Skip to content
Commits on Source (451)
......@@ -20,7 +20,7 @@ fi
FILECNT=$(eval "${CMD} | wc -l") ;
for F in $(eval "$CMD") ; do
if [[ ! -e "${F}" && -f "${F}" ]] ; then
if [[ ! -e "${F}" || ! -f "${F}" ]] ; then
continue ;
fi
R=$(php -d error_reporting=E_ALL -d display_errors=On -l "$F" 2>/dev/null) ;
......@@ -64,4 +64,4 @@ if [ $WARNCNT -gt 0 ] ; then
echo ""
fi
exit $EX
\ No newline at end of file
exit $EX
.DS_Store
/nbproject/private/
.phplint-cache
*.swp
<?php
/*
Copyright (c) 2020, Till Brehm, ISPConfig UG
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of ISPConfig nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
//*** Ubuntu 18.04 default settings
//* Main
$conf['language'] = 'en';
$conf['distname'] = 'ubuntu2004';
$conf['hostname'] = 'server1.domain.tld'; // Full hostname
$conf['ispconfig_install_dir'] = '/usr/local/ispconfig';
$conf['ispconfig_config_dir'] = '/usr/local/ispconfig';
$conf['ispconfig_log_priority'] = 2; // 0 = Debug, 1 = Warning, 2 = Error
$conf['ispconfig_log_dir'] = '/var/log/ispconfig';
$conf['server_id'] = 1;
$conf['init_scripts'] = '/etc/init.d';
$conf['runlevel'] = '/etc';
$conf['shells'] = '/etc/shells';
$conf['pam'] = '/etc/pam.d';
//* Services provided by this server, this selection will be overridden by the expert mode
$conf['services']['mail'] = true;
$conf['services']['web'] = true;
$conf['services']['dns'] = true;
$conf['services']['file'] = true;
$conf['services']['db'] = true;
$conf['services']['vserver'] = true;
$conf['services']['proxy'] = false;
$conf['services']['firewall'] = false;
//* MySQL
$conf['mysql']['installed'] = false; // will be detected automatically during installation
$conf['mysql']['init_script'] = 'mysql';
$conf['mysql']['host'] = 'localhost';
$conf['mysql']['ip'] = '127.0.0.1';
$conf['mysql']['port'] = '3306';
$conf['mysql']['database'] = 'dbispconfig';
$conf['mysql']['admin_user'] = 'root';
$conf['mysql']['admin_password'] = '';
$conf['mysql']['charset'] = 'utf8';
$conf['mysql']['ispconfig_user'] = 'ispconfig';
$conf['mysql']['ispconfig_password'] = md5(uniqid(rand()));
$conf['mysql']['master_slave_setup'] = 'n';
$conf['mysql']['master_host'] = '';
$conf['mysql']['master_database'] = 'dbispconfig';
$conf['mysql']['master_admin_user'] = 'root';
$conf['mysql']['master_admin_password'] = '';
$conf['mysql']['master_ispconfig_user'] = '';
$conf['mysql']['master_ispconfig_password'] = md5(uniqid(rand()));
//* Apache
$conf['apache']['installed'] = false; // will be detected automatically during installation
$conf['apache']['user'] = 'www-data';
$conf['apache']['group'] = 'www-data';
$conf['apache']['init_script'] = 'apache2';
$conf['apache']['version'] = '2.4';
$conf['apache']['vhost_conf_dir'] = '/etc/apache2/sites-available';
$conf['apache']['vhost_conf_enabled_dir'] = '/etc/apache2/sites-enabled';
$conf['apache']['vhost_port'] = '8080';
$conf['apache']['php_ini_path_apache'] = '/etc/php/7.4/apache2/php.ini';
$conf['apache']['php_ini_path_cgi'] = '/etc/php/7.4/cgi/php.ini';
//* Website base settings
$conf['web']['website_basedir'] = '/var/www';
$conf['web']['website_path'] = '/var/www/clients/client[client_id]/web[website_id]';
$conf['web']['website_symlinks'] = '/var/www/[website_domain]/:/var/www/clients/client[client_id]/[website_domain]/';
//* Apps base settings
$conf['web']['apps_vhost_ip'] = '_default_';
$conf['web']['apps_vhost_port'] = '8081';
$conf['web']['apps_vhost_servername'] = '';
$conf['web']['apps_vhost_user'] = 'ispapps';
$conf['web']['apps_vhost_group'] = 'ispapps';
//* Fastcgi
$conf['fastcgi']['fastcgi_phpini_path'] = '/etc/php/7.4/cgi/';
$conf['fastcgi']['fastcgi_starter_path'] = '/var/www/php-fcgi-scripts/[system_user]/';
$conf['fastcgi']['fastcgi_bin'] = '/usr/bin/php-cgi';
//* Postfix
$conf['postfix']['installed'] = false; // will be detected automatically during installation
$conf['postfix']['config_dir'] = '/etc/postfix';
$conf['postfix']['init_script'] = 'postfix';
$conf['postfix']['user'] = 'postfix';
$conf['postfix']['group'] = 'postfix';
$conf['postfix']['vmail_userid'] = '5000';
$conf['postfix']['vmail_username'] = 'vmail';
$conf['postfix']['vmail_groupid'] = '5000';
$conf['postfix']['vmail_groupname'] = 'vmail';
$conf['postfix']['vmail_mailbox_base'] = '/var/vmail';
//* Mailman
$conf['mailman']['installed'] = false; // will be detected automatically during installation
$conf['mailman']['config_dir'] = '/etc/mailman';
$conf['mailman']['init_script'] = 'mailman';
//* Getmail
$conf['getmail']['installed'] = false; // will be detected automatically during installation
$conf['getmail']['config_dir'] = '/etc/getmail';
$conf['getmail']['program'] = '/usr/bin/getmail';
//* Courier
$conf['courier']['installed'] = false; // will be detected automatically during installation
$conf['courier']['config_dir'] = '/etc/courier';
$conf['courier']['courier-authdaemon'] = 'courier-authdaemon';
$conf['courier']['courier-imap'] = 'courier-imap';
$conf['courier']['courier-imap-ssl'] = 'courier-imap-ssl';
$conf['courier']['courier-pop'] = 'courier-pop';
$conf['courier']['courier-pop-ssl'] = 'courier-pop-ssl';
//* Dovecot
$conf['dovecot']['installed'] = false; // will be detected automatically during installation
$conf['dovecot']['config_dir'] = '/etc/dovecot';
$conf['dovecot']['init_script'] = 'dovecot';
//* SASL
$conf['saslauthd']['installed'] = false; // will be detected automatically during installation
$conf['saslauthd']['config'] = '/etc/default/saslauthd';
$conf['saslauthd']['init_script'] = 'saslauthd';
//* Amavisd
$conf['amavis']['installed'] = false; // will be detected automatically during installation
$conf['amavis']['config_dir'] = '/etc/amavis';
$conf['amavis']['init_script'] = 'amavis';
//* Rspamd
$conf['rspamd']['installed'] = false; // will be detected automatically during installation
$conf['rspamd']['config_dir'] = '/etc/rspamd';
$conf['rspamd']['init_script'] = 'rspamd';
//* ClamAV
$conf['clamav']['installed'] = false; // will be detected automatically during installation
$conf['clamav']['init_script'] = 'clamav-daemon';
//* Pureftpd
$conf['pureftpd']['installed'] = false; // will be detected automatically during installation
$conf['pureftpd']['config_dir'] = '/etc/pure-ftpd';
$conf['pureftpd']['init_script'] = 'pure-ftpd-mysql';
//* MyDNS
$conf['mydns']['installed'] = false; // will be detected automatically during installation
$conf['mydns']['config_dir'] = '/etc';
$conf['mydns']['init_script'] = 'mydns';
//* PowerDNS
$conf['powerdns']['installed'] = false; // will be detected automatically during installation
$conf['powerdns']['database'] = 'powerdns';
$conf["powerdns"]["config_dir"] = '/etc/powerdns/pdns.d';
$conf['powerdns']['init_script'] = 'pdns';
//* BIND DNS Server
$conf['bind']['installed'] = false; // will be detected automatically during installation
$conf['bind']['bind_user'] = 'root';
$conf['bind']['bind_group'] = 'bind';
$conf['bind']['bind_zonefiles_dir'] = '/etc/bind';
$conf['bind']['named_conf_path'] = '/etc/bind/named.conf';
$conf['bind']['named_conf_local_path'] = '/etc/bind/named.conf.local';
$conf['bind']['init_script'] = 'bind9';
//* Jailkit
$conf['jailkit']['installed'] = false; // will be detected automatically during installation
$conf['jailkit']['config_dir'] = '/etc/jailkit';
$conf['jailkit']['jk_init'] = 'jk_init.ini';
$conf['jailkit']['jk_chrootsh'] = 'jk_chrootsh.ini';
$conf['jailkit']['jailkit_chroot_app_programs'] = '/usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico /usr/bin/mysql /usr/bin/mysqldump /usr/bin/git /usr/bin/git-receive-pack /usr/bin/git-upload-pack /usr/bin/unzip /usr/bin/zip /bin/tar /bin/rm /usr/bin/patch /etc/localtime';
$conf['jailkit']['jailkit_chroot_cron_programs'] = '/usr/bin/php /usr/bin/perl /usr/share/perl /usr/share/php';
//* Squid
$conf['squid']['installed'] = false; // will be detected automatically during installation
$conf['squid']['config_dir'] = '/etc/squid';
$conf['squid']['init_script'] = 'squid';
//* Nginx
$conf['nginx']['installed'] = false; // will be detected automatically during installation
$conf['nginx']['user'] = 'www-data';
$conf['nginx']['group'] = 'www-data';
$conf['nginx']['config_dir'] = '/etc/nginx';
$conf['nginx']['vhost_conf_dir'] = '/etc/nginx/sites-available';
$conf['nginx']['vhost_conf_enabled_dir'] = '/etc/nginx/sites-enabled';
$conf['nginx']['init_script'] = 'nginx';
$conf['nginx']['vhost_port'] = '8080';
$conf['nginx']['cgi_socket'] = '/var/run/fcgiwrap.socket';
$conf['nginx']['php_fpm_init_script'] = 'php7.4-fpm';
$conf['nginx']['php_fpm_ini_path'] = '/etc/php/7.4/fpm/php.ini';
$conf['nginx']['php_fpm_pool_dir'] = '/etc/php/7.4/fpm/pool.d';
$conf['nginx']['php_fpm_start_port'] = 9010;
$conf['nginx']['php_fpm_socket_dir'] = '/var/lib/php7.4-fpm';
//* OpenVZ
$conf['openvz']['installed'] = false;
//*Bastille-Firwall
$conf['bastille']['installed'] = false;
$conf['bastille']['config_dir'] = '/etc/Bastille';
//* vlogger
$conf['vlogger']['config_dir'] = '/etc';
//* cron
$conf['cron']['init_script'] = 'cron';
$conf['cron']['crontab_dir'] = '/etc/cron.d';
$conf['cron']['wget'] = '/usr/bin/wget';
//* Metronome XMPP
$conf['xmpp']['installed'] = false;
$conf['xmpp']['init_script'] = 'metronome';
?>
......@@ -33,11 +33,16 @@ class installer extends installer_base {
public function configure_dovecot()
{
global $conf;
$virtual_transport = 'dovecot';
$configure_lmtp = false;
// use lmtp if installed
if($configure_lmtp = is_file('/usr/lib/dovecot/lmtp')) {
$virtual_transport = 'lmtp:unix:private/dovecot-lmtp';
}
// check if virtual_transport must be changed
if ($this->is_update) {
$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
......@@ -138,7 +143,7 @@ class installer extends installer_base {
}
//remove #2.3+ comment
$content = file_get_contents($config_dir.'/'.$configfile);
$content = str_replace('#2.3+','',$content);
$content = str_replace('#2.3+ ','',$content);
file_put_contents($config_dir.'/'.$configfile,$content);
unset($content);
......@@ -155,11 +160,20 @@ class installer extends installer_base {
}
}
$dovecot_protocols = 'imap pop3';
//* dovecot-lmtpd
if($configure_lmtp) {
replaceLine($config_dir.'/'.$configfile, 'protocols = imap pop3', 'protocols = imap pop3 lmtp', 1, 0);
$dovecot_protocols .= ' lmtp';
}
//* dovecot-managesieved
if(is_file('/usr/lib/dovecot/managesieve')) {
$dovecot_protocols .= ' sieve';
}
replaceLine($config_dir.'/'.$configfile, 'protocols = imap pop3', "protocols = $dovecot_protocols", 1, 0);
//* dovecot-sql.conf
$configfile = 'dovecot-sql.conf';
if(is_file($config_dir.'/'.$configfile)){
......
......@@ -30,7 +30,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
class installer_dist extends installer_base {
protected $mailman_group = 'mailman';
public function __construct() {
//** check apache modules */
$mods = getapachemodules();
......@@ -42,7 +42,7 @@ class installer_dist extends installer_base {
swriteln($inst->lng(' AllowOverride None'));
swriteln($inst->lng(' Require all denied'));
swriteln($inst->lng(' </Directory>'."\n"));
swriteln($inst->lng(' If it uses the old syntax (deny from all) ISPConfig would fail to work.'));
}
}
......@@ -63,6 +63,12 @@ class installer_dist extends installer_base {
//* mysql-virtual_forwardings.cf
$this->process_postfix_config('mysql-virtual_forwardings.cf');
//* mysql-virtual_alias_domains.cf
$this->process_postfix_config('mysql-virtual_alias_domains.cf');
//* mysql-virtual_alias_maps.cf
$this->process_postfix_config('mysql-virtual_alias_maps.cf');
//* mysql-virtual_mailboxes.cf
$this->process_postfix_config('mysql-virtual_mailboxes.cf');
......@@ -80,7 +86,7 @@ class installer_dist extends installer_base {
//* mysql-virtual_sender_login_maps.cf
$this->process_postfix_config('mysql-virtual_sender_login_maps.cf');
//* mysql-virtual_client.cf
$this->process_postfix_config('mysql-virtual_client.cf');
......@@ -89,7 +95,7 @@ class installer_dist extends installer_base {
//* mysql-virtual_relayrecipientmaps.cf
$this->process_postfix_config('mysql-virtual_relayrecipientmaps.cf');
//* mysql-virtual_outgoing_bcc.cf
$this->process_postfix_config('mysql-virtual_outgoing_bcc.cf');
......@@ -102,6 +108,9 @@ class installer_dist extends installer_base {
//* mysql-virtual_uids.cf
$this->process_postfix_config('mysql-virtual_uids.cf');
//* mysql-virtual_alias_domains.cf
$this->process_postfix_config('mysql-verify_recipients.cf');
//* postfix-dkim
$filename='tag_as_originating.re';
$full_file_name=$config_dir.'/'.$filename;
......@@ -115,12 +124,6 @@ class installer_dist extends installer_base {
$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/postfix-'.$filename.'.master', 'tpl/postfix-'.$filename.'.master');
wf($full_file_name, $content);
//* Changing mode and group of the new created config files.
caselog('chmod o= '.$config_dir.'/mysql-virtual_*.cf* &> /dev/null',
__FILE__, __LINE__, 'chmod on mysql-virtual_*.cf*', 'chmod on mysql-virtual_*.cf* failed');
caselog('chgrp '.$cf['group'].' '.$config_dir.'/mysql-virtual_*.cf* &> /dev/null',
__FILE__, __LINE__, 'chgrp on mysql-virtual_*.cf*', 'chgrp on mysql-virtual_*.cf* failed');
//* Creating virtual mail user and group
$command = 'groupadd -g '.$cf['vmail_groupid'].' '.$cf['vmail_groupname'];
if(!is_group($cf['vmail_groupname'])) caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
......@@ -142,19 +145,26 @@ class installer_dist extends installer_base {
}
}
unset($rbl_hosts);
//* If Postgrey is installed, configure it
$greylisting = '';
if($conf['postgrey']['installed'] == true) {
$greylisting = ', check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf';
}
$reject_sender_login_mismatch = '';
$reject_authenticated_sender_login_mismatch = '';
if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
$reject_sender_login_mismatch = ', reject_authenticated_sender_login_mismatch';
$reject_sender_login_mismatch = ', reject_sender_login_mismatch';
$reject_authenticated_sender_login_mismatch = 'reject_authenticated_sender_login_mismatch, ';
}
# placeholder includes comment char
$stress_adaptive_placeholder = '#{stress_adaptive} ';
$stress_adaptive = (isset($server_ini_array['mail']['stress_adaptive']) && ($server_ini_array['mail']['stress_adaptive'] == 'y')) ? '' : $stress_adaptive_placeholder;
unset($server_ini_array);
$postconf_placeholders = array('{config_dir}' => $config_dir,
'{vmail_mailbox_base}' => $cf['vmail_mailbox_base'],
'{vmail_userid}' => $cf['vmail_userid'],
......@@ -162,8 +172,10 @@ class installer_dist extends installer_base {
'{rbl_list}' => $rbl_list,
'{greylisting}' => $greylisting,
'{reject_slm}' => $reject_sender_login_mismatch,
'{reject_aslm}' => $reject_authenticated_sender_login_mismatch,
$stress_adaptive_placeholder => $stress_adaptive,
);
$postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/fedora_postfix.conf.master', 'tpl/fedora_postfix.conf.master');
$postconf_tpl = strtr($postconf_tpl, $postconf_placeholders);
$postconf_commands = array_filter(explode("\n", $postconf_tpl)); // read and remove empty lines
......@@ -368,13 +380,13 @@ class installer_dist extends installer_base {
$virtual_transport = 'dovecot';
$configure_lmtp = false;
// check if virtual_transport must be changed
if ($this->is_update) {
$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
$ini_array = ini_to_array(stripslashes($tmp['config']));
// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
if(isset($ini_array['mail']['mailbox_virtual_uidgid_maps']) && $ini_array['mail']['mailbox_virtual_uidgid_maps'] == 'y') {
$virtual_transport = 'lmtp:unix:private/dovecot-lmtp';
$configure_lmtp = true;
......@@ -452,7 +464,7 @@ class installer_dist extends installer_base {
if(version_compare($dovecot_version,2.3) >= 0) {
// Remove deprecated setting(s)
removeLine($config_dir.'/'.$configfile, 'ssl_protocols =');
// Check if we have a dhparams file and if not, create it
if(!file_exists('/etc/dovecot/dh.pem')) {
swriteln('Creating new DHParams file, this takes several minutes. Do not interrupt the script.');
......@@ -475,7 +487,7 @@ class installer_dist extends installer_base {
$content = str_replace('#2.3+','',$content);
file_put_contents($config_dir.'/'.$configfile,$content);
unset($content);
} else {
// remove settings which are not supported in Dovecot < 2.3
removeLine($config_dir.'/'.$configfile, 'ssl_min_protocol =');
......@@ -502,7 +514,7 @@ class installer_dist extends installer_base {
copy("$config_dir/$configfile", "$config_dir/$configfile~");
exec("chmod 400 $config_dir/$configfile~");
}
if(!@file_exists('/etc/dovecot-sql.conf')) exec('ln -s /etc/dovecot/dovecot-sql.conf /etc/dovecot-sql.conf');
$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/fedora_dovecot-sql.conf.master', "tpl/fedora_dovecot-sql.conf.master");
......@@ -520,7 +532,7 @@ class installer_dist extends installer_base {
exec("chmod 600 $config_dir/$configfile");
exec("chown root:root $config_dir/$configfile");
// Dovecot shall ignore mounts in website directory
if(is_installed('doveadm')) exec("doveadm mount add '/var/www/*' ignore > /dev/null 2> /dev/null");
......@@ -543,12 +555,12 @@ class installer_dist extends installer_base {
$content = str_replace('{amavis_config_dir}', $conf['amavis']['config_dir'], $content);
wf($conf["amavis"]["config_dir"].'/amavisd.conf', $content);
chmod($conf['amavis']['config_dir'].'/amavisd.conf', 0640);
if(!is_file($conf['amavis']['config_dir'].'/60-dkim')) {
touch($conf['amavis']['config_dir'].'/60-dkim');
chmod($conf['amavis']['config_dir'].'/60-dkim', 0640);
}
// for CentOS 7.2 only
if($dist['confid'] == 'centos72') {
chmod($conf['amavis']['config_dir'].'/amavisd.conf', 0750);
......@@ -752,16 +764,16 @@ class installer_dist extends installer_base {
$tpl = new tpl('apache_ispconfig.conf.master');
$tpl->setVar('apache_version',getapacheversion());
if($this->is_update == true) {
$tpl->setVar('logging',get_logging_state());
} else {
$tpl->setVar('logging','yes');
}
$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
$ip_addresses = array();
if(is_array($records) && count($records) > 0) {
foreach($records as $rec) {
if($rec['ip_type'] == 'IPv6') {
......@@ -780,7 +792,7 @@ class installer_dist extends installer_base {
}
}
}
if(count($ip_addresses) > 0) $tpl->setLoop('ip_adresses',$ip_addresses);
wf($vhost_conf_dir.'/ispconfig.conf', $tpl->grab());
......@@ -843,7 +855,7 @@ class installer_dist extends installer_base {
//* add a sshusers group
$command = 'groupadd sshusers';
if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
// add anonymized log option to nginxx.conf file
$nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
if(is_file($nginx_conf_file)) {
......@@ -853,7 +865,7 @@ class installer_dist extends installer_base {
replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
}
}
}
public function configure_bastille_firewall()
......@@ -946,31 +958,20 @@ class installer_dist extends installer_base {
//* copy the ISPConfig server part
$command = "cp -rf ../server $install_dir";
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make a backup of the security settings
if(is_file('/usr/local/ispconfig/security/security_settings.ini')) copy('/usr/local/ispconfig/security/security_settings.ini','/usr/local/ispconfig/security/security_settings.ini~');
//* copy the ISPConfig security part
$command = 'cp -rf ../security '.$install_dir;
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Apply changed security_settings.ini values to new security_settings.ini file
if(is_file('/usr/local/ispconfig/security/security_settings.ini~')) {
$security_settings_old = ini_to_array(file_get_contents('/usr/local/ispconfig/security/security_settings.ini~'));
$security_settings_new = ini_to_array(file_get_contents('/usr/local/ispconfig/security/security_settings.ini'));
if(is_array($security_settings_new) && is_array($security_settings_old)) {
foreach($security_settings_new as $section => $sval) {
if(is_array($sval)) {
foreach($sval as $key => $val) {
if(isset($security_settings_old[$section]) && isset($security_settings_old[$section][$key])) {
$security_settings_new[$section][$key] = $security_settings_old[$section][$key];
}
}
}
}
file_put_contents('/usr/local/ispconfig/security/security_settings.ini',array_to_ini($security_settings_new));
}
$configfile = 'security_settings.ini';
if(is_file($install_dir.'/security/'.$configfile)) {
copy($install_dir.'/security/'.$configfile, $install_dir.'/security/'.$configfile.'~');
}
$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
wf($install_dir.'/security/'.$configfile, $content);
//* Create a symlink, so ISPConfig is accessible via web
// Replaced by a separate vhost definition for port 8080
......@@ -1111,15 +1112,15 @@ class installer_dist extends installer_base {
//* chown the interface files to the ispconfig user and group
$command = 'chown -R ispconfig:ispconfig '.$install_dir.'/interface';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* chown the server files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/server';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* chown the security files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/security';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* chown the security directory and security_settings.ini to root:ispconfig
$command = 'chown root:ispconfig '.$install_dir.'/security/security_settings.ini';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
......@@ -1174,12 +1175,12 @@ class installer_dist extends installer_base {
exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf");
exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf");
}
if(is_dir($install_dir.'/interface/invoices')) {
exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
}
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
// TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
......@@ -1210,7 +1211,7 @@ class installer_dist extends installer_base {
$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
$this->db->query($sql, $conf['interface_password']);
}
if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
//* Copy the ISPConfig vhost for the controlpanel
// TODO: These are missing! should they be "vhost_dist_*_dir" ?
......@@ -1239,7 +1240,7 @@ class installer_dist extends installer_base {
} else {
$tpl->setVar('ssl_bundle_comment','#');
}
$tpl->setVar('apache_version',getapacheversion());
wf($vhost_conf_dir.'/ispconfig.vhost', $tpl->grab());
......@@ -1252,24 +1253,16 @@ class installer_dist extends installer_base {
exec("ln -s $vhost_conf_dir/ispconfig.vhost $vhost_conf_enabled_dir/000-ispconfig.vhost");
}
/*
exec('mkdir -p /var/www/php-fcgi-scripts/ispconfig');
exec('cp tpl/apache_ispconfig_fcgi_starter.master /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
exec('chmod +x /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
exec('ln -s /usr/local/ispconfig/interface/web /var/www/ispconfig');
exec('chown -R ispconfig:ispconfig /var/www/php-fcgi-scripts/ispconfig');
replaceLine('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter','PHPRC=','PHPRC=/etc/',0,0);
*/
//if(!is_file('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter')) {
$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/apache_ispconfig_fcgi_starter.master', 'tpl/apache_ispconfig_fcgi_starter.master');
$content = str_replace('{fastcgi_bin}', $conf['fastcgi']['fastcgi_bin'], $content);
$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
if(!is_dir('/var/www/php-fcgi-scripts/ispconfig')) exec('mkdir -p /var/www/php-fcgi-scripts/ispconfig');
$this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', false);
wf('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', $content);
exec('chmod +x /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
if(!is_link('/var/www/ispconfig')) exec('ln -s /usr/local/ispconfig/interface/web /var/www/ispconfig');
exec('chown -R ispconfig:ispconfig /var/www/php-fcgi-scripts/ispconfig');
$this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', true);
//}
//}
}
......@@ -1384,10 +1377,10 @@ class installer_dist extends installer_base {
//* Remove Domain module as its functions are available in the client module now
if(@is_dir('/usr/local/ispconfig/interface/web/domain')) exec('rm -rf /usr/local/ispconfig/interface/web/domain');
// Add symlink for patch tool
if(!is_link('/usr/local/bin/ispconfig_patch')) exec('ln -s /usr/local/ispconfig/server/scripts/ispconfig_patch /usr/local/bin/ispconfig_patch');
// Change mode of a few files from amavisd
if(is_file($conf['amavis']['config_dir'].'/conf.d/50-user')) chmod($conf['amavis']['config_dir'].'/conf.d/50-user', 0640);
if(is_file($conf['amavis']['config_dir'].'/50-user~')) chmod($conf['amavis']['config_dir'].'/50-user~', 0400);
......
......@@ -100,13 +100,20 @@ class installer extends installer_base
if($conf['postgrey']['installed'] == true) {
$greylisting = ', check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf';
}
$reject_sender_login_mismatch = '';
$reject_authenticated_sender_login_mismatch = '';
if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
$reject_sender_login_mismatch = ', reject_authenticated_sender_login_mismatch';
$reject_sender_login_mismatch = ', reject_sender_login_mismatch';
$reject_authenticated_sender_login_mismatch = 'reject_authenticated_sender_login_mismatch, ';
}
# placeholder includes comment char
$stress_adaptive_placeholder = '#{stress_adaptive} ';
$stress_adaptive = (isset($server_ini_array['mail']['stress_adaptive']) && ($server_ini_array['mail']['stress_adaptive'] == 'y')) ? '' : $stress_adaptive_placeholder;
unset($server_ini_array);
$postconf_placeholders = array('{config_dir}' => $config_dir,
'{vmail_mailbox_base}' => $cf['vmail_mailbox_base'],
'{vmail_userid}' => $cf['vmail_userid'],
......@@ -114,6 +121,8 @@ class installer extends installer_base
'{rbl_list}' => $rbl_list,
'{greylisting}' => $greylisting,
'{reject_slm}' => $reject_sender_login_mismatch,
'{reject_aslm}' => $reject_authenticated_sender_login_mismatch,
$stress_adaptive_placeholder => $stress_adaptive,
);
$postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/gentoo_postfix.conf.master', 'tpl/gentoo_postfix.conf.master');
......@@ -277,13 +286,13 @@ class installer extends installer_base
$virtual_transport = 'dovecot';
$configure_lmtp = false;
// check if virtual_transport must be changed
if ($this->is_update) {
$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"].".server", $conf['server_id']);
$ini_array = ini_to_array(stripslashes($tmp['config']));
// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
if(isset($ini_array['mail']['mailbox_virtual_uidgid_maps']) && $ini_array['mail']['mailbox_virtual_uidgid_maps'] == 'y') {
$virtual_transport = 'lmtp:unix:private/dovecot-lmtp';
$configure_lmtp = true;
......@@ -338,6 +347,11 @@ class installer extends installer_base
replaceLine($config_dir.'/'.$configfile, 'protocols = imap pop3', 'protocols = imap pop3 lmtp', 1, 0);
}
//* Get the dovecot version
exec('dovecot --version', $tmp);
$dovecot_version = $tmp[0];
unset($tmp);
//* dovecot-sql.conf
$configfile = $config_dir.'/dovecot-sql.conf';
$content = $this->get_template_file('debian_dovecot-sql.conf', true, true);
......@@ -602,16 +616,16 @@ class installer extends installer_base
//* Copy the ISPConfig configuration include
$tpl = new tpl('apache_ispconfig.conf.master');
$tpl->setVar('apache_version',getapacheversion());
if($this->is_update == true) {
$tpl->setVar('logging',get_logging_state());
} else {
$tpl->setVar('logging','yes');
}
$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
$ip_addresses = array();
if(is_array($records) && count($records) > 0) {
foreach($records as $rec) {
if($rec['ip_type'] == 'IPv6') {
......@@ -630,7 +644,7 @@ class installer extends installer_base
}
}
}
if(count($ip_addresses) > 0) $tpl->setLoop('ip_adresses',$ip_addresses);
wf($conf['apache']['vhost_conf_dir'].'/000-ispconfig.conf', $tpl->grab());
......@@ -727,10 +741,11 @@ class installer extends installer_base
$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
mkdir($conf['web']['website_basedir'].'/php-fcgi-scripts/apps', 0755, true);
//copy('tpl/apache_apps_fcgi_starter.master',$conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter');
$this->set_immutable($conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter', false);
wf($conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter', $content);
exec('chmod +x '.$conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter');
exec('chown -R ispapps:ispapps '.$conf['web']['website_basedir'].'/php-fcgi-scripts/apps');
$this->set_immutable($conf['web']['website_basedir'].'/php-fcgi-scripts/apps/.php-fcgi-starter', true);
//}
}
if($conf['nginx']['installed'] == true){
......@@ -783,11 +798,11 @@ class installer extends installer_base
//$content = str_replace('{fpm_port}', ($conf['nginx']['php_fpm_start_port']+1), $content);
$content = str_replace('{fpm_socket}', $fpm_socket, $content);
$content = str_replace('{cgi_socket}', $cgi_socket, $content);
// SSL in apps vhost is off by default. Might change later.
$content = str_replace('{ssl_on}', 'ssl', $content);
$content = str_replace('{ssl_comment}', '#', $content);
wf($vhost_conf_dir.'/apps.vhost', $content);
// PHP-FPM
......@@ -843,14 +858,14 @@ class installer extends installer_base
//* copy the ISPConfig server part
$command = "cp -rf ../server $install_dir";
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make a backup of the security settings
if(is_file('/usr/local/ispconfig/security/security_settings.ini')) copy('/usr/local/ispconfig/security/security_settings.ini','/usr/local/ispconfig/security/security_settings.ini~');
//* copy the ISPConfig security part
$command = 'cp -rf ../security '.$install_dir;
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Apply changed security_settings.ini values to new security_settings.ini file
if(is_file('/usr/local/ispconfig/security/security_settings.ini~')) {
$security_settings_old = ini_to_array(file_get_contents('/usr/local/ispconfig/security/security_settings.ini~'));
......@@ -983,15 +998,15 @@ class installer extends installer_base
//* chown the interface files to the ispconfig user and group
$command = 'chown -R ispconfig:ispconfig '.$install_dir.'/interface';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* chown the server files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/server';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* chown the security files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/security';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* chown the security directory and security_settings.ini to root:ispconfig
$command = 'chown root:ispconfig '.$install_dir.'/security/security_settings.ini';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
......@@ -1005,7 +1020,7 @@ class installer extends installer_base
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
......@@ -1058,7 +1073,7 @@ class installer extends installer_base
exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
}
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
// TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
......@@ -1089,7 +1104,7 @@ class installer extends installer_base
$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
$this->db->query($sql, $conf['interface_password']);
}
if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
//* Copy the ISPConfig vhost for the controlpanel
$content = $this->get_template_file("apache_ispconfig.vhost", true);
......@@ -1121,11 +1136,13 @@ class installer extends installer_base
$content = str_replace('{fastcgi_bin}', $conf['fastcgi']['fastcgi_bin'], $content);
$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
@mkdir('/var/www/php-fcgi-scripts/ispconfig', 0755, true);
$this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', false);
wf('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', $content);
exec('chmod +x /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
chmod('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', 0755);
@symlink($install_dir.'/interface/web', '/var/www/ispconfig');
exec('chown -R ispconfig:ispconfig /var/www/php-fcgi-scripts/ispconfig');
$this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', true);
}
}
......@@ -1238,16 +1255,16 @@ class installer extends installer_base
//* Remove Domain module as its functions are available in the client module now
if(@is_dir('/usr/local/ispconfig/interface/web/domain')) exec('rm -rf /usr/local/ispconfig/interface/web/domain');
// Add symlink for patch tool
if(!is_link('/usr/local/bin/ispconfig_patch')) exec('ln -s /usr/local/ispconfig/server/scripts/ispconfig_patch /usr/local/bin/ispconfig_patch');
// Change mode of a few files from amavisd
if(is_file($conf['amavis']['config_dir'].'/conf.d/50-user')) chmod($conf['amavis']['config_dir'].'/conf.d/50-user', 0640);
if(is_file($conf['amavis']['config_dir'].'/50-user~')) chmod($conf['amavis']['config_dir'].'/50-user~', 0400);
if(is_file($conf['amavis']['config_dir'].'/amavisd.conf')) chmod($conf['amavis']['config_dir'].'/amavisd.conf', 0640);
if(is_file($conf['amavis']['config_dir'].'/amavisd.conf~')) chmod($conf['amavis']['config_dir'].'/amavisd.conf~', 0400);
}
}
......
......@@ -30,7 +30,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
class installer_dist extends installer_base {
protected $mailman_group = 'mailman';
public function __construct() {
//** check apache modules */
$mods = getapachemodules();
......@@ -42,7 +42,7 @@ class installer_dist extends installer_base {
swriteln($inst->lng(' AllowOverride None'));
swriteln($inst->lng(' Require all denied'));
swriteln($inst->lng(' </Directory>'."\n"));
swriteln($inst->lng(' If it uses the old syntax (deny from all) ISPConfig would fail to work.'));
}
}
......@@ -63,6 +63,12 @@ class installer_dist extends installer_base {
//* mysql-virtual_forwardings.cf
$this->process_postfix_config('mysql-virtual_forwardings.cf');
//* mysql-virtual_alias_domains.cf
$this->process_postfix_config('mysql-virtual_alias_domains.cf');
//* mysql-virtual_alias_maps.cf
$this->process_postfix_config('mysql-virtual_alias_maps.cf');
//* mysql-virtual_mailboxes.cf
$this->process_postfix_config('mysql-virtual_mailboxes.cf');
......@@ -80,7 +86,7 @@ class installer_dist extends installer_base {
//* mysql-virtual_sender_login_maps.cf
$this->process_postfix_config('mysql-virtual_sender_login_maps.cf');
//* mysql-virtual_client.cf
$this->process_postfix_config('mysql-virtual_client.cf');
......@@ -99,6 +105,9 @@ class installer_dist extends installer_base {
//* mysql-virtual_uids.cf
$this->process_postfix_config('mysql-virtual_uids.cf');
//* mysql-virtual_alias_domains.cf
$this->process_postfix_config('mysql-verify_recipients.cf');
//* postfix-dkim
$filename='tag_as_originating.re';
$full_file_name=$config_dir.'/'.$filename;
......@@ -112,12 +121,6 @@ class installer_dist extends installer_base {
$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/postfix-'.$filename.'.master', 'tpl/postfix-'.$filename.'.master');
wf($full_file_name, $content);
//* Changing mode and group of the new created config files.
caselog('chmod o= '.$config_dir.'/mysql-virtual_*.cf* &> /dev/null',
__FILE__, __LINE__, 'chmod on mysql-virtual_*.cf*', 'chmod on mysql-virtual_*.cf* failed');
caselog('chgrp '.$cf['group'].' '.$config_dir.'/mysql-virtual_*.cf* &> /dev/null',
__FILE__, __LINE__, 'chgrp on mysql-virtual_*.cf*', 'chgrp on mysql-virtual_*.cf* failed');
if(!is_dir($cf['vmail_mailbox_base'])) mkdir($cf['vmail_mailbox_base']);
//* Creating virtual mail user and group
......@@ -159,13 +162,20 @@ class installer_dist extends installer_base {
if($conf['postgrey']['installed'] == true) {
$greylisting = ', check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf';
}
$reject_sender_login_mismatch = '';
$reject_authenticated_sender_login_mismatch = '';
if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
$reject_sender_login_mismatch = ', reject_authenticated_sender_login_mismatch';
$reject_sender_login_mismatch = ', reject_sender_login_mismatch';
$reject_authenticated_sender_login_mismatch = 'reject_authenticated_sender_login_mismatch, ';
}
# placeholder includes comment char
$stress_adaptive_placeholder = '#{stress_adaptive} ';
$stress_adaptive = (isset($server_ini_array['mail']['stress_adaptive']) && ($server_ini_array['mail']['stress_adaptive'] == 'y')) ? '' : $stress_adaptive_placeholder;
unset($server_ini_array);
$postconf_placeholders = array('{config_dir}' => $config_dir,
'{vmail_mailbox_base}' => $cf['vmail_mailbox_base'],
'{vmail_userid}' => $cf['vmail_userid'],
......@@ -173,8 +183,10 @@ class installer_dist extends installer_base {
'{rbl_list}' => $rbl_list,
'{greylisting}' => $greylisting,
'{reject_slm}' => $reject_sender_login_mismatch,
'{reject_aslm}' => $reject_authenticated_sender_login_mismatch,
$stress_adaptive_placeholder => $stress_adaptive,
);
$postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/opensuse_postfix.conf.master', 'tpl/opensuse_postfix.conf.master');
$postconf_tpl = strtr($postconf_tpl, $postconf_placeholders);
$postconf_commands = array_filter(explode("\n", $postconf_tpl)); // read and remove empty lines
......@@ -378,13 +390,13 @@ class installer_dist extends installer_base {
$virtual_transport = 'dovecot';
$configure_lmtp = false;
// check if virtual_transport must be changed
if ($this->is_update) {
$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
$ini_array = ini_to_array(stripslashes($tmp['config']));
// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
if(isset($ini_array['mail']['mailbox_virtual_uidgid_maps']) && $ini_array['mail']['mailbox_virtual_uidgid_maps'] == 'y') {
$virtual_transport = 'lmtp:unix:private/dovecot-lmtp';
$configure_lmtp = true;
......@@ -487,7 +499,7 @@ class installer_dist extends installer_base {
exec("chmod 600 $config_dir/$configfile");
exec("chown root:root $config_dir/$configfile");
// Dovecot shall ignore mounts in website directory
if(is_installed('doveadm')) exec("doveadm mount add '/srv/www/*' ignore > /dev/null 2> /dev/null");
......@@ -659,7 +671,7 @@ class installer_dist extends installer_base {
if($conf['apache']['installed'] == false) return;
//* Create the logging directory for the vhost logfiles
exec('mkdir -p /var/log/ispconfig/httpd');
//* enable apache logio module
exec('a2enmod logio');
......@@ -690,16 +702,16 @@ class installer_dist extends installer_base {
$tpl = new tpl('apache_ispconfig.conf.master');
$tpl->setVar('apache_version',getapacheversion());
if($this->is_update == true) {
$tpl->setVar('logging',get_logging_state());
} else {
$tpl->setVar('logging','yes');
}
$records = $this->db->queryAllRecords("SELECT * FROM ?? WHERE server_id = ? AND virtualhost = 'y'", $conf['mysql']['master_database'] . '.server_ip', $conf['server_id']);
$ip_addresses = array();
if(is_array($records) && count($records) > 0) {
foreach($records as $rec) {
if($rec['ip_type'] == 'IPv6') {
......@@ -718,7 +730,7 @@ class installer_dist extends installer_base {
}
}
}
if(count($ip_addresses) > 0) $tpl->setLoop('ip_adresses',$ip_addresses);
wf($vhost_conf_dir.'/ispconfig.conf', $tpl->grab());
......@@ -823,7 +835,7 @@ class installer_dist extends installer_base {
//* add a sshusers group
$command = 'groupadd sshusers';
if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
// add anonymized log option to nginxx.conf file
$nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
if(is_file($nginx_conf_file)) {
......@@ -925,14 +937,14 @@ class installer_dist extends installer_base {
//* copy the ISPConfig server part
$command = "cp -rf ../server $install_dir";
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make a backup of the security settings
if(is_file('/usr/local/ispconfig/security/security_settings.ini')) copy('/usr/local/ispconfig/security/security_settings.ini','/usr/local/ispconfig/security/security_settings.ini~');
//* copy the ISPConfig security part
$command = 'cp -rf ../security '.$install_dir;
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Apply changed security_settings.ini values to new security_settings.ini file
if(is_file('/usr/local/ispconfig/security/security_settings.ini~')) {
$security_settings_old = ini_to_array(file_get_contents('/usr/local/ispconfig/security/security_settings.ini~'));
......@@ -1090,15 +1102,15 @@ class installer_dist extends installer_base {
//* chown the interface files to the ispconfig user and group
$command = 'chown -R ispconfig:ispconfig '.$install_dir.'/interface';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* chown the server files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/server';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* chown the security files to the root user and group
$command = 'chown -R root:root '.$install_dir.'/security';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* chown the security directory and security_settings.ini to root:ispconfig
$command = 'chown root:ispconfig '.$install_dir.'/security/security_settings.ini';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
......@@ -1112,7 +1124,7 @@ class installer_dist extends installer_base {
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
$command = 'chown root:ispconfig '.$install_dir.'/security/nginx_directives.blacklist';
caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
//* Make the global language file directory group writable
exec("chmod -R 770 $install_dir/interface/lib/lang");
......@@ -1153,12 +1165,12 @@ class installer_dist extends installer_base {
exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf");
exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf");
}
if(is_dir($install_dir.'/interface/invoices')) {
exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
}
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
// TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
......@@ -1192,7 +1204,7 @@ class installer_dist extends installer_base {
$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
$this->db->query($sql, $conf['interface_password']);
}
if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
//* Copy the ISPConfig vhost for the controlpanel
// TODO: These are missing! should they be "vhost_dist_*_dir" ?
......@@ -1221,7 +1233,7 @@ class installer_dist extends installer_base {
} else {
$tpl->setVar('ssl_bundle_comment','#');
}
$tpl->setVar('apache_version',getapacheversion());
$content = $tpl->grab();
......@@ -1233,10 +1245,12 @@ class installer_dist extends installer_base {
$content = str_replace('{fastcgi_bin}', $conf['fastcgi']['fastcgi_bin'], $content);
$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
exec('mkdir -p /srv/www/php-fcgi-scripts/ispconfig');
$this->set_immutable('/srv/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', false);
wf('/srv/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', $content);
exec('chmod +x /srv/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
exec('ln -s /usr/local/ispconfig/interface/web /srv/www/ispconfig');
exec('chown -R ispconfig:ispconfig /srv/www/php-fcgi-scripts/ispconfig');
$this->set_immutable('/srv/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', true);
//}
......@@ -1362,10 +1376,10 @@ class installer_dist extends installer_base {
//* Remove Domain module as its functions are available in the client module now
if(@is_dir('/usr/local/ispconfig/interface/web/domain')) exec('rm -rf /usr/local/ispconfig/interface/web/domain');
// Add symlink for patch tool
if(!is_link('/usr/local/bin/ispconfig_patch')) exec('ln -s /usr/local/ispconfig/server/scripts/ispconfig_patch /usr/local/bin/ispconfig_patch');
// Change mode of a few files from amavisd
if(is_file($conf['amavis']['config_dir'].'/conf.d/50-user')) chmod($conf['amavis']['config_dir'].'/conf.d/50-user', 0640);
if(is_file($conf['amavis']['config_dir'].'/50-user~')) chmod($conf['amavis']['config_dir'].'/50-user~', 0400);
......
......@@ -95,6 +95,10 @@ function get_distname() {
$mainver = current($mainver).'.'.next($mainver);
}
switch ($mainver){
case "20.04":
$relname = "(Focal Fossa)";
$distconfid = 'ubuntu2004';
break;
case "18.04":
$relname = "(Bionic Beaver)";
$distconfid = 'ubuntu1804';
......@@ -186,7 +190,7 @@ function get_distname() {
break;
default:
$relname = "UNKNOWN";
$distconfid = 'ubuntu1804';
$distconfid = 'ubuntu2004';
}
$distver = $ver.$lts." ".$relname;
swriteln("Operating System: ".$distname.' '.$distver."\n");
......@@ -341,15 +345,15 @@ function get_distname() {
$distid = 'centos72';
}
swriteln("Operating System: CentOS $var\n");
} elseif(stristr($content, 'CentOS Linux release 8')) {
$distname = 'CentOS';
$distver = 'Unknown';
$distbaseid = 'fedora';
} elseif(stristr($content, 'CentOS Linux release 8')) {
$distname = 'CentOS';
$distver = 'Unknown';
$distbaseid = 'fedora';
$distid = 'centos80';
$var=explode(" ", $content);
$var=explode(".", $var[3]);
$var=$var[0].".".$var[1];
swriteln("Operating System: CentOS $var\n");
$var=explode(" ", $content);
$var=explode(".", $var[3]);
$var=$var[0].".".$var[1];
swriteln("Operating System: CentOS $var\n");
} else {
$distname = 'Redhat';
$distver = 'Unknown';
......@@ -471,29 +475,38 @@ function rf($file){
}
function wf($file, $content){
mkdirs(dirname($file));
if(!$ret_val = mkdirs(dirname($file))) return false;
if(!$fp = fopen($file, 'wb')){
ilog('WARNING: could not open file '.$file);
// implicitly returned false because the following fwrite and fclose both fail,
// but to be explicit:
$ret_val = false;
}
fwrite($fp, $content);
fclose($fp);
fwrite($fp, $content) or $ret_val = false;
fclose($fp) or $ret_val = false;
return $ret_val;
}
function af($file, $content){
mkdirs(dirname($file));
if(!$ret_val = mkdirs(dirname($file))) return false;
if(!$fp = fopen($file, 'ab')){
ilog('WARNING: could not open file '.$file);
$ret_val = false;
}
fwrite($fp, $content);
fclose($fp);
fwrite($fp, $content) or $ret_val = false;
fclose($fp) or $ret_val = false;
return $ret_val;
}
function aftsl($file, $content){
$ret_val = true;
if(!$fp = fopen($file, 'ab')){
ilog('WARNING: could not open file '.$file);
$ret_val = false;
}
fwrite($fp, $content);
fclose($fp);
fwrite($fp, $content) or $ret_val = false;
fclose($fp) or $ret_val = false;
return $ret_val;
}
function unix_nl($input){
......@@ -678,8 +691,7 @@ function ini_to_array($ini) {
//* Converts a config array to a string
function array_to_ini($config_array = '') {
if($config_array == '') $config_array = $this->config;
function array_to_ini($config_array) {
$content = '';
foreach($config_array as $section => $data) {
$content .= "[$section]\n";
......
This diff is collapsed.
......@@ -192,6 +192,8 @@ class db
}
private function _query($sQuery = '') {
$aArgs = func_get_args();
$this->do_connect();
if ($sQuery == '') {
......@@ -227,7 +229,6 @@ class db
}
} while($ok == false);
$aArgs = func_get_args();
$sQuery = call_user_func_array(array(&$this, '_build_query_string'), $aArgs);
$this->_iQueryId = mysqli_query($this->_iConnId, $sQuery);
......@@ -283,10 +284,17 @@ class db
* @return array result row or NULL if none found
*/
public function queryOneRecord($sQuery = '') {
if(!preg_match('/limit \d+\s*,\s*\d+$/i', $sQuery)) $sQuery .= ' LIMIT 0,1';
$aArgs = func_get_args();
$oResult = call_user_func_array(array(&$this, 'query'), $aArgs);
if(!empty($aArgs)) {
$sQuery = array_shift($aArgs);
if($sQuery && !preg_match('/limit \d+(\s*,\s*\d+)?$/i', $sQuery)) {
$sQuery .= ' LIMIT 0,1';
}
array_unshift($aArgs, $sQuery);
}
$oResult = call_user_func_array([&$this, 'query'], $aArgs);
if(!$oResult) return null;
$aReturn = $oResult->get();
......@@ -956,7 +964,7 @@ class fakedb_result {
if(!is_array($this->aLimitedData)) return $aItem;
if(list($vKey, $aItem) = each($this->aLimitedData)) {
foreach($this->aLimitedData as $vKey => $aItem) {
if(!$aItem) $aItem = null;
}
return $aItem;
......
-- folder_directive_snippets was missing in incremental, inserted for fixing older installations
ALTER TABLE `web_domain` ADD `folder_directive_snippets` TEXT NULL AFTER `https_port`;
ALTER TABLE `web_domain` CHANGE `folder_directive_snippets` `folder_directive_snippets` TEXT CHARACTER SET utf8 COLLATE utf8_general_ci NULL;
ALTER TABLE `web_domain` ADD `log_retention` INT NOT NULL DEFAULT '30' AFTER `https_port`;
ALTER TABLE `web_domain` CHANGE `stats_type` `stats_type` VARCHAR(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT 'awstats';
......
......@@ -20,9 +20,59 @@ UPDATE `dns_ssl_ca` SET `ca_name` = 'Sectigo / Comodo CA' WHERE `ca_issue` = 'co
-- default php-fpm to ondemand mode
ALTER TABLE `web_domain` ALTER pm SET DEFAULT 'ondemand';
ALTER TABLE `mail_user`
ALTER TABLE `mail_user`
ADD `purge_trash_days` INT NOT NULL DEFAULT '0' AFTER `move_junk`,
ADD `purge_junk_days` INT NOT NULL DEFAULT '0' AFTER `purge_trash_days`;
-- doveadm should be enabled for all mailboxes
UPDATE `mail_user` set `disabledoveadm` = 'n';
-- add disablequota-status for quota-status policy daemon
ALTER TABLE `mail_user` ADD `disablequota-status` ENUM('n','y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'n' AFTER `disabledoveadm`;
-- add disableindexer-worker for solr search
ALTER TABLE `mail_user` ADD `disableindexer-worker` ENUM('n','y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'n' AFTER `disablequota-status`;
-- add SSHFP and DNAME record
ALTER TABLE `dns_rr` CHANGE `type` `type` ENUM('A','AAAA','ALIAS','CNAME','DNAME','CAA','DS','HINFO','LOC','MX','NAPTR','NS','PTR','RP','SRV','SSHFP','TXT','TLSA','DNSKEY') NULL DEFAULT NULL AFTER `name`;
-- change cc and sender_cc column type
ALTER TABLE `mail_user` CHANGE `cc` `cc` TEXT CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT '';
-- remove SPDY option
ALTER TABLE `web_domain` DROP COLUMN `enable_spdy`;
-- was missing in incremental, inserted for fixing older installations
ALTER TABLE `web_domain` ADD `folder_directive_snippets` TEXT NULL AFTER `https_port`;
ALTER TABLE `web_domain` ADD `server_php_id` INT(11) UNSIGNED NOT NULL DEFAULT 0;
UPDATE `web_domain` as w LEFT JOIN sys_group as g ON (g.groupid = w.sys_groupid) INNER JOIN `server_php` as p ON (w.fastcgi_php_version = CONCAT(p.name, ':', p.php_fastcgi_binary, ':', p.php_fastcgi_ini_dir) AND p.server_id IN (0, w.server_id) AND p.client_id IN (0, g.client_id)) SET w.server_php_id = p.server_php_id, w.fastcgi_php_version = '' WHERE 1;
UPDATE `web_domain` as w LEFT JOIN sys_group as g ON (g.groupid = w.sys_groupid) INNER JOIN `server_php` as p ON (w.fastcgi_php_version = CONCAT(p.name, ':', p.php_fpm_init_script, ':', p.php_fpm_ini_dir, ':', p.php_fpm_pool_dir) AND p.server_id IN (0, w.server_id) AND p.client_id IN (0, g.client_id)) SET w.server_php_id = p.server_php_id, w.fastcgi_php_version = '' WHERE 1;
-- we have to decide whether to delete the column or leave it there for investigating not-converted entries
-- ALTER TABLE `web_domain` DROP COLUMN `fastcgi_php_version`;
ALTER TABLE `web_domain` CHANGE `apache_directives` `apache_directives` mediumtext NULL DEFAULT NULL;
ALTER TABLE `web_domain` CHANGE `nginx_directives` `nginx_directives` mediumtext NULL DEFAULT NULL;
-- add move to junk before/after option, default to after
ALTER TABLE `mail_user` MODIFY `move_junk` enum('y','a','n') NOT NULL DEFAULT 'y';
-- Change id_rsa column to TEXT format
ALTER TABLE `client` CHANGE `id_rsa` `id_rsa` TEXT CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT '';
ALTER TABLE `directive_snippets` ADD `update_sites` ENUM('y','n') NOT NULL DEFAULT 'n' ;
-- Add DNSSEC Algorithm setting
ALTER TABLE `dns_soa` ADD `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NULL DEFAULT NULL AFTER `dnssec_wanted`;
UPDATE `dns_soa` SET `dnssec_algo` = 'NSEC3RSASHA1' WHERE `dnssec_algo` IS NULL AND dnssec_initialized = 'Y';
UPDATE `dns_soa` SET `dnssec_algo` = 'ECDSAP256SHA256' WHERE `dnssec_algo` IS NULL AND dnssec_initialized = 'N';
ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'ECDSAP256SHA256';
-- Fix issue #5635
ALTER TABLE `client_template` CHANGE `ssh_chroot` `ssh_chroot` VARCHAR(255) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT '';
ALTER TABLE `client_template` CHANGE `web_php_options` `web_php_options` VARCHAR(255) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT '';
This diff is collapsed.
######################################################
# This virtual host contains the configuration
# for the ISPConfig apps vhost
......@@ -10,20 +9,58 @@
<VirtualHost {tmpl_var name='apps_vhost_ip'}:{tmpl_var name='apps_vhost_port'}>
ServerAdmin webmaster@localhost
{tmpl_var name='apps_vhost_servername'}
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
# SSL Configuration
<tmpl_var name="ssl_comment">SSLEngine On
<tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'>
<tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
<tmpl_else>
<tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3
</tmpl_if>
<tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
<tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
<tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
<tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
<tmpl_var name="ssl_comment">SSLHonorCipherOrder On
<tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
<tmpl_var name="ssl_comment">SSLCompression Off
</tmpl_if>
<tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'>
<tmpl_var name="ssl_comment">SSLSessionTickets Off
</tmpl_if>
<IfModule mod_headers.c>
RequestHeader unset Proxy early
# ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
<tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
Header set X-Content-Type-Options: nosniff
Header set X-Frame-Options: SAMEORIGIN
Header set X-XSS-Protection: "1; mode=block"
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
<tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure"
<IfVersion >= 2.4.7>
Header setifempty Strict-Transport-Security "max-age=15768000"
</IfVersion>
<IfVersion < 2.4.7>
Header set Strict-Transport-Security "max-age=15768000"
</IfVersion>
RequestHeader unset Proxy early
</IfModule>
{tmpl_if name="enable_spdy" op="==" value="y"}
<IfModule spdy_module>
SpdyEnabled on
<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
<tmpl_var name="ssl_comment">SSLUseStapling On
<tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5
<tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off
</tmpl_if>
<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>
{/tmpl_if}
<IfModule mod_php5.c>
DocumentRoot {tmpl_var name='apps_vhost_dir'}
......@@ -39,7 +76,7 @@
</tmpl_if>
</Directory>
</IfModule>
<IfModule mod_php7.c>
DocumentRoot {tmpl_var name='apps_vhost_dir'}
AddType application/x-httpd-php .php
......@@ -54,7 +91,7 @@
</tmpl_if>
</Directory>
</IfModule>
<IfModule mod_fcgid.c>
DocumentRoot {tmpl_var name='apps_vhost_dir'}
SuexecUserGroup ispapps ispapps
......@@ -84,8 +121,4 @@
RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]
{/tmpl_if}
</VirtualHost>
......@@ -35,6 +35,10 @@ CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -s access.log -t \"%Y%m
</tmpl_if>
</Directory>
<Directory /var/www>
Options -Indexes
</Directory>
<Directory /var/www/conf>
AllowOverride None
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
......@@ -142,3 +146,28 @@ NameVirtualHost *:443
NameVirtualHost {tmpl_var name="ip_address"}:{tmpl_var name="port"}
</tmpl_loop>
<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
<IfModule mod_ssl.c>
<tmpl_var name="ssl_comment">SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>
</tmpl_if>
<Directory /var/www/php-cgi-scripts>
AllowOverride None
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all denied
<tmpl_else>
Order Deny,Allow
Deny from all
</tmpl_if>
</Directory>
<Directory /var/www/php-fcgi-scripts>
AllowOverride None
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all denied
<tmpl_else>
Order Deny,Allow
Deny from all
</tmpl_if>
</Directory>
......@@ -70,7 +70,7 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
# SSL Configuration
<tmpl_var name="ssl_comment">SSLEngine On
<tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'>
<tmpl_var name="ssl_comment">SSLProtocol All -SSLv3
<tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
<tmpl_else>
<tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3
</tmpl_if>
......@@ -78,7 +78,7 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
<tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
<tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
<tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
<tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
<tmpl_var name="ssl_comment">SSLHonorCipherOrder On
<tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
<tmpl_var name="ssl_comment">SSLCompression Off
......@@ -89,11 +89,13 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
<IfModule mod_headers.c>
# ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
<tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
Header set X-Content-Type-Options: nosniff
Header set X-Frame-Options: SAMEORIGIN
Header set X-XSS-Protection: "1; mode=block"
<tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
<tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure"
<IfVersion >= 2.4.7>
Header setifempty Strict-Transport-Security "max-age=15768000"
</IfVersion>
......@@ -109,29 +111,3 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
<tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off
</tmpl_if>
</VirtualHost>
<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
<IfModule mod_ssl.c>
<tmpl_var name="ssl_comment">SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>
</tmpl_if>
<Directory /var/www/php-cgi-scripts>
AllowOverride None
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all denied
<tmpl_else>
Order Deny,Allow
Deny from all
</tmpl_if>
</Directory>
<Directory /var/www/php-fcgi-scripts>
AllowOverride None
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all denied
<tmpl_else>
Order Deny,Allow
Deny from all
</tmpl_if>
</Directory>
......@@ -45,7 +45,6 @@ if( !empty($_SERVER['DOCUMENT_ROOT']) ) {
}
//** Set a few php.ini values
if(get_magic_quotes_runtime()) set_magic_quotes_runtime(false);
if(isset($app)) unset($app);
if(isset($conf)) unset($conf);
......
......@@ -57,7 +57,14 @@ plugin {
# the maildir quota does not need to be set.
# You do not need: quota = maildir
# no longer needed, as 'sieve' is in userdb extra fields:
sieve=/var/vmail/%d/%n/.sieve
sieve_before=/var/vmail/%d/%n/.ispconfig-before.sieve
sieve_after=/var/vmail/%d/%n/.ispconfig.sieve
sieve_max_script_size = 2M
sieve_max_actions = 100
sieve_max_redirects = 25
}
......
......@@ -7,9 +7,13 @@ mail_privileged_group = vmail
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_dh = </etc/dovecot/dh.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_min_protocol = TLSv1
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no
auth_verbose = yes
mail_max_userip_connections = 100
mail_plugins = quota
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
......@@ -23,7 +27,14 @@ userdb {
}
plugin {
quota = dict:user::file:/var/vmail/%d/%n/.quotausage
# no longer needed, as 'sieve' is in userdb extra fields:
sieve=/var/vmail/%d/%n/.sieve
sieve_before=/var/vmail/%d/%n/.ispconfig-before.sieve
sieve_after=/var/vmail/%d/%n/.ispconfig.sieve
sieve_max_script_size = 2M
sieve_max_actions = 100
sieve_max_redirects = 25
}
service auth {
......@@ -44,11 +55,12 @@ service lmtp {
group = postfix
mode = 0600
user = postfix
# For higher volume sites, it may be desirable to increase the number of active listener processes.
# For higher volume sites, it may be desirable to increase the number of active listener processes.
# A range of 5 to 20 is probably good for most sites
# process_min_avail = 5
}
}
lmtp_rcpt_check_quota = yes
service imap-login {
client_limit = 1000
process_limit = 512
......@@ -75,7 +87,7 @@ protocol lmtp {
#2.3+ group = vmail
#2.3+ mode = 0660
#2.3+ }
#2.3+
#2.3+
#2.3+ unix_listener stats-writer {
#2.3+ user = vmail
#2.3+ group = vmail
......@@ -83,3 +95,38 @@ protocol lmtp {
#2.3+ }
#2.3+ }
service quota-status {
executable = quota-status -p postfix
unix_listener /var/spool/postfix/private/quota-status {
group = postfix
mode = 0660
user = postfix
}
client_limit = 1
}
plugin {
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full"
}
imap_capability=+SEPCIAL-USE XLIST
namespace inbox {
inbox = yes
separator = .
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
}
......@@ -682,7 +682,7 @@ protocol managesieve {
# the sieve storage directory. This must match the SIEVE setting used by
# deliver (refer to http://wiki.dovecot.org/LDA/Sieve#location for more
# info). Variable substitution with % is recognized.
sieve=~/.dovecot.sieve
sieve=~/.sieve
# This specifies the path to the directory where the uploaded scripts must
# be stored. In terms of '%' variable substitution it is identical to
......@@ -1144,4 +1144,10 @@ plugin {
# they're moved to a 3rd namespace. The mails won't be counted in quota,
# and they're not deleted automatically (use a cronjob or something).
#lazy_expunge = .EXPUNGED/ .DELETED/ .DELETED/.EXPUNGED/
sieve_before=/var/vmail/%d/%n/.ispconfig-before.sieve
sieve_after=/var/vmail/%d/%n/.ispconfig.sieve
sieve_max_script_size = 2M
sieve_max_actions = 100
sieve_max_redirects = 25
}