Releases: mail-in-a-box/mailinabox
Releases · mail-in-a-box/mailinabox
v0.40 (January 12, 2019)
------------------------ This is the first release for Ubuntu 18.04. This version and versions going forward can **only** be installed on Ubuntu 18.04; however, upgrades of existing Ubuntu 14.04 boxes to the latest version supporting Ubuntu 14.04 (v0.30) continue to work as normal. When **upgrading**, you **must first upgrade your existing Ubuntu 14.04 Mail-in-a-Box box** to the latest release supporting Ubuntu 14.04 --- that's v0.30 --- before you migrate to Ubuntu 18.04. If you are running an older version of Mail-in-a-Box which has an old version of ownCloud or Nextcloud, you will *not* be able to upgrade your data because older versions of ownCloud and Nextcloud that are required to perform the upgrade *cannot* be run on Ubuntu 18.04. To upgrade from Ubuntu 14.04 to Ubuntu 18.04, you **must create a fresh Ubuntu 18.04 machine** before installing this version. In-place upgrades of servers are not supported. Since Ubuntu's support for Ubuntu 14.04 has almost ended, everyone is encouraged to create a new Ubuntu 18.04 machine and migrate to it. For complete upgrade instructions, see: https://discourse.mailinabox.email/t/mail-in-a-box-version-v0-40-and-moving-to-ubuntu-18-04/4289 The changelog for this release follows. Setup: * Mail-in-a-Box now targets Ubuntu 18.04 LTS, which will have support from Ubuntu through 2022. * Some of the system packages updated in virtue of using Ubuntu 18.04 include postfix (2.11=>3.3) nsd (4.0=>4.1), nginx (1.4=>1.14), PHP (7.0=>7.2), Python (3.4=>3.6), fail2ban (0.8=>0.10), Duplicity (0.6=>0.7). * [Unofficial Bash Strict Mode](http://redsymbol.net/articles/unofficial-bash-strict-mode/) is turned on for setup, which might catch previously uncaught issues during setup. Mail: * IMAP server-side full text search is no longer supported because we were using a custom-built `dovecot-lucene` package that we are no longer maintaining. * Sending email is now disabled on port 25 --- you must log in to port 587 to send email, per the long-standing mail instructions. * Greylisting may delay more emails from new senders. We were using a custom-built postgrey package previously that whitelisted sending domains in dnswl.org, but we are no longer maintaining that package.
v0.30 (January 9, 2019)
----------------------- Setup: * Update to Roundcube 1.3.8 and the CardDAV plugin to 3.0.3. * Add missing rsyslog package to install line since some OS images don't have it installed by default. * A log file for nsd was added. Control Panel: * The users page now documents that passwords should only have ASCII characters to prevent character encoding mismaches between clients and the server. * The users page no longer shows user mailbox sizes because this was extremely slow for very large mailboxes. * The Mail-in-a-Box version is now shown in the system status checks even when the new-version check is disabled. * The alises page now warns that alises should not be used to forward mail off of the box. Mail filters within Roundcube are better for that. * The explanation of greylisting has been improved.
v0.26 (January 18, 2018)
------------------------ Security: * HTTPS, IMAP, and POP's TLS settings have been updated to Mozilla's intermediate cipher list recommendation. Some extremely old devices that use less secure TLS ciphers may no longer be able to connect to IMAP/POP. * Updated web HSTS header to use longer six month duration. Mail: * Adding attachments in Roundcube broke after the last update for some users after rebooting because a temporary directory was deleted on reboot. The temporary directory is now moved from /tmp to /var so that it is persistent. * `X-Spam-Score` header is added to incoming mail. Control panel: * RSASHA256 is now used for DNSSEC for .lv domains. * Some documentation/links improvements. Installer: * We now run `apt-get autoremove` at the start of setup to clear out old packages, especially old kernels that take up a lot of space. On the first run, this step may take a long time. * We now fetch Z-Push from its tagged git repository, fixing an installation problem. * Some old PHP5 packages are removed from setup, fixing an installation bug where Apache would get installed. * Python 3 packages for the control panel are now installed using a virtualenv to prevent installation errors.
v0.25 (November 15, 2017)
------------------------- This update is a security update addressing [CVE-2017-16651, a vulnerability in Roundcube webmail that allows logged-in users to access files on the local filesystem](https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10). Mail: * Update to Roundcube 1.3.3. Control Panel: * Fix DNS validation to allow wildcard custom DNS entries to be set.
v0.24
v0.24 (October 3, 2017)
System:
- Install PHP7 via a PPA. Switch to the on-demand process manager.
Mail:
- Updated to Roundcube 1.3.1, but unfortunately dropping the Vacation plugin because it has not been supported by its author and is not compatible with Roundcube 1.3, and updated the persistent login plugin.
- Updated to Z-Push 2.3.8.
- Dovecot now uses stronger 2048 bit DH params for better forward secrecy.
Nextcloud:
- Nextcloud updated to 12.0.3, using PHP7.
Control Panel:
- Nameserver (NS) records can now be set on custom domains.
- Fix an erroneous status check error due to IPv6 address formatting.
- Aliases for administrative addresses can now be set to send mail to +tag administrative addresses.
v0.12
This is a minor update to v0.11, which was a major update. Please read v0.11's advisories. * The administrator@ alias was incorrectly created starting with v0.11. If your first install was v0.11, check that the administrator@ alias forwards mail to you. * Intrusion detection rules (fail2ban) are relaxed (i.e. less is blocked). * SSL certificates could not be installed for the new automatic 'www.' redirect domains. * PHP's default character encoding is changed from no default to UTF8. The effect of this change is unclear but should prevent possible future text conversion issues. * User-installed SSL private keys in the BEGIN PRIVATE KEY format were not accepted. * SSL certificates with SAN domains with IDNA encoding were broken in v0.11. * Some IDNA functionality was using IDNA 2003 rather than IDNA 2008.
v0.11 (June 29, 2015)
--------------------- Advisories: * Users can no longer spoof arbitrary email addresses in outbound mail. When sending mail, the email address configured in your mail client must match the SMTP login username being used, or the email address must be an alias with the SMTP login username listed as one of the alias's targets. * This update replaces your DKIM signing key with a stronger key. Because of DNS caching/propagation, mail sent within a few hours after this update could be marked as spam by recipients. If you use External DNS, you will need to update your DNS records. * The box will now install software from a new Mail-in-a-Box PPA on Launchpad.net, where we are distributing two of our own packages: a patched postgrey and dovecot-lucene. Mail: * Greylisting will now let some reputable senders pass through immediately. * Searching mail (via IMAP) will now be much faster using the dovecot lucene full text search plugin. * Users can no longer spoof arbitrary email addresses in outbound mail (see above). * Fix for deleting admin@ and postmaster@ addresses. * Roundcube is updated to version 1.1.2, plugins updated. * Exchange/ActiveSync autoconfiguration was not working on all devices (e.g. iPhone) because of a case-sensitive URL. * The DKIM signing key has been increased to 2048 bits, from 1024, replacing the existing key. Web: * 'www' subdomains now automatically redirect to their parent domain (but you'll need to install an SSL certificate). * OCSP no longer uses Google Public DNS. * The installed PHP version is no longer exposed through HTTP response headers, for better security. DNS: * Default IPv6 AAAA records were missing since version 0.09. Control panel: * Resetting a user's password now forces them to log in again everywhere. * Status checks were not working if an ssh server was not installed. * SSL certificate validation now uses the Python cryptography module in some places where openssl was used. * There is a new tab to show the installed version of Mail-in-a-Box and to fetch the latest released version. System: * The munin system monitoring tool is now installed and accessible at /admin/munin. * ownCloud updated to version 8.0.4. The ownCloud installation step now is reslient to download problems. The ownCloud configuration file is now stored in STORAGE_ROOT to fix loss of data when moving STORAGE_ROOT to a new machine. * The setup scripts now run `apt-get update` prior to installing anything to ensure the apt database is in sync with the packages actually available.
v0.10
v0.10 (June 1, 2015)
- SMTP Submission (port 587) began offering the insecure SSLv3 protocol due to a misconfiguration in the previous version.
- Roundcube now allows persistent logins using Roundcube-Persistent-Login-Plugin.
- ownCloud is updated to version 8.0.3.
- SPF records for non-mail domains were tightened.
- The minimum greylisting delay has been reduced from 5 minutes to 3 minutes.
- Users and aliases weren't working if they were entered with any uppercase letters. Now only lowercase is allowed.
- After installing an SSL certificate from the control panel, the page wasn't being refreshed.
- Backups broke if the box's hostname was changed after installation.
- Dotfiles (i.e. .svn) stored in ownCloud Files were not accessible from ownCloud's mobile/desktop clients.
- Fix broken install on OVH VPS's.
v0.09
v0.09 (May 8, 2015)
Mail:
- Spam checking is now performed on messages larger than the previous limit of 64KB.
- POP3S is now enabled (port 995).
- Roundcube is updated to version 1.1.1.
- Minor security improvements (more mail headers with user agent info are anonymized; crypto settings were tightened).
ownCloud:
- Downloading files you uploaded to ownCloud broke because of a change in ownCloud 8.
DNS:
- Internationalized Domain Names (IDNs) should now work in email. If you had custom DNS or custom web settings for internationalized domains, check that they are still working.
- It is now possible to set multiple TXT and other types of records on the same domain in the control panel.
- The custom DNS API was completely rewritten to support setting multiple records of the same type on a domain. Any existing client code using the DNS API will have to be rewritten. (Existing code will just get 404s back.)
- On some systems the
nsdservice failed to start if network inferfaces were not ready.
System / Control Panel:
- In order to guard against misconfiguration that can lead to domain control validation hijacking, email addresses that begin with admin, administrator, postmaster, hostmaster, and webmaster can no longer be used for (new) mail user accounts, and aliases for these addresses may direct mail only to the box's administrator(s).
- Backups now use duplicity's built-in gpg symmetric AES256 encryption rather than my home-brewed encryption. Old backups will be incorporated inside the first backup after this update but then deleted from disk (i.e. your backups from the previous few days will be backed up).
- There was a race condition between backups and the new nightly status checks.
- The control panel would sometimes lock up with an unnecessary loading indicator.
- You can no longer delete your own account from the control panel.
Setup:
- All Mail-in-a-Box release tags are now signed on github, instructions for verifying the signature are added to the README, and the integrity of some packages downloaded during setup is now verified against a SHA1 hash stored in the tag itself.
- Bugs in first user account creation were fixed.
Version v0.08
CHANGELOG
v0.08 (April 1, 2015)
Mail:
- The Roundcube vacation_sieve plugin by @arodier is now installed to make it easier to set vacation auto-reply messages from within Roundcube.
- Authentication-Results headers for DMARC, added in v0.07, were mistakenly added for outbound mail --- that's now removed.
- The Trash folder is now created automatically for new mail accounts, addressing a Roundcube error.
DNS:
- Custom DNS TXT records were not always working and they can now override the default SPF, DKIM, and DMARC records.
System:
- ownCloud updated to version 8.0.2.
- Brute-force SSH and IMAP login attempts are now prevented by properly configuring fail2ban.
- Status checks are run each night and any changes from night to night are emailed to the box administrator (the first user account).
Control panel:
- The new check that system services are running mistakenly checked that the Dovecot Managesieve service is publicly accessible. Although the service binds to the public network interface we don't open the port in ufw. On some machines it seems that ufw blocks the connection from the status checks (which seems correct) and on some machines (mine) it doesn't, which is why I didn't notice the problem.
- The current backup chain will now try to predict how many days until it is deleted (always at least 3 days after the next full backup).
- The list of aliases that forward to a user are removed from the Mail Users page because when there are many alises it is slow and times-out.
- Some status check errors are turned into warnings, especially those that might not apply if External DNS is used.