Merge pull request #482 from NethServer/master

Merge master to v7

administrator-manual/en/.tx/config

@@ -415,3 +415,22 @@ file_filter = locale/<lang>/LC_MESSAGES/web_server.po
 source_file = _build/locale/web_server.pot
 source_lang = en
 type = PO
+
+[docs-v7.launcher]
+file_filter = locale/<lang>/LC_MESSAGES/launcher.po
+source_file = _build/locale/launcher.pot
+source_lang = en
+type = PO
+
+
+[docs-v7.blacklist]
+file_filter = locale/<lang>/LC_MESSAGES/blacklist.po
+source_file = _build/locale/blacklist.pot
+source_lang = en
+type = PO
+
+[docs-v7.mssql]
+file_filter = locale/<lang>/LC_MESSAGES/mssql.po
+source_file = _build/locale/mssql.pot
+source_lang = en
+type = PO

administrator-manual/en/base_system2.rst

@@ -237,7 +237,7 @@ The shell and the processes will run with the user privileges.
 Role delegation
 ===============
 
-On complex environments, the *root* user can delegate the access of some section
+On complex environments, the *root* user can :index:`delegate` the access of some section
 to specific groups of local users.
 
 A local user can be delegated to access:
@@ -261,3 +261,48 @@ The following pages are always accessible to all users:
 * dashboard
 * applications
 * terminal
+
+Two-factor authentication (2FA)
+===============================
+
+Two-factor authentication (2FA) can be used to add an extra layer of security required to access the new Server Manager.
+First, users will enter user name and password, then they will be required to provide a temporary verification code
+generated by an application running on their smartphone.
+
+2FA is disabled by default. Each user can enable it by accessing the :guilabel:`Two-factor authentication` section
+under :guilabel:`Settings` page, then following these steps:
+
+1. download and install the preferred 2FA application inside the smartphone
+2. scan the QR code with the 2FA application
+3. generate a new code and copy it inside :guilabel:`Verification code` field, than click :button:`Check code`
+4. if the verification code is correct, click on the :button:`Save` button
+
+Recovery codes
+--------------
+
+Recovery codes can be used instead of temporary codes if the user cannot access the 2FA application on the smartphone.
+Each recovery code is a one-time password and can be used only once.
+
+To generate new recovery codes, disable 2FA, then re-enable it by registering the application again following the above steps.
+
+Smartphone applications
+-----------------------
+
+There are several commercial and open source 2FA applications:
+
+Available for both Android and iOS:
+
+- `FreeOTP <https://freeotp.github.io/>`_: available for both Android and iOS
+- `Authenticator <https://mattrubin.me/authenticator/>`_: available on iOS only
+- `andOTP <https://github.com/andOTP/andOTP>`_: available for both Android and iOS https://github.com/andOTP/andOTP
+
+Emergency recovery
+------------------
+
+In case of emergency, 2FA can be disabled accessing the server from a physical console like a keyboard and a monitor,
+a serial cable or a VNC-like connection for virtual machines:
+
+1. access the system with user name and password
+2. execute: ::
+     rm -f ~/.2fa.secret
+     sudo /sbin/e-smith/signal-event -j otp-save

administrator-manual/en/blacklist.rst

@@ -0,0 +1,47 @@
+=============
+Threat shield
+=============
+
+.. note::
+
+  The configuration page of this module is available only in the new Server Manager.
+
+
+The threat shield blocks connections to and from malicious hosts, preventing attacks, service abuse, malware, and other cybercrime activities.
+The package can be installed both on firewalls and on machines without a red interface, like mail servers
+or PBXs.
+
+Configuration
+=============
+
+First, access the threat shield web interface to set the download URL for the blacklists.
+
+After setting the URL, the administrator can choose what :index:`blacklist` categories should be enabled.
+Each category can have a :guilabel:`Confidence` score between 0 and 10.
+Categories with a higher confidence are less prone to false positives.
+
+Enabled categories will be automatically updated at regular intervals.
+
+The download URL must contain a valid GIT repository.
+Administrators can choose a public repository, like `Firehol ipsets one <https://github.com/firehol/blocklist-ipsets>`_,
+or subscribe to a commercial service. If the machine has a Community or an Enterprise subscription, the access to the URL
+will be authenticated using system id and secret.
+
+Experienced administrators can also `setup their own blacklist server <https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-blacklist.html#setup-a-blacklist-server>`_.
+
+Whitelist
+---------
+
+In case of a false positive, a host or a CIDR can be added to the local :guilabel:`Whitelist`.
+If the firewall module is installed, the whitelist will also accept host and CIDR firewall objects.
+
+Hosts should be added to the whitelist only for a limited period of time.
+As a best pratice, when a false positive is found, please report it to the blacklist maintainer.
+
+Incident response
+=================
+
+The :guilabel:`Analysis` page displays most recent attacks which can be filtered by source, destination, protocol and port.
+Using the :guilabel:`Check IP address` section, administrators can also check if a given IP has been blacklisted by an enabled category.
+
+For advanced log analysis with regular expressions support, use the :guilabel:`Logs` page.

administrator-manual/en/dns.rst

@@ -47,3 +47,28 @@ The server will then be accessible from clients on the LAN even using the name y
 Aliases are only valid for the internal LAN. If you want the server is reachable from the outside with the same name 
 you need to ask the provider to associate the public address of the server to the desired name.
 
+
+.. _dns_redirection-section:
+
+Domain redirection
+==================
+
+The administrator can override the upstream DNS for specific domains.
+A typical usage scenario is setting the Active Directory server as resolver for the queries to the internal domain.
+
+Such changes can be done by editing the ``DomainRedirection`` property via command line.
+The property accepts a comma-separated list of couples in the form ``<domain>:<ip_address>``.
+
+Example: ::
+
+  config setprop dnsmasq DomainRedirection my.local.domain.org:192.168.1.1,my.domain.com:192.168.1.2
+  signal-event nethserver-dnsmasq-save
+
+The ``my.domain.org:192.168.1.1`` configuration will send all queries for ``my.local.domain.org`` to ``192.168.1.1``. 
+
+The special server address ``#`` can be used to send queries to the default DNS server. Example: ::
+
+  config setprop dnsmasq DomainRedirection domain.org:1.1.1.1,sub.domain.org:#
+  signal-event nethserver-dnsmasq-save
+
+In this example all queries for ``domain.org`` will be sent to ``1.1.1.1``, while queries for ``sub.domain.org`` will be sent to default upstream DNS.

administrator-manual/en/index.rst

@@ -115,6 +115,7 @@ Administrator Manual
    fail2ban
    rspamd
    antivirus
+   blacklist
 
 .. toctree::
    :hidden:
@@ -131,6 +132,7 @@ Administrator Manual
        sogo
        phpVirtualBox
        hotsync
+       mssql
 
 .. toctree::
    :maxdepth: 2

administrator-manual/en/mail.rst

@@ -82,11 +82,11 @@ Append a legal notice
 .. warning::
 
     Since |product| 7.5.1804 this feature is shipped in a separate, optional
-    package: ``nethserver-mail2-disclaimer``. It is considered *deprecated*
+    package: ``nethserver-mail-disclaimer``. It is considered *deprecated*
     because the alterMIME [#alterMIME]_ project which provides the actual
     implementation is no longer developed and can stop working at any time.
 
-If the optional ``nethserver-mail2-disclaimer`` package was installed from the
+If the optional ``nethserver-mail-disclaimer`` package was installed from the
 :guilabel:`Software center`, |product| can automatically :guilabel:`append a
 legal notice to sent messages`. This text is also known as "disclaimer" and
 it can be used to meet some legal requirements.
@@ -270,6 +270,24 @@ use the following credentials:
 * user name: ``john*root``
 * password: ``secr3t``
 
+Users could share their mailbox (or some parts of it, folders) with selected accounts on the system. 
+Everyone who is given access to a shared mailbox can read or delete messages according to permissions
+granted by the mailbox owner.
+
+An IMAP flag named ``/Seen`` is used to mark if a message has been read or not. In a shared mailbox,
+each user has their copy of the messages they have read, but sometimes a team sharing a mailbox
+could prefer to know if a mail has already been read by someone else.
+To enable sharing of the ``/Seen`` flag for all shared mailboxes use the following commands: ::
+
+    config setprop dovecot SharedSeen enabled
+    signal-event nethserver-mail-server-save
+
+Please note that changing the ``SharedSeen`` status resets the ``/Seen`` flag for all users on all mailboxes.
+
+Public folders are created by the administrator and are usually visible to all users (or large groups).
+The ``/Seen`` flag is kept for each user and it cannot be shared.
+
+
 .. _email_messages:
 
 Messages

administrator-manual/en/mssql.rst

@@ -0,0 +1,86 @@
+====================
+Microsoft SQL Server
+====================
+
+.. note::
+
+  This package is not supported in NethServer Enterprise
+
+
+With this package you can install Microsoft SQL Server on NethServer: it will automatically configure Microsoft repository and default configuration.
+
+
+Installation
+============
+
+To install this package go on Software Center and install Microsoft SQL Server application. Otherwise use this command: ::
+
+    yum install -y nethserver-mssql --enablerepo=nethforge
+    
+
+Default configuration
+=====================
+
+When installed the module generates a default configuration as follow:
+* Auto-generated SA password saved in /var/lib/nethserver/secrets/mssql
+* Create default MSSQL databases (master, model, msdb, tempdb)
+* Allow access to SQL service from Green network on default port 1433
+
+User can change access network from Cockpit Services page or from Firewall section.
+
+Database example: ::
+
+    mssql-server=service
+        ProductId=express
+        ProductKey=
+        TCPPort=1433
+        access=green
+        status=enabled
+
+
+Install mssql-server service
+============================
+
+The package needs a first configuration. Please access the Cockpit application and select MSSQL edition between these options: Evaluation, Developer, Web, Express, Standard, Enterprise. Alternatively it is possibile also to insert a product key.
+
+You can do this also from command line: ::
+
+    config setprop mssql-server ProductId <version>
+    signal-event nethserver-mssql-save
+    
+
+Instead, if you want to configure a product key use these commands: ::
+  
+    config setprop mssql-server ProductId key
+    config setprop mssql-server ProductKey <ProductKey>
+    signal-event nethserver-mssql-save
+    
+
+.. note::
+
+  After save event is launched, Microsoft package download will starts: this phase can be long, depending on Internet connection.
+
+
+Now your SQL Server is ready to use!
+
+
+Helpful actions
+===============
+
+Directly from Cockpit interface you can:
+* create a new database under Databases page
+* view and change SA password under Settings page
+* see SQL Server status in MSSQL Dashboard page
+* change SQL Server edition from Settings page
+
+
+.. warning::
+
+  Don't change SA password from SQL Server, but use Cockpit interface. Otherwise NethServer will not able to load correct informations and perform backup-data.
+
+
+Backup and restore
+==================
+
+Configuration is saved with backup-config event. After you've restored configuration on new server download of MSSQL package will starts in post-config-restore event.
+Database are automatically saved in backup-data event. They will be restored in post-restore-data.