progmaticltd / homebox

A set of ansible scripts to build a personal mail server / private cloud / etc.

Home Page: https://homebox.space/

License: GNU General Public License v3.0

Shell 58.80% Python 31.49% CSS 0.04% JavaScript 0.09% HTML 3.19% Rich Text Format 2.26% NASL 0.53% Sieve 2.51% Lua 1.09%
ansible-scripts dkim self-hosted sogo sieve rspamd calendar embedded-dns-server sshfp dnssec

homebox's Introduction

A set of Ansible scripts to set up a secure email and personal files server. This project is for you if:

  • You are interested in hosting your emails yourself, for privacy, security or any other reason.
  • You want your server to be secure against both physical and remote intrusion.
  • You want a low maintenance box that keeps itself updated automatically.
  • You trust the Debian community to publish security updates.

Official documentation and user's guide

Following the development using RSS feeds

Mailing lists

Thanks to Framasoft, two mailing lists have been created, one for general questions, suggestions and support, and another one dedicated for development.

Current project status

System installation and features

  • Install packages only from Debian stable (Bookworm).
  • Automatic letsencrypt certificates generation using DNS challenge.
  • Automatic security updates.
  • Centralised authentication with an LDAP users database and password policies.
  • AppArmor activated, with a profile for all daemons.
  • Random passwords generated and optionally saved using pass.
  • Can be used at home, on a dedicated or virtual server hosted online.
  • Flexible IP address support: IPv4 only, IPv6 only, and IPv4+IPv4 or IPv4+IPv6.
  • Embedded DNS server, with CAA, DNSSEC and SSH fingerprint (SSHFP records).
  • All the http sites ranked A+, with HSTS implemented out of the box.
  • Automatic firewall rules for inbound, outbound and forwarding traffic, using nftables.
  • Filtered outbound traffic as well.
  • Automatic update of DNS servers and glue records on Gandi.
  • Automatic configuration of OpenPGP Web Key Directory.

Emails

  • Postfix configuration and installation, with LDAP lookups, internationalised email aliases, fully SSL compliant.
  • Generate DKIM keys, SPF, DMARC and DANE DNS records. The DKIM keys are generated every year.
  • Automatic copy of sent emails into the sent folder.
  • Automatic creation of the postmaster account and special associated email addresses using RFC 2142 specifications.
  • Dovecot configuration, IMAPS, POP3S, Quotas, ManageSieve, simple spam and ham learning by moving emails in and out the Junk folder, sieve and vacation scripts.
  • Virtual folders for server search: unread messages, conversations view, all messages, flagged and messages labelled as "important".
  • Email addresses with recipient delimiter included, e.g. [email protected].
  • Optional master user creation, e.g. for families with children or moderated communities.
  • Server side full text search inside emails, attached documents and files and compressed archives.
  • Modern and responsive web access to emails, calendars and address books.
  • Powerful and light antispam system with rspamd and optional access to the web interface.
  • Antivirus for inbound and outbound emails with clamav.
  • Automatic configuration for Thunderbird and Outlook using published XML and other clients with special DNS records (RFC 6186).

Calendar and Address book

  • Install and configure a CalDAV / CardDAV server, with DNS based automatic discovery (RFC 6186).
  • Groupware functionality in a web interface, with SOGo.
  • Recurring events, email alerts, shared address books and calendars.
  • Mobile devices compatibility: Android, Apple iOS, BlackBerry 10 and Windows mobile through Microsoft ActiveSync.

Other optional features

  • Static web site skeleton configuration, with https certificates and A+ security grade.
  • Jabber server, using ejabberd, with LDAP authentication, direct or offline file transfer and optional server to server communication.
  • Incremental backups, encrypted, on multiple destinations (SFTP, S3, Samba share or USB drive), with email and Jabber reporting.
  • Wireguard VPN server, with QR code generation, multiple configurations per client, and optional split tunnelling.
  • SSH certificates for users, with restricted commands, options and expiration date, with configuration files sent by email automatically.
  • Small and secure git server per user, with automatic repository creation on the first push.

Development

  • YAML files validation on each commit, using travis-ci.
  • End to end integration tests for the majority of components.
  • Playbooks to facilitate the installation or removal of development packages.
  • Global debug flag to activate the debug mode of all components.
  • Fully open source Ansible scripts licensed under GPLv3.

homebox's People

Contributors

arodier, arodier-sq, diffway, fredericmoulins, progmaticltd, sorcer1122

homebox's Issues

Clarify the installation procedure in the documentation

Hello,

A bit of a stupid question - what is the best way to install it? The manual is silent in relation to this.

Do I need to run:
ansible-playbook access-check.yml
ansible-playbook access-report.yml
and so on to install everything or is there one command to install everything in my defaults.yml and system.yml?

Thanks

Add syncthing

A synchronisation package in Debian repository:

Syncthing replaces proprietary sync and cloud services with something open, trustworthy and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third party and how it's transmitted over the Internet

https://syncthing.net/

Jabber key+certificate file not rebuilt upon letsencrypt certificate renewal

There is a post-renewal hook, in the letsencrypt folder, called renewal-hook.sh
This script builds the full certificate+key in a pem file used by eJabberd, and restarts the jabber server.

After trying it manually, I can confirm it works.
However, it has not been called - or perhaps the call has been interrupted, as the final certificate file is not built, generating errors. AppArmor might have been involved, I will check this.

To fix this bug, a post-renewal script should be installed as the ejabberd user, and do the same.

Add LDAP indexes

There are some error logs in the LDAP

Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (cn) not indexed
Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (givenName) not indexed
Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (sn) not indexed
Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (mail) not indexed
Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (cn) not indexed
Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (givenName) not indexed
Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (sn) not indexed
Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (mail) not indexed
Mar 13 19:53:57 mail slapd[13351]: <= mdb_substring_candidates: (cn) not indexed
Mar 13 19:53:57 mail slapd[13351]: <= mdb_substring_candidates: (givenName) not indexed
Mar 13 19:53:57 mail slapd[13351]: <= mdb_substring_candidates: (sn) not indexed
Mar 13 19:53:57 mail slapd[13351]: <= mdb_substring_candidates: (mail) not indexed
Mar 13 19:53:57 mail slapd[13351]: <= mdb_substring_candidates: (cn) not indexed
Mar 13 19:53:57 mail slapd[13351]: <= mdb_substring_candidates: (givenName) not indexed
Mar 13 19:53:57 mail slapd[13351]: <= mdb_substring_candidates: (sn) not indexed
Mar 13 19:53:57 mail slapd[13351]: <= mdb_substring_candidates: (mail) not indexed
Mar 13 19:54:12 mail slapd[13351]: <= mdb_equality_candidates: (mail) not indexed
Mar 13 19:54:19 mail slapd[13351]: <= mdb_equality_candidates: (mail) not indexed
Mar 13 19:54:19 mail slapd[13351]: <= mdb_equality_candidates: (mail) not indexed
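The slapd messages above name both the attribute and the kind of search that found no index: `mdb_equality_candidates` calls for an `eq` index and `mdb_substring_candidates` for a `sub` index. The following added example (not part of the original issue or of the homebox code) turns such log lines into an `olcDbIndex` LDIF; the log sample is constructed in the format quoted above, and the database DN `olcDatabase={1}mdb,cn=config` is an assumption to be checked against the actual server.

```python
import re
from collections import defaultdict

# Constructed sample, in the format of the slapd lines quoted in the issue.
SAMPLE_LOG = """\
Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (cn) not indexed
Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (givenName) not indexed
Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (sn) not indexed
Mar 13 19:53:56 mail slapd[13351]: <= mdb_substring_candidates: (mail) not indexed
Mar 13 19:53:57 mail slapd[13351]: <= mdb_substring_candidates: (cn) not indexed
Mar 13 19:54:12 mail slapd[13351]: <= mdb_equality_candidates: (mail) not indexed
Mar 13 19:54:19 mail slapd[13351]: slapd unrelated line, ignored
"""

NOT_INDEXED = re.compile(r"mdb_(\w+)_candidates: \(([\w;-]+)\) not indexed")

# Only the two search kinds that appear in the issue are mapped; others are skipped.
INDEX_TYPE = {"equality": "eq", "substring": "sub"}
ORDER = ["eq", "sub"]


def missing_indexes(log_text):
    """Return {attribute: [index types]} for every 'not indexed' message."""
    wanted = defaultdict(set)
    for kind, attr in NOT_INDEXED.findall(log_text):
        if kind in INDEX_TYPE:
            wanted[attr].add(INDEX_TYPE[kind])
    return {attr: sorted(types, key=ORDER.index) for attr, types in wanted.items()}


def to_ldif(indexes, database_dn="olcDatabase={1}mdb,cn=config"):
    """Render one ldapmodify 'add' operation; database_dn is an assumed default."""
    lines = [f"dn: {database_dn}", "changetype: modify", "add: olcDbIndex"]
    for attr, types in sorted(indexes.items()):
        lines.append(f"olcDbIndex: {attr} {','.join(types)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_ldif(missing_indexes(SAMPLE_LOG)), end="")
```

Compare the result with the `olcDbIndex` values already present on the database before applying it, since an attribute may already be indexed for another search type.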

Disable SOGo feature that copies sent emails in the sent folder

SOGo copies sent messages in the sent folder, but this is already done by the mail server.

To avoid this, there might be a flag in SOGo 3 that I am not aware of, or the other option is to delete the message from SOGo in the sent folder.

  1. Configure postfix to remove the user agent when messages are sent
  2. Delete messages in the sent folder that contain the mail user agent

Add DANE support for the mail server

DANE is DNS-based Authentication of Named Entities.

It is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).

Generate random passwords for the users upon installation

It could be interesting to generate random passwords upon installation, instead of specifying them in the configuration file. They would be then:

  • stored in the backup folder,
  • sent to the user using another email address
  • sent via another channel (e.g. XMPP)

DNS: CAA record support

Let's add this for more security:

DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record.

It was drafted by computer scientists Phillip Hallam-Baker and Rob Stradling in response to increasing concerns about the security of publicly trusted certificate authorities. It is an Internet Engineering Task Force (IETF) proposed standard.

Sogo binaries are requesting to read the root filesystem

Two tools are opening the root folder ("/") thousands of times a day, just for reading and getting the attributes.

This is visible with AppArmor:

operation="getattr" profile="/usr/sbin/sogo-ealarms-notify" name="/" comm="sogo-ealarms-no" requested_mask="r" fsuid=126 ouid=0
operation="getattr" profile="/usr/sbin/sogo-tool" name="/" comm="sogo-tool" requested_mask="r" fsuid=126 ouid=0
operation="open" profile="/usr/sbin/sogo-tool" name="/" comm="sogo-tool" requested_mask="r" fsuid=126 ouid=0

I really wonder why those binaries are opening the root ("/") folder, even for reading and getting the attributes.

  • What is the point of doing this?
  • Is this a bug?
  • Is this fixed in the version 4?

The bug is referenced here: https://sogo.nu/bugs/view.php?id=4704

Add mail list service

Add optional/core feature for providing mail listing services, like Mailman, I personally prefer Sympa, which can also be linked to LDAP groups dynamically creating mail lists from LDAP groups.

Continuous Integration for all the features

Write continuous integration scripts and reports to check all the features on every master commit:

  • Email: smtp, imap, full text search, etc.
  • Collaboration: carddav, caldav, etc.
  • Proxying with tor and privoxy
  • Gogs repository
  • Transmission
  • etc.

Set apparmor as mandatory

My system has been running with AppArmor for more than a year, without major issues.
It will be activated by default in the next Debian version, so perhaps we can now remove all the conditions.

Restrict internet access from the box to the minimum

Ideally, the box should only have access to a few internet sites, all the rest being blocked and logged.
For instance, access to Debian repositories, ClamAV updates, rspamd repositories, etc.

  • A whitelist / blacklist proxy, like tinyproxy might be enough.
  • Adding appropriate firewall rules to automatically redirect the traffic to the proxy might be interesting.

OpenDMARC daemon exits

The DMARC daemon, opendmarc, exits without reason, and does not restart.
I cannot find anything in the filesystem logs, neither any information on journalctl.
It looks like the daemon has been stopped.

LDAP password policies and command line

I have the password policies defined in the LDAP database, but they don't seem to apply to the users when changing a password.

Both "olcPPolicyDefault" and "olcPPolicyHashCleartext" are set up, but only the last is working, i.e. passwords sent in clear text by an LDAP client are automatically encrypted.

There is an overlay entry for the domain, example: "olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space" and a correct entry "pwdPolicySubentry" for each user. However, when I try to change the password with pam_ldap or using the roundcube password plugin, even the minimal length rule is ignored.

Mail extension/detail don't work on fresh install

I just deployed a fresh VPS using these awesome playbooks, so first of all thanks for those, they worked (almost) perfectly.

What works: sending and receiving mail on both [email protected] and [email protected], roundcube, sogo, rspamd, ufw, etc.

However, what doesn't seem to work is using the mail extension ([email protected] or [email protected]) option, and I can't get it to work.

The delimiter seems to be set in both postfix main.cf, dovecot 15-lda.conf and 90-sieve.conf but sending an email (from gmail) to these mail addresses results in an error:

Feb 25 13:37:48 homebox postfix/smtpd[10806]: connect from mail-ed1-f52.google.com[209.85.208.52]
Feb 25 13:37:48 homebox postfix/smtpd[10806]: warning: connect to Milter service inet:localhost:32000: Connection refused
Feb 25 13:37:48 homebox postfix/smtpd[10806]: Anonymous TLS connection established from mail-ed1-f52.google.com[209.85.208.52]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 25 13:37:48 homebox postfix/smtpd[10806]: NOQUEUE: reject: RCPT from mail-ed1-f52.google.com[209.85.208.52]: 554 5.7.1 <[email protected]>: Recipient address rejected: Unknown user; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-ed1-f52.google.com>
Feb 25 13:37:48 homebox postfix/smtpd[10806]: disconnect from mail-ed1-f52.google.com[209.85.208.52] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7

I searched about everywhere and it seems that the configs already have all the suggestions I can find. Maybe someone here can help?

I didn't paste my configs here, because I haven't edited them in any way, they are just how they are in the git.

Add Collabora Online

The integration of Collabora online development edition (CODE) seems simple enough. This should be added

Dovecot conf.d files error

OK got to the first error while running mail.yml playbook, which I cannot fix:

TASK [dovecot : Create dovecot conf.d configuration files] *********************************************************************************************************************************
failed: [homebox] (item=10-auth.conf) => changed=false
file: 10-auth.conf
msg: 'AnsibleUndefinedVariable: ''dict object'' has no attribute ''username_chars'''
failed: [homebox] (item=10-master.conf) => changed=false
file: 10-master.conf
msg: 'AnsibleUndefinedVariable: ''dict object'' has no attribute ''log_access'''
changed: [homebox] => (item=10-mail.conf)
changed: [homebox] => (item=10-logging.conf)
changed: [homebox] => (item=15-lda.conf)
changed: [homebox] => (item=15-mailboxes.conf)
changed: [homebox] => (item=20-managesieve.conf)
changed: [homebox] => (item=20-imap.conf)
changed: [homebox] => (item=20-lmtp.conf)
changed: [homebox] => (item=90-sieve.conf)
changed: [homebox] => (item=90-plugin.conf)
changed: [homebox] => (item=90-quota.conf)

RUNNING HANDLER [dovecot : Restart dovecot] ************************************************************************************************************************************************

PLAY RECAP *********************************************************************************************************************************************************************************
homebox : ok=339 changed=84 unreachable=0 failed=1
localhost : ok=0 changed=0 unreachable=0 failed=0

Where can I find this dict object?

Add tests for privoxy

Create a task that accesses the internet through the proxy, and checks if the content is filtered

SIP not working with eJabberd and LDAP

The SIP module for eJabberd apparently does not support LDAP.

More information in the links below:

One possible solution: external authentication with a script, and caching credentials:

Maybe second option: common caching option?

Emergency access

Create an emergency access procedure, allowing family members to access personal contents in
cases of force majeure.
This will need to be simple and accessible to non technical users.

Getting dovecot error while running this ansible script

Hello!

I have managed to fix all the issues with dovecot by reverting to default settings. However, I am still getting the following error with dovecot, after which the script stops.

Posting it here for benefit of others.

RUNNING HANDLER [dovecot : Restart dovecot] **********************************************************************************************************************************************
task path: /home/user/homebox/install/playbooks/roles/dovecot/handlers/main.yml:2
fatal: [homebox]: FAILED! => changed=false
msg: |-
Unable to restart service dovecot: Job for dovecot.service failed because the control process exited with error code.
See "systemctl status dovecot.service" and "journalctl -xe" for details.

external-ip-check user for cron job

I think the external-ip-check cron job should not be run as root. It makes network requests to untrusted servers, some of which using http, via the external-ip script and wget.

As it is, it writes to the /etc/homebox/external-ip file, so requires root. Maybe this file should be in something like /var/cache/external-ip/ or /var/cache/homebox/ with rights associated to a restricted user.

Should there be an apparmor profile for these scripts? (That's easy to ask for 😅)

Any thoughts?

Slapd failed to restart in debug mode

Slapd failed to restart with system.debug being true, so when debug options "-d 8 -d 64 -d 2048" are being passed in /etc/default/slapd.

The fail is reported by systemd as a timeout.

$ sudo systemctl restart slapd
Job for slapd.service failed because a timeout was exceeded.
See "systemctl status slapd.service" and "journalctl -xe" for details.

There is no specific output in journalctl.

août 10 12:12:55 systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
-- Subject: Unit slapd.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit slapd.service has begun starting up.
août 10 12:12:55 slapd[6269]: @(#) $OpenLDAP: slapd  (May 23 2018 04:25:19) $
                                       Debian OpenLDAP Maintainers <[email protected]>
août 10 12:13:11 slapd[6269]: slapd starting
août 10 12:17:32 slapd[6269]: connection_input: conn=1005 deferring operation: binding
août 10 12:17:55 systemd[1]: slapd.service: Start operation timed out. Terminating.
août 10 12:17:55 slapd[6262]: Starting OpenLDAP: slapd
août 10 12:17:55 systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
-- Subject: Unit slapd.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit slapd.service has failed.
-- 
-- The result is failed.
août 10 12:17:55 systemd[1]: slapd.service: Unit entered failed state.
août 10 12:17:55 systemd[1]: slapd.service: Failed with result 'timeout'.

And the slapd process is still hanging there afterwards.

$ ps waux | grep slapd
openldap  6269  0.0  0.4 1668008 9832 ?        Sl   12:12   0:00 /usr/sbin/slapd -h ldap://127.0.0.1:389/ ldaps:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d -d 8

The same behaviour happened with any one of these debug flags set. It starts without issue when no debug flags are passed.

The test server is a vm and not very powerful, but I am not sure if this is the issue. I have not taken much time to look into it beyond these tests, and have disabled slapd debug for my tests.

Any idea what could cause this, what to check?

a fix, some errors and a thanks to the devs

hey there, first i wanna thank you for this playbook... i started to develop my local fork a few days on it!

i have a fix suggestion:
1.
in the clamav main task you should remove line 91-97, since u dropped the virus-alert.sh script.

got also some errors:
1.
the main install task is not able to create the mail dirs until i create the users, i added in system.yml, locally on the homebox machine with useradd -r username
2.
the rspamd role main task failed every time with line 91-93 included. Is dmarc reporting also dropped?
3.
dovecot certbot task failed because apache is listening already on port 80
i guess i could write an "stop and start part" into certificates main role for it?

Add tests for Tor

One task that uses the tor proxy to get its IP address, and checks if the address is recognised as an exit node.

Hardening nginx security

Hello,

A couple of headers should be added to nginx config to make it more secure:

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Content-Security-Policy...
add_header Referrer-Policy 'strict-origin';

It would also be good to add CSP and Feature-Policy as well.
I tried to add those to nginx.conf http { section but it did not work, so had to add security.conf and use include to include those where needed.
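One common reason for headers set in the `http` block not reaching responses is nginx's inheritance rule: a block inherits `add_header` directives from its parent only if it defines no `add_header` of its own. The following added example (not part of the original issue or of the homebox code) audits a fully expanded configuration, such as the output of `nginx -T`, for `server` and `location` blocks that lose the headers this way; the sample configuration and host names are constructed, and `include` files are assumed to be already expanded.

```python
import re

# Headers from the issue above whose values are given in full (the CSP value is elided there).
REQUIRED = {"x-frame-options", "x-content-type-options", "x-xss-protection",
            "strict-transport-security", "referrer-policy"}

# Constructed sample: http-level headers, then a location and a server that override them.
SAMPLE_CONF = r'''
http {
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header Referrer-Policy 'strict-origin';
    server {
        server_name mail.example.test;
        location / { root /var/www/html; }
        location /static/ {
            add_header Cache-Control "public";   # drops every inherited header
        }
    }
    server {
        server_name sogo.example.test;
        add_header X-Frame-Options "DENY";       # same effect at server level
        location /SOGo { proxy_pass http://127.0.0.1:20000; }
    }
}
'''

# Comments, quoted strings, structural characters, bare words (simplified grammar).
TOKEN_RE = re.compile(r'''#[^\n]*|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[{};]|[^\s{};#"']+''')


def parse(text):
    """Build a tree of blocks, keeping only the add_header names of each block."""
    root = {"name": "main", "headers": [], "children": []}
    stack, words = [root], []
    for tok in TOKEN_RE.findall(text):
        if tok.startswith("#"):
            continue
        if tok == ";":
            if len(words) > 1 and words[0] == "add_header":
                stack[-1]["headers"].append(words[1])
            elif len(words) > 1 and words[0] == "server_name":
                stack[-1]["name"] = "server " + words[1]   # label for the report
            words = []
        elif tok == "{":
            block = {"name": " ".join(words), "headers": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            words = []
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
            words = []
        else:
            words.append(tok.strip("\"'"))
    return root


def audit(block, inherited=frozenset(), path=()):
    """Return [(block path, missing headers)] for server and location blocks."""
    own = frozenset(h.lower() for h in block["headers"])
    effective = own or inherited      # any add_header here discards the parent's set
    path = path + (block["name"],)
    findings = []
    if block["name"].partition(" ")[0] in ("server", "location"):
        missing = sorted(REQUIRED - effective)
        if missing:
            findings.append((" > ".join(path), missing))
    for child in block["children"]:
        findings += audit(child, effective, path)
    return findings


def check(conf_text):
    return audit(parse(conf_text))


if __name__ == "__main__":
    for where, missing in check(SAMPLE_CONF):
        print(f"{where}: missing {', '.join(missing)}")
```

Keeping the headers in one file and including it in every block that sets its own `add_header`, as the issue author ended up doing with security.conf, is the usual way to satisfy this check.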

Email address expiration

Create a temporary email address, with an expiry date. Useful to quickly subscribe to a service, then not share the email any more.

For instance: [email protected]

The address above would expire the 02/02/2019.

Cannot build Debian installation disc

Hi,

I am having problems with building Debian ISO using the system.yml from here - https://homebox.readthedocs.io/en/latest/preseed/

Here is what I get:

Building cdbuild
Step 1/21 : FROM debian:stable
---> 882fa751e902
Step 2/21 : RUN echo 'deb http://deb.debian.org/debian/ stretch-backports main contrib non-free' >>/etc/apt/sources.list
---> Using cache
---> be836e20247b
Step 3/21 : RUN apt -qq update
---> Using cache
---> fbd0b46aedfb
Step 4/21 : RUN useradd -ms /bin/dash cdbuild
---> Using cache
---> 8f198caf60f0
Step 5/21 : RUN mkdir -p /home/cdbuild/misc/root/.ssh
---> Using cache
---> fb0b34a946e0
Step 6/21 : COPY --chown=cdbuild:cdbuild ./config/authorized_keys /home/cdbuild/misc/root/.ssh/authorized_keys
---> Using cache
---> b6546622f2eb
Step 7/21 : RUN apt -qq install -t stretch-backports -y simple-cdd
---> Using cache
---> ec3eea7eb7b8
Step 8/21 : RUN apt -qq install -t stretch-backports -y ansible
---> Using cache
---> 7db06386dfe2
Step 9/21 : COPY --chown=cdbuild:cdbuild ./misc /home/cdbuild/misc/
---> Using cache
---> 3f2158f7fc17
Step 10/21 : RUN rm -f /home/cdbuild/misc/readme.md
---> Using cache
---> e75876119edd
Step 11/21 : COPY --chown=cdbuild:cdbuild ./playbooks /home/cdbuild/playbooks/
---> Using cache
---> e43e0f02d502
Step 12/21 : COPY --chown=cdbuild:cdbuild ./config /home/cdbuild/config/
---> 394eae5a3a34
Step 13/21 : USER cdbuild
---> Running in 7ab7d7a6a400
Removing intermediate container 7ab7d7a6a400
---> 8ed8879a9d49
Step 14/21 : WORKDIR /home/cdbuild
---> Running in 976ff45a1bb7
Removing intermediate container 976ff45a1bb7
---> b9d0b0ae208a
Step 15/21 : COPY --chown=cdbuild:cdbuild ansible/ansible.cfg /home/cdbuild
---> 163509ba6c38
Step 16/21 : COPY --chown=cdbuild:cdbuild ansible/hosts.yml /home/cdbuild
---> 448278cdb8a3
Step 17/21 : RUN ansible-playbook -vv -i hosts.yml -l localhost playbooks/docker.yml
---> Running in 19e3c7de1c85
ansible-playbook 2.7.5
config file = /home/cdbuild/ansible.cfg
configured module search path = [u'/home/cdbuild/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 2.7.13 (default, Sep 26 2018, 18:42:22) [GCC 6.3.0 20170516]
Using /home/cdbuild/ansible.cfg as config file
/home/cdbuild/hosts.yml did not meet host_list requirements, check plugin documentation if this is unexpected
/home/cdbuild/hosts.yml did not meet script requirements, check plugin documentation if this is unexpected

PLAYBOOK: docker.yml ***********************************************************
1 plays in playbooks/docker.yml

PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
task path: /home/cdbuild/playbooks/docker.yml:4
ok: [localhost]
META: ran handlers

TASK [build-iso : Create the working directory in /tmp/build-mydomain.com] ******
task path: /home/cdbuild/playbooks/roles/build-iso/tasks/main.yml:3
changed: [localhost] => changed=true
gid: 1000
group: cdbuild
mode: '0755'
owner: cdbuild
path: /tmp/build-mydomain.com
size: 4096
state: directory
uid: 1000

TASK [build-iso : Copy the configuration file for mydomain.com] *****************
task path: /home/cdbuild/playbooks/roles/build-iso/tasks/main.yml:9
changed: [localhost] => changed=true
checksum: 2865bf6b05b3b7a513d8bb26c29984b442d18d76
dest: /tmp/build-mydomain.com/common.conf
gid: 1000
group: cdbuild
md5sum: 424503128a4211d18154c6558d15a08b
mode: '0644'
owner: cdbuild
size: 6099
src: /home/cdbuild/.ansible/tmp/ansible-tmp-1557782818.43-27653293662334/source
state: file
uid: 1000

TASK [build-iso : Copy the build script] ***************************************
task path: /home/cdbuild/playbooks/roles/build-iso/tasks/main.yml:15
changed: [localhost] => (item=build-mirror.sh) => changed=true
checksum: f84263890d653e632f0d20ddd37303a450a75a19
dest: /tmp/build-mydomain.com/build-mirror.sh
file: build-mirror.sh
gid: 1000
group: cdbuild
md5sum: 5f1b98b47ab7ee8c78768a758af99d57
mode: '0744'
owner: cdbuild
size: 514
src: /home/cdbuild/.ansible/tmp/ansible-tmp-1557782819.49-18835295126653/source
state: file
uid: 1000
failed: [localhost] (item=build-cd.sh) => changed=false
file: build-cd.sh
msg: 'AnsibleUndefinedVariable: ''dict object'' has no attribute ''version'''

PLAY RECAP *********************************************************************
localhost : ok=3 changed=2 unreachable=0 failed=1

ERROR: Service 'cdbuild' failed to build: The command '/bin/sh -c ansible-playbook -vv -i hosts.yml -l localhost playbooks/docker.yml' returned a non-zero code: 2
Unable to find image 'cdbuild:latest' locally
docker: Error response from daemon: pull access denied for cdbuild, repository does not exist or may require 'docker login'.
See 'docker run --help'.

Looks like the problem is with main.yml, with 'copy the build script'
I would appreciate if anybody can help me with this. Thanks!
