Repository Analysis

mail-in-a-box/mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.

14.0 Low AI signal
Adjusted Score: 14.0
Raw Score: 14.0
Time Factor: 100%
Last Push: 2026-05-24
Stars: 15,314
Language: Python
Lines of Code: 21,120
Files: 85
Pattern Hits: 195
Scan Date: 2026-05-31

Severity Breakdown

CRITICAL 0 · HIGH 1 · MEDIUM 48 · LOW 146

Pattern Findings

195 matches across 9 categories.

Self-Referential Comments: 30 hits · 86 pts
Severity | File | Line | Snippet
MEDIUM | setup/munin.sh | 64 | # Create a systemd service for munin.
MEDIUM | setup/management.sh | 24 | # Create a virtualenv for the installation of Python 3 packages
MEDIUM | setup/management.sh | 54 | # Create a backup directory and a random key for encrypting backups.
MEDIUM | setup/management.sh | 85 | # Create an init script to start the management daemon and keep it
MEDIUM | setup/ssl.sh | 6 | # Create an RSA private key, a self-signed SSL certificate, and some
MEDIUM | setup/ssl.sh | 39 | # Create a directory to store TLS-related things like "SSL" certificates.
MEDIUM | setup/dkim.sh | 45 | # Create a new DKIM key. This creates mail.private and mail.txt
MEDIUM | setup/firstuser.sh | 50 | # Create the user's mail account. This will ask for a password if none was given above.
MEDIUM | setup/firstuser.sh | 56 | # Create an alias to which we'll direct all automatically-created administrative aliases.
MEDIUM | setup/web.sh | 102 | # Create the iOS/OS X Mobile Configuration file which is exposed via the
MEDIUM | setup/web.sh | 115 | # Create the Mozilla Auto-configuration file which is exposed via the
MEDIUM | setup/web.sh | 125 | # Create a generic mta-sts.txt file which is exposed via the
MEDIUM | setup/dns.sh | 49 | # Create a directory for additional configuration directives, including
MEDIUM | setup/dns.sh | 96 | # Create the Key-Signing Key (KSK) (with `-k`) which is the so-called
MEDIUM | setup/mail-users.sh | 20 | # Create an empty database if it doesn't yet exist.
MEDIUM | setup/webmail.sh | 105 | # Create a configuration file.
MEDIUM | setup/start.sh | 69 | # Create the STORAGE_USER and STORAGE_ROOT directory if they don't already exist.
MEDIUM | setup/nextcloud.sh | 127 | # Create a symlink to the config.php in STORAGE_ROOT (for upgrades we're restoring the symlink we previously
MEDIUM | setup/nextcloud.sh | 182 | # Create a backup directory to store the current installation and database to
MEDIUM | setup/nextcloud.sh | 255 | # Create an initial configuration file.
MEDIUM | setup/nextcloud.sh | 281 | # Create an auto-configuration file to fill in database settings
MEDIUM | management/auth.py | 130 | # Create a token that changes if the user's password or MFA options change
MEDIUM | management/auth.py | 143 | # Create a new session.
MEDIUM | management/ssl_certificates.py | 304 | # Create a CSR file for our master private key so that certbot
MEDIUM | management/backup.py | 271 | # Create an global exclusive lock so that the backup script
MEDIUM | management/dns_update.py | 135 | # Create a dictionary of domains to a set of attributes for each
MEDIUM | management/dns_update.py | 660 | # Create a stable (by sorting the items) hash of all of the private keys
MEDIUM | management/dns_update.py | 724 | # Create a DS record based on the patched-up key files. The DS record is specific to the
MEDIUM | management/daemon.py | 138 | # Create a session key by checking the username/password in the Authorization header.
MEDIUM | management/daemon.py | 590 | # Create a temporary pool of processes for the status checks
Over-Commented Block: 71 hits · 71 pts
Severity | File | Line | Snippet
LOW | tools/parse-nginx-log-bootstrap-accesses.py | 1 | #!/usr/bin/python3
LOW | tools/editconf.py | 1 | #!/usr/bin/python3
LOW | setup/zpush.sh | 1 | #!/bin/bash
LOW | setup/management.sh | 1 | #!/bin/bash
LOW | setup/spamassassin.sh | 1 | #!/bin/bash
LOW | setup/spamassassin.sh | 41 | # check with: pyzor --homedir /etc/mail/spamassassin/pyzor ping
LOW | setup/spamassassin.sh | 61 | # content or execute scripts, and it is probably confusing to most users.
LOW | setup/spamassassin.sh | 121 | # -----------------
LOW | setup/ssl.sh | 1 | #!/bin/bash
LOW | setup/ssl.sh | 41 | mkdir -p "$STORAGE_ROOT/ssl"
LOW | setup/mail-postfix.sh | 1 | #!/bin/bash
LOW | setup/mail-postfix.sh | 21 | # connections from users who can authenticate and then sends
LOW | setup/mail-postfix.sh | 41 | # always will.
LOW | setup/mail-postfix.sh | 81 | tools/editconf.py /etc/postfix/main.cf \
LOW | setup/mail-postfix.sh | 121 | # Modify the `outgoing_mail_header_filters` file to use the local machine name and ip
LOW | setup/mail-postfix.sh | 161 | # relayed elsewhere. We don't want to be an "open relay". On outbound
LOW | setup/mail-postfix.sh | 181 | # for opportunistic encryption but "Intermediate" recommendations when DANE
LOW | setup/mail-postfix.sh | 221 | # Who can send mail to us? Some basic filters.
LOW | setup/mail-postfix.sh | 241 | smtpd_recipient_restrictions="permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org=127.0.0.[2
LOW | setup/mail-dovecot.sh | 1 | #!/bin/bash
LOW | setup/mail-dovecot.sh | 21 |
LOW | setup/mail-dovecot.sh | 41 | # can be allocated. It should be set *reasonably high* to avoid allocation
LOW | setup/mail-dovecot.sh | 121 | # are made available (IMAPS on port 993; POP3S on port 995).
LOW | setup/mail-dovecot.sh | 141 |
LOW | setup/mail-dovecot.sh | 181 | "postmaster_address=postmaster@$PRIMARY_HOSTNAME"
LOW | setup/dkim.sh | 41 | RequireSafeKeys false
LOW | setup/dkim.sh | 101 | # intercepts outgoing mail to perform the signing (by adding a mail header)
LOW | setup/web.sh | 21 |
LOW | setup/system.sh | 21 | # permissions (group writeable) set on the following directories.
LOW | setup/system.sh | 121 | # PPAs so we can install those packages later.
LOW | setup/system.sh | 161 | fi
LOW | setup/system.sh | 201 | # * DNSSEC signing keys (see `dns.sh`)
LOW | setup/system.sh | 221 | # entropy saved across boots to a local file" as well as the order of
LOW | setup/system.sh | 301 | # (This is unrelated to the box's public, non-recursive DNS server that
LOW | setup/system.sh | 321 | #
LOW | setup/system.sh | 381 | # On first installation, the log files that the jails look at don't all exist.
LOW | setup/functions.sh | 41 | #
LOW | setup/functions.sh | 81 | }
LOW | setup/functions.sh | 101 | # assigned to an interface. `ip route get` reports the
LOW | setup/bootstrap.sh | 1 | #!/bin/bash
LOW | setup/dns.sh | 81 | # TLDs, registrars, and validating nameservers don't all support the same algorithms,
LOW | setup/dns.sh | 101 | # we're capturing into the `KSK` variable.
LOW | setup/dns.sh | 121 | # * `K_domain_.+007+08882.ds`: DS record normally provided to domain name registrar (but it's actually invalid with `_d
LOW | setup/mail-users.sh | 1 | #!/bin/bash
LOW | setup/mail-users.sh | 81 |
LOW | setup/mail-users.sh | 121 | # SQL statement to check if we handle incoming mail for a user.
LOW | setup/mail-users.sh | 141 | # before postfix gets to the third query for catch-alls/domain alises.
LOW | setup/webmail.sh | 1 | #!/bin/bash
LOW | setup/webmail.sh | 21 | # These dependencies are from `apt-cache showpkg roundcube-core`.
LOW | setup/start.sh | 1 | #!/bin/bash
LOW | setup/start.sh | 61 | # Skip on existing installs since we don't want this to block the ability to
LOW | setup/questions.sh | 1 | #!/bin/bash
LOW | setup/nextcloud.sh | 1 | #!/bin/bash
LOW | setup/nextcloud.sh | 21 | # we automatically install intermediate versions as needed.
LOW | setup/nextcloud.sh | 41 |
LOW | setup/nextcloud.sh | 301 | chown -R www-data:www-data "$STORAGE_ROOT/owncloud" /usr/local/lib/owncloud
LOW | setup/nextcloud.sh | 441 | EOF
LOW | tests/tls.py | 1 | #!/usr/bin/python3
LOW | management/auth.py | 81 | # The user is trying to log in with a username and a password
LOW | management/ssl_certificates.py | 101 |
11 more matches not shown…
Decorative Section Separators: 15 hits · 45 pts
Severity | File | Line | Snippet
MEDIUM | setup/zpush.sh | 4 | # ----------------------------------------------
MEDIUM | setup/spamassassin.sh | 3 | # -------------------------------------------
MEDIUM | setup/spamassassin.sh | 16 | # ----------------------------------------
MEDIUM | setup/spamassassin.sh | 72 | # ---------------------------------------
MEDIUM | setup/spamassassin.sh | 121 | # -----------------
MEDIUM | setup/ssl.sh | 4 | # -------------------------------------------
MEDIUM | setup/mail-postfix.sh | 4 | # --------------
MEDIUM | setup/mail-dovecot.sh | 4 | # ----------------------
MEDIUM | setup/system.sh | 6 | # -------------------------
MEDIUM | setup/dns.sh | 3 | # -----------------------------------------------
MEDIUM | setup/mail-users.sh | 4 | # ----------------------------------------------
MEDIUM | setup/webmail.sh | 3 | # ----------------------
MEDIUM | setup/nextcloud.sh | 16 | # --------------
MEDIUM | setup/nextcloud.sh | 28 | # --------------
MEDIUM | setup/nextcloud.sh | 51 | # ----------------------------
Deep Nesting: 37 hits · 37 pts
Severity | File | Line | Snippet
LOW | tools/readable_bash.py | 299 |
LOW | tools/readable_bash.py | 402 |
LOW | setup/migrate.py | 69 |
LOW | setup/migrate.py | 150 |
LOW | tests/tls.py | 70 |
LOW | management/ssl_certificates.py | 12 |
LOW | management/ssl_certificates.py | 172 |
LOW | management/ssl_certificates.py | 240 |
LOW | management/ssl_certificates.py | 24 |
LOW | management/backup.py | 157 |
LOW | management/backup.py | 441 |
LOW | management/status_checks.py | 92 |
LOW | management/status_checks.py | 333 |
LOW | management/status_checks.py | 399 |
LOW | management/status_checks.py | 538 |
LOW | management/status_checks.py | 740 |
LOW | management/status_checks.py | 1012 |
LOW | management/dns_update.py | 175 |
LOW | management/dns_update.py | 474 |
LOW | management/dns_update.py | 671 |
LOW | management/dns_update.py | 750 |
LOW | management/dns_update.py | 803 |
LOW | management/dns_update.py | 855 |
LOW | management/dns_update.py | 890 |
LOW | management/dns_update.py | 982 |
LOW | management/dns_update.py | 1027 |
LOW | management/mail_log.py | 63 |
LOW | management/mail_log.py | 93 |
LOW | management/mail_log.py | 326 |
LOW | management/mail_log.py | 390 |
LOW | management/mail_log.py | 421 |
LOW | management/mail_log.py | 641 |
LOW | management/web_update.py | 59 |
LOW | management/web_update.py | 131 |
LOW | management/mailconfig.py | 117 |
LOW | management/mailconfig.py | 510 |
LOW | management/daemon.py | 363 |
Hyper-Verbose Identifiers: 23 hits · 24 pts
Severity | File | Line | Snippet
LOW | management/auth.py | 36 | def parse_http_authorization_basic(header):
LOW | management/auth.py | 129 | def create_user_password_state_token(self, email, env):
LOW | management/ssl_certificates.py | 172 | def get_certificates_to_provision(env, limit_domains=None, show_valid_certs=True):
LOW | management/ssl_certificates.py | 374 | def provision_certificates_cmdline():
LOW | management/backup.py | 219 | def get_duplicity_additional_args(env):
LOW | management/backup.py | 396 | def run_duplicity_verification():
LOW | management/status_checks.py | 204 | def is_reboot_needed_due_to_package_installation():
LOW | management/status_checks.py | 399 | def run_domain_checks_on_domain(domain, rounded_time, env, dns_domains, dns_zonefiles, mail_domains, web_domains, domain
LOW | management/status_checks.py | 456 | def check_primary_hostname_dns(domain, env, output, dns_domains, dns_zonefiles):
LOW | management/status_checks.py | 622 | def check_dns_zone_suggestions(domain, env, output, dns_zonefiles, domains_with_a_records):
LOW | management/dns_update.py | 378 | def is_domain_cert_signed_and_valid(domain, env):
LOW | management/mail_log.py | 541 | def scan_postfix_submission_line(date, log, collector):
LOW | management/web_update.py | 51 | def get_domains_with_a_records(env):
LOW | management/web_update.py | 59 | def get_web_domains_with_root_overrides(env):
LOW | management/mailconfig.py | 57 | def sanitize_idn_email_address(email):
LOW | management/mailconfig.py | 77 | def prettify_idn_email_address(email):
LOW | management/mailconfig.py | 483 | def add_remove_mail_user_privilege(email, priv, action, env):
LOW | management/daemon.py | 48 | def authorized_personnel_only(viewfunc):
LOW | management/daemon.py | 299 | def dns_get_secondary_nameserver():
LOW | management/daemon.py | 305 | def dns_set_secondary_nameserver():
LOW | management/daemon.py | 565 | def system_latest_upstream_version():
LOW | management/daemon.py | 686 | def check_request_cookie_for_admin_access():
LOW | management/daemon.py | 693 | def authorized_personnel_only_via_cookie(f):
Excessive Try-Catch Wrapping: 11 hits · 16 pts
Severity | File | Line | Snippet
LOW | setup/migrate.py | 91 | except Exception as e:
MEDIUM | setup/migrate.py | 92 | print("Error updating IDNA alias", email, e)
LOW | setup/migrate.py | 248 | except Exception as e:
MEDIUM | setup/migrate.py | 250 | print("Error running the migration script:")
LOW | management/ssl_certificates.py | 364 | except Exception as e:
LOW | management/backup.py | 290 | except Exception as e:
LOW | management/daemon.py | 294 | except Exception as e:
LOW | management/daemon.py | 560 | except Exception as e:
LOW | management/daemon.py | 569 | except Exception as e:
LOW | management/daemon.py | 638 | except Exception as e:
MEDIUM | management/daemon.py | 171 | def logout():
Redundant / Tautological Comments: 6 hits · 8 pts
Severity | File | Line | Snippet
LOW | tools/editconf.py | 93 | # Check if this line contain this setting from the command-line arguments.
LOW | setup/system.sh | 71 | # Check if swap is mounted then activate on boot
LOW | management/backup.py | 162 | # Check if day of week is a weekend day
LOW | management/dns_update.py | 622 | # Check if the file is changing. If it isn't changing,
LOW | management/mail_log.py | 354 | # Check if the found date is within the time span we are scanning
LOW | management/mail_log.py | 424 | # Check if the incoming mail was rejected
Cross-Language Confusion: 1 hit · 8 pts
Severity | File | Line | Snippet
HIGH | management/mailconfig.py | 250 | # permitted_senders: ["user1@domain.com", "sender-only1@domain.com", ...] OR null,
Unused Imports: 1 hit · 1 pts
Severity | File | Line | Snippet
LOW | tools/readable_bash.py | 8 |