Releases: mail-in-a-box/mailinabox
v0.47
v0.47 (July 29, 2020)
---------------------

Security fixes:
* Roundcube is updated to version 1.4.7 fixing a cross-site scripting (XSS) vulnerability with HTML messages with malicious svg/na$
* SSH connections are now rate-limited at the firewall level (in addition to fail2ban).
v0.46
v0.45 (May 16, 2020)
Security fixes:
* Fix missing brute force login protection for Roundcube logins.

Software updates:
* Upgraded Roundcube from 1.4.2 to 1.4.4.
* Upgraded Nextcloud from 17.0.2 to 17.0.6 (with Contacts from 3.1.6 to 3.3.0 and Calendar from 1.7.1 to v2.0.3)
* Upgraded Z-Push to 2.5.2.

System:
* Nightly backups now occur on a random minute in the 3am hour (in the system time zone). The minute is chosen during Mail-in-a-Box installation/upgrade and remains the same until the next upgrade.
* Fix for mail log statistics report on leap days.
* Fix Mozilla autoconfig useGlobalPreferredServer setting.

Web:
* Add a new hidden feature to set nginx alias in www/custom.yaml.

Setup:
* Improved error handling.
v0.40 (January 12, 2019)
------------------------

This is the first release for Ubuntu 18.04. This version and versions going forward can **only** be installed on Ubuntu 18.04; however, upgrades of existing Ubuntu 14.04 boxes to the latest version supporting Ubuntu 14.04 (v0.30) continue to work as normal.

When **upgrading**, you **must first upgrade your existing Ubuntu 14.04 Mail-in-a-Box box** to the latest release supporting Ubuntu 14.04 --- that's v0.30 --- before you migrate to Ubuntu 18.04. If you are running an older version of Mail-in-a-Box which has an old version of ownCloud or Nextcloud, you will *not* be able to upgrade your data because older versions of ownCloud and Nextcloud that are required to perform the upgrade *cannot* be run on Ubuntu 18.04. To upgrade from Ubuntu 14.04 to Ubuntu 18.04, you **must create a fresh Ubuntu 18.04 machine** before installing this version. In-place upgrades of servers are not supported. Since Ubuntu's support for Ubuntu 14.04 has almost ended, everyone is encouraged to create a new Ubuntu 18.04 machine and migrate to it.

For complete upgrade instructions, see: https://discourse.mailinabox.email/t/mail-in-a-box-version-v0-40-and-moving-to-ubuntu-18-04/4289

The changelog for this release follows.

Setup:
* Mail-in-a-Box now targets Ubuntu 18.04 LTS, which will have support from Ubuntu through 2022.
* Some of the system packages updated by virtue of using Ubuntu 18.04 include postfix (2.11=>3.3), nsd (4.0=>4.1), nginx (1.4=>1.14), PHP (7.0=>7.2), Python (3.4=>3.6), fail2ban (0.8=>0.10), Duplicity (0.6=>0.7).
* [Unofficial Bash Strict Mode](http://redsymbol.net/articles/unofficial-bash-strict-mode/) is turned on for setup, which might catch previously uncaught issues during setup.

Mail:
* IMAP server-side full text search is no longer supported because we were using a custom-built `dovecot-lucene` package that we are no longer maintaining.
* Sending email is now disabled on port 25 --- you must log in to port 587 to send email, per the long-standing mail instructions.
* Greylisting may delay more emails from new senders. We were using a custom-built postgrey package previously that whitelisted sending domains in dnswl.org, but we are no longer maintaining that package.
v0.30 (January 9, 2019)
-----------------------

Setup:
* Update to Roundcube 1.3.8 and the CardDAV plugin to 3.0.3.
* Add missing rsyslog package to install line since some OS images don't have it installed by default.
* A log file for nsd was added.

Control Panel:
* The users page now documents that passwords should only have ASCII characters to prevent character encoding mismatches between clients and the server.
* The users page no longer shows user mailbox sizes because this was extremely slow for very large mailboxes.
* The Mail-in-a-Box version is now shown in the system status checks even when the new-version check is disabled.
* The aliases page now warns that aliases should not be used to forward mail off of the box. Mail filters within Roundcube are better for that.
* The explanation of greylisting has been improved.
v0.26 (January 18, 2018)
------------------------

Security:
* HTTPS, IMAP, and POP's TLS settings have been updated to Mozilla's intermediate cipher list recommendation. Some extremely old devices that use less secure TLS ciphers may no longer be able to connect to IMAP/POP.
* Updated web HSTS header to use a longer six-month duration.

Mail:
* Adding attachments in Roundcube broke after the last update for some users after rebooting because a temporary directory was deleted on reboot. The temporary directory is now moved from /tmp to /var so that it is persistent.
* `X-Spam-Score` header is added to incoming mail.

Control panel:
* RSASHA256 is now used for DNSSEC for .lv domains.
* Some documentation/links improvements.

Installer:
* We now run `apt-get autoremove` at the start of setup to clear out old packages, especially old kernels that take up a lot of space. On the first run, this step may take a long time.
* We now fetch Z-Push from its tagged git repository, fixing an installation problem.
* Some old PHP5 packages are removed from setup, fixing an installation bug where Apache would get installed.
* Python 3 packages for the control panel are now installed using a virtualenv to prevent installation errors.
v0.25 (November 15, 2017)
-------------------------

This update is a security update addressing [CVE-2017-16651, a vulnerability in Roundcube webmail that allows logged-in users to access files on the local filesystem](https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10).

Mail:
* Update to Roundcube 1.3.3.

Control Panel:
* Fix DNS validation to allow wildcard custom DNS entries to be set.
v0.24
v0.24 (October 3, 2017)
System:
- Install PHP7 via a PPA. Switch to the on-demand process manager.
Mail:
- Updated to Roundcube 1.3.1, but unfortunately dropping the Vacation plugin because it has not been supported by its author and is not compatible with Roundcube 1.3, and updated the persistent login plugin.
- Updated to Z-Push 2.3.8.
- Dovecot now uses stronger 2048 bit DH params for better forward secrecy.
Nextcloud:
- Nextcloud updated to 12.0.3, using PHP7.
Control Panel:
- Nameserver (NS) records can now be set on custom domains.
- Fix an erroneous status check error due to IPv6 address formatting.
- Aliases for administrative addresses can now be set to send mail to +tag administrative addresses.
v0.12
This is a minor update to v0.11, which was a major update. Please read v0.11's advisories.

* The administrator@ alias was incorrectly created starting with v0.11. If your first install was v0.11, check that the administrator@ alias forwards mail to you.
* Intrusion detection rules (fail2ban) are relaxed (i.e. less is blocked).
* SSL certificates could not be installed for the new automatic 'www.' redirect domains.
* PHP's default character encoding is changed from no default to UTF8. The effect of this change is unclear but should prevent possible future text conversion issues.
* User-installed SSL private keys in the BEGIN PRIVATE KEY format were not accepted.
* SSL certificates with SAN domains with IDNA encoding were broken in v0.11.
* Some IDNA functionality was using IDNA 2003 rather than IDNA 2008.
v0.11 (June 29, 2015)
---------------------

Advisories:
* Users can no longer spoof arbitrary email addresses in outbound mail. When sending mail, the email address configured in your mail client must match the SMTP login username being used, or the email address must be an alias with the SMTP login username listed as one of the alias's targets.
* This update replaces your DKIM signing key with a stronger key. Because of DNS caching/propagation, mail sent within a few hours after this update could be marked as spam by recipients. If you use External DNS, you will need to update your DNS records.
* The box will now install software from a new Mail-in-a-Box PPA on Launchpad.net, where we are distributing two of our own packages: a patched postgrey and dovecot-lucene.

Mail:
* Greylisting will now let some reputable senders pass through immediately.
* Searching mail (via IMAP) will now be much faster using the dovecot lucene full text search plugin.
* Users can no longer spoof arbitrary email addresses in outbound mail (see above).
* Fix for deleting admin@ and postmaster@ addresses.
* Roundcube is updated to version 1.1.2, plugins updated.
* Exchange/ActiveSync autoconfiguration was not working on all devices (e.g. iPhone) because of a case-sensitive URL.
* The DKIM signing key has been increased to 2048 bits, from 1024, replacing the existing key.

Web:
* 'www' subdomains now automatically redirect to their parent domain (but you'll need to install an SSL certificate).
* OCSP no longer uses Google Public DNS.
* The installed PHP version is no longer exposed through HTTP response headers, for better security.

DNS:
* Default IPv6 AAAA records were missing since version 0.09.

Control panel:
* Resetting a user's password now forces them to log in again everywhere.
* Status checks were not working if an ssh server was not installed.
* SSL certificate validation now uses the Python cryptography module in some places where openssl was used.
* There is a new tab to show the installed version of Mail-in-a-Box and to fetch the latest released version.

System:
* The munin system monitoring tool is now installed and accessible at /admin/munin.
* ownCloud updated to version 8.0.4. The ownCloud installation step is now resilient to download problems. The ownCloud configuration file is now stored in STORAGE_ROOT to fix loss of data when moving STORAGE_ROOT to a new machine.
* The setup scripts now run `apt-get update` prior to installing anything to ensure the apt database is in sync with the packages actually available.