index 680427892..3cff14165 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -217,7 +217,7 @@ sed -i.miabold 's/^[^#]\+.\+PRAGMA journal_mode = WAL.\+$/#&/' \ # Because Roundcube wants to set the PRAGMA we just deleted from the source, we apply it here # to the roundcube database (see https://github.com/roundcube/roundcubemail/issues/8035) # Database should exist, created by migration script -sqlite3 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite 'PRAGMA journal_mode=WAL;' | 2>&1 +hide_output sqlite3 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite 'PRAGMA journal_mode=WAL;' # Enable PHP modules. phpenmod -v $PHP_VER imap From 9b450469eb8ff912ed9e909d869e3e9cb61b9646 Mon Sep 17 00:00:00 2001 From: Gio Date: Sat, 23 Mar 2024 21:04:43 +0800 Subject: [PATCH 2/6] Mail guide: OS X -> macOS (#2306) --- management/templates/mail-guide.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/management/templates/mail-guide.html b/management/templates/mail-guide.html index 0ffadbdf2..5e3dc1ecf 100644 --- a/management/templates/mail-guide.html +++ b/management/templates/mail-guide.html @@ -16,7 +16,7 @@

Mobile/desktop apps

Automatic configuration

-

iOS and OS X only: Open this configuration link on your iOS device or on your Mac desktop to easily set up mail (IMAP/SMTP), Contacts, and Calendar. Your username is your whole email address.

+

iOS and macOS only: Open this configuration link on your iOS device or on your Mac desktop to easily set up mail (IMAP/SMTP), Contacts, and Calendar. Your username is your whole email address.

Manual configuration

From 1a239c55bb2955af607e2784eec63431ec5b607d Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Sat, 23 Mar 2024 16:16:40 +0100 Subject: [PATCH 3/6] More robust reading of sshd configuration (#2330) Use sshd -T instead of directly reading the configuration files --- management/dns_update.py | 15 +++++-------- management/status_checks.py | 44 +++++++++---------------------------- management/utils.py | 28 +++++++++++++++++++++++ 3 files changed, 44 insertions(+), 43 deletions(-) diff --git a/management/dns_update.py b/management/dns_update.py index 597df243e..599f27b19 100755 --- a/management/dns_update.py +++ b/management/dns_update.py @@ -9,7 +9,7 @@ import rtyaml import dns.resolver -from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains +from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains, get_ssh_port from ssl_certificates import get_ssl_certificates, check_certificate import contextlib @@ -448,14 +448,11 @@ def build_sshfp_records(): # if SSH has been configured to listen on a nonstandard port, we must # specify that port to sshkeyscan. - port = 22 - with open('/etc/ssh/sshd_config', encoding="utf-8") as f: - for line in f: - s = line.rstrip().split() - if len(s) == 2 and s[0] == 'Port': - with contextlib.suppress(ValueError): - port = int(s[1]) - break + port = get_ssh_port() + + # If nothing returned, SSH is probably not installed. + if not port: + return keys = shell("check_output", ["ssh-keyscan", "-4", "-t", "rsa,dsa,ecdsa,ed25519", "-p", str(port), "localhost"]) keys = sorted(keys.split("\n")) diff --git a/management/status_checks.py b/management/status_checks.py index 77019a4b6..51f8e6319 100755 --- a/management/status_checks.py +++ b/management/status_checks.py @@ -17,7 +17,7 @@ from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate from mailconfig import get_mail_domains, get_mail_aliases -from utils import shell, sort_domains, load_env_vars_from_file, load_settings +from utils import shell, sort_domains, load_env_vars_from_file, load_settings, get_ssh_port, get_ssh_config_value def get_services(): return [ @@ -65,24 +65,6 @@ def run_checks(rounded_values, env, output, pool, domains_to_check=None): run_network_checks(env, output) run_domain_checks(rounded_values, env, output, pool, domains_to_check=domains_to_check) -def get_ssh_port(): - # Returns ssh port - try: - output = shell('check_output', ['sshd', '-T']) - except FileNotFoundError: - # sshd is not installed. That's ok. - return None - - returnNext = False - for e in output.split(): - if returnNext: - return int(e) - if e == "port": - returnNext = True - - # Did not find port! - return None - def run_services_checks(env, output, pool): # Check that system services are running. all_running = True @@ -206,21 +188,15 @@ def is_port_allowed(ufw, port): return any(re.match(str(port) +"[/ \t].*", item) for item in ufw) def check_ssh_password(env, output): - # Check that SSH login with password is disabled. The openssh-server - # package may not be installed so check that before trying to access - # the configuration file. - if not os.path.exists("/etc/ssh/sshd_config"): - return - with open("/etc/ssh/sshd_config", encoding="utf-8") as f: - sshd = f.read() - if re.search("\nPasswordAuthentication\\s+yes", sshd) \ - or not re.search("\nPasswordAuthentication\\s+no", sshd): - output.print_error("""The SSH server on this machine permits password-based login. A more secure - way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check - that you can log in without a password, set the option 'PasswordAuthentication no' in - /etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""") - else: - output.print_ok("SSH disallows password-based login.") + config_value = get_ssh_config_value("passwordauthentication") + if config_value: + if config_value == "no": + output.print_ok("SSH disallows password-based login.") + else: + output.print_error("""The SSH server on this machine permits password-based login. A more secure + way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check + that you can log in without a password, set the option 'PasswordAuthentication no' in + /etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""") def is_reboot_needed_due_to_package_installation(): return os.path.exists("/var/run/reboot-required") diff --git a/management/utils.py b/management/utils.py index 929544d18..397f124d8 100644 --- a/management/utils.py +++ b/management/utils.py @@ -179,6 +179,34 @@ def wait_for_service(port, public, env, timeout): return False time.sleep(min(timeout/4, 1)) +def get_ssh_port(): + port_value = get_ssh_config_value("port") + + if port_value: + return int(port_value) + + return None + +def get_ssh_config_value(parameter_name): + # Returns ssh configuration value for the provided parameter + try: + output = shell('check_output', ['sshd', '-T']) + except FileNotFoundError: + # sshd is not installed. That's ok. + return None + except subprocess.CalledProcessError: + # error while calling shell command + return None + + for line in output.split("\n"): + if " " not in line: continue # there's a blank line at the end + key, values = line.split(" ", 1) + if key == parameter_name: + return values # space-delimited if there are multiple values + + # Did not find the parameter! + return None + if __name__ == "__main__": from web_update import get_web_domains env = load_environment() From fa72e015ee642bef1b1533378c6d67cc1d732bff Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 23 Mar 2024 12:59:39 -0400 Subject: [PATCH 4/6] Update SMTP Smuggling protection to the 'long-term fix' * Revert "Guard against SMTP smuggling", commit faf23f150c5fa85c8e9af1e345d796d2c36a4577, by restoring the setting to its default. * Revert "[security] SMTP smuggling: update short term fix (#2346)", commmit e931e103fe1d6db81681e3c9732d21e9860acdcd, by restoring the setting to its default. * Set smtpd_forbid_bare_newline=normalize. --- setup/mail-postfix.sh | 12 +++++++++--- tools/editconf.py | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index eab152fb1..24969513a 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -70,10 +70,16 @@ tools/editconf.py /etc/postfix/main.cf \ bounce_queue_lifetime=1d # Guard against SMTP smuggling -# This short-term workaround is recommended at https://www.postfix.org/smtp-smuggling.html +# This "long-term" fix is recommended at https://www.postfix.org/smtp-smuggling.html. +# This beecame supported in a backported fix in package version 3.6.4-1ubuntu1.3. It is +# unnecessary in Postfix 3.9+ where this is the default. The "short-term" workarounds +# that we previously had are reverted to postfix defaults (though smtpd_discard_ehlo_keywords +# was never included in a released version of Mail-in-a-Box). +tools/editconf.py /etc/postfix/main.cf -e \ + smtpd_data_restrictions= \ + smtpd_discard_ehlo_keywords= tools/editconf.py /etc/postfix/main.cf \ - smtpd_data_restrictions=reject_unauth_pipelining \ - smtpd_discard_ehlo_keywords="chunking, silent-discard" + smtpd_forbid_bare_newline=normalize # ### Outgoing Mail diff --git a/tools/editconf.py b/tools/editconf.py index 0438695be..db19e5f12 100755 --- a/tools/editconf.py +++ b/tools/editconf.py @@ -30,7 +30,7 @@ # sanity check if len(sys.argv) < 3: - print("usage: python3 editconf.py /etc/file.conf [-s] [-w] [-c ] [-t] NAME=VAL [NAME=VAL ...]") + print("usage: python3 editconf.py /etc/file.conf [-e] [-s] [-w] [-c ] [-t] NAME=VAL [NAME=VAL ...]") sys.exit(1) # parse command line arguments From 7382c18e8fafcd34534e71b7937fedb5acfa2b43 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 23 Mar 2024 13:18:14 -0400 Subject: [PATCH 5/6] CHANGELOG entries --- CHANGELOG.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c855c2146..f6f79508e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,31 @@ CHANGELOG ========= +In Development +-------------- + +Package updates: + +* Roundcube updated to version 1.6.6. +* Nextcloud is updated to version 26.0.12. + +Mail: + +* Updated postfix's configuration to guard against SMTP smuggling to the long-term fix (https://www.postfix.org/smtp-smuggling.html). + +Control Panel: + +* Improved reporting of Spamhaus response codes. +* Improved detection of SSH port. +* Fixed an error if last saved status check results were corrupted. +* Other minor fixes. + +Other: + +* fail2ban is updated to see "HTTP/2.0" requests to munin also. +* Internal improvements to the code to make it more reliable and readable. + + Version 67 (December 22, 2023) ------------------------------ From 830c83daa1e7bc902cc3d5606aef9046d1226147 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Mon, 1 Apr 2024 10:55:17 -0400 Subject: [PATCH 6/6] v68 --- CHANGELOG.md | 4 ++-- README.md | 2 +- setup/bootstrap.sh | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f6f79508e..b048d219c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,8 @@ CHANGELOG ========= -In Development --------------- +Version 68 (April 1, 2024) +-------------------------- Package updates: diff --git a/README.md b/README.md index 8411c4508..0b3d320be 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ Clone this repository and checkout the tag corresponding to the most recent rele $ git clone https://github.com/mail-in-a-box/mailinabox $ cd mailinabox - $ git checkout v67 + $ git checkout v68 Begin the installation. diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh index b52848ee9..de373aff1 100644 --- a/setup/bootstrap.sh +++ b/setup/bootstrap.sh @@ -23,7 +23,7 @@ if [ -z "$TAG" ]; then if [ "$UBUNTU_VERSION" == "Ubuntu 22.04 LTS" ]; then # This machine is running Ubuntu 22.04, which is supported by # Mail-in-a-Box versions 60 and later. - TAG=v67 + TAG=v68 elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then # This machine is running Ubuntu 18.04, which is supported by # Mail-in-a-Box versions 0.40 through 5x.