merge upstream v68

CHANGELOG.md

@@ -1,8 +1,29 @@
 CHANGELOG
 =========
 
-* Roundcube updated to 1.6.5 fixing a security vulnerability.
-* Nextcloud updated to 26.0.8 (and its apps also updated).
+Version 68 (April 1, 2024)
+--------------------------
+
+Package updates:
+
+* Roundcube updated to version 1.6.6.
+* Nextcloud is updated to version 26.0.12.
+
+Mail:
+
+* Updated postfix's configuration to guard against SMTP smuggling to the long-term fix (https://www.postfix.org/smtp-smuggling.html).
+
+Control Panel:
+
+* Improved reporting of Spamhaus response codes.
+* Improved detection of SSH port.
+* Fixed an error if last saved status check results were corrupted.
+* Other minor fixes.
+
+Other:
+
+* fail2ban is updated to see "HTTP/2.0" requests to munin also.
+* Internal improvements to the code to make it more reliable and readable.
 
 Version 67 (December 22, 2023)
 ------------------------------

README.md

@@ -123,7 +123,7 @@ Clone this repository and checkout the tag corresponding to the most recent rele
 
 	$ git clone https://github.com/mail-in-a-box/mailinabox
 	$ cd mailinabox
-	$ git checkout v67
+	$ git checkout v68
 
 Begin the installation.
 

management/dns_update.py

@@ -482,7 +482,8 @@ def build_sshfp_records():
 	# specify that port to sshkeyscan.
 
 	port = get_ssh_port()
-	# If nothing returned, assume ssh not installed
+
+	# If nothing returned, SSH is probably not installed.
 	if not port:
 		return
 

management/status_checks.py

@@ -197,9 +197,9 @@ def check_ssh_password(env, output):
 			output.print_ok("SSH disallows password-based login.")
 		else:
 			output.print_error("""The SSH server on this machine permits password-based login. A more secure
-        	                way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
-                	        that you can log in without a password, set the option 'PasswordAuthentication no' in
-                	        /etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
+				way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
+				that you can log in without a password, set the option 'PasswordAuthentication no' in
+				/etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
 
 def is_reboot_needed_due_to_package_installation():
 	return os.path.exists("/var/run/reboot-required")

management/templates/mail-guide.html

@@ -16,7 +16,7 @@ <h3>Mobile/desktop apps</h3>
 
 				<h4>Automatic configuration</h4>
 
-					<p>iOS and OS X only: Open <a style="font-weight: bold" href="https://{{hostname}}/mailinabox.mobileconfig">this configuration link</a> on your iOS device or on your Mac desktop to easily set up mail (IMAP/SMTP), Contacts, and Calendar. Your username is your whole email address.</p>
+					<p>iOS and macOS only: Open <a style="font-weight: bold" href="https://{{hostname}}/mailinabox.mobileconfig">this configuration link</a> on your iOS device or on your Mac desktop to easily set up mail (IMAP/SMTP), Contacts, and Calendar. Your username is your whole email address.</p>
 
 				<h4>Manual configuration</h4>
 

management/utils.py

@@ -181,7 +181,7 @@ def wait_for_service(port, public, env, timeout):
 
 def get_ssh_port():
 	port_value = get_ssh_config_value("port")
-	
+
 	if port_value:
 		return int(port_value)
 

setup/bootstrap.sh

@@ -25,7 +25,7 @@ if [ -z "$TAG" ]; then
 	if [ "$UBUNTU_VERSION" == "Ubuntu 22.04 LTS" ]; then
 		# This machine is running Ubuntu 22.04, which is supported by
 		# Mail-in-a-Box versions 60 and later.
-		TAG=v67
+		TAG=v68
 	elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then
 		# This machine is running Ubuntu 18.04, which is supported by
 		# Mail-in-a-Box versions 0.40 through 5x.

setup/mail-postfix.sh

@@ -70,7 +70,11 @@ tools/editconf.py /etc/postfix/main.cf \
 	bounce_queue_lifetime=1d
 
 # Guard against SMTP smuggling
-# This setting works starting version 3.6.4-1ubuntu1.3 of postfix. See also https://www.postfix.org/smtp-smuggling.html
+# This "long-term" fix is recommended at https://www.postfix.org/smtp-smuggling.html.
+# This became supported in a backported fix in package version 3.6.4-1ubuntu1.3. It is
+# unnecessary in Postfix 3.9+ where this is the default. The "short-term" workarounds
+# that we previously had are reverted to postfix defaults (though smtpd_discard_ehlo_keywords
+# was never included in a released version of Mail-in-a-Box).
 tools/editconf.py /etc/postfix/main.cf \
 	smtpd_forbid_bare_newline=normalize
 

setup/webmail.sh

@@ -226,7 +226,7 @@ sed -i.miabold 's/^[^#]\+.\+PRAGMA journal_mode = WAL.\+$/#&/' \
 # Because Roundcube wants to set the PRAGMA we just deleted from the source, we apply it here
 # to the roundcube database (see https://github.com/roundcube/roundcubemail/issues/8035)
 # Database should exist, created by migration script
-sqlite3 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite 'PRAGMA journal_mode=WAL;' | 2>&1
+hide_output sqlite3 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite 'PRAGMA journal_mode=WAL;'
 
 # Enable PHP modules.
 phpenmod -v php imap

tools/editconf.py

@@ -30,7 +30,7 @@
 
 # sanity check
 if len(sys.argv) < 3:
-	print("usage: python3 editconf.py /etc/file.conf [-s] [-w] [-c <CHARACTER>] [-t] NAME=VAL [NAME=VAL ...]")
+	print("usage: python3 editconf.py /etc/file.conf [-e] [-s] [-w] [-c <CHARACTER>] [-t] NAME=VAL [NAME=VAL ...]")
 	sys.exit(1)
 
 # parse command line arguments