diff --git a/install/dist/lib/fedora.lib.php b/install/dist/lib/fedora.lib.php index 0cf2141f72ad6c4c478ab8c1fc4982386591ce75..c188ac93a5b32727d28b26e8709621e10193b77e 100644 --- a/install/dist/lib/fedora.lib.php +++ b/install/dist/lib/fedora.lib.php @@ -66,6 +66,9 @@ class installer_dist extends installer_base { //* mysql-virtual_alias_domains.cf $this->process_postfix_config('mysql-virtual_alias_domains.cf'); + //* mysql-virtual_alias_maps.cf + $this->process_postfix_config('mysql-virtual_alias_maps.cf'); + //* mysql-virtual_mailboxes.cf $this->process_postfix_config('mysql-virtual_mailboxes.cf'); diff --git a/install/dist/lib/opensuse.lib.php b/install/dist/lib/opensuse.lib.php index 1401614c3fd2b4c1dc3a8b6ddf687c50638fc342..da31ad6b571d204836e6b9c5ea878c70ab2ecbb5 100644 --- a/install/dist/lib/opensuse.lib.php +++ b/install/dist/lib/opensuse.lib.php @@ -66,6 +66,9 @@ class installer_dist extends installer_base { //* mysql-virtual_alias_domains.cf $this->process_postfix_config('mysql-virtual_alias_domains.cf'); + //* mysql-virtual_alias_maps.cf + $this->process_postfix_config('mysql-virtual_alias_maps.cf'); + //* mysql-virtual_mailboxes.cf $this->process_postfix_config('mysql-virtual_mailboxes.cf'); diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 10533dd66f9bed87df51632425cf988649aaa8d5..6a4d771e16b184ac23af5d3335d436c98176856a 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -976,6 +976,9 @@ class installer_base { //* mysql-virtual_alias_domains.cf $this->process_postfix_config('mysql-virtual_alias_domains.cf'); + //* mysql-virtual_alias_maps.cf + $this->process_postfix_config('mysql-virtual_alias_maps.cf'); + //* mysql-virtual_mailboxes.cf $this->process_postfix_config('mysql-virtual_mailboxes.cf'); 
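Review bot: The list of generated map files is kept in three copies (installer_base plus the fedora and opensuse overrides), and gentoo_postfix.conf.master later in this commit also points `virtual_alias_maps` at mysql-virtual_alias_maps.cf, yet no Gentoo installer change appears in the visible diff. If the Gentoo installer carries its own copy of this list rather than inheriting the base one, that platform would get a main.cf referencing a map file that was never generated; this is worth confirming. The enclosing method starts and ends outside these hunks, so whether the update path for existing installs also reaches the new call cannot be checked from here. A comment such as `//* mysql-virtual_alias_maps.cf (alias-domain address rewriting, split out of mysql-virtual_alias_domains.cf)` would record why the new file exists.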
diff --git a/install/tpl/apache_ispconfig.vhost.master b/install/tpl/apache_ispconfig.vhost.master index 61e9a588593756e8671c1062ae7dd89eb71ffb51..f90876170bbd6da883fb5fc9dee83a6ffb9b9096 100644 --- a/install/tpl/apache_ispconfig.vhost.master +++ b/install/tpl/apache_ispconfig.vhost.master @@ -70,7 +70,7 @@ NameVirtualHost *:<tmpl_var name="vhost_port"> # SSL Configuration <tmpl_var name="ssl_comment">SSLEngine On <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'> - <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 + <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1 <tmpl_else> <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3 </tmpl_if> 
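Review bot: The `<tmpl_else>` branch still reads `SSLProtocol All -SSLv2 -SSLv3`, so Apache older than 2.3.16 keeps offering TLSv1 and TLSv1.1, while the `SSLCipherSuite` line changed in the next hunk appears to sit outside the `<tmpl_if>` and is reduced to GCM/CHACHA20 suites that only exist from TLS 1.2 on. On such a host the legacy protocols stay enabled but have no usable cipher, and if the linked OpenSSL lacks TLS 1.2 no handshake would succeed at all; this is inferred, as the supported build matrix is not visible here. Either say in a template comment that the else branch relies on the cipher list to exclude the older protocols, or tighten it as well where the build recognises the tokens, e.g. `SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`.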
@@ -78,7 +78,7 @@ NameVirtualHost *:<tmpl_var name="vhost_port"> <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle - <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 <tmpl_var name="ssl_comment">SSLHonorCipherOrder On <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'> <tmpl_var name="ssl_comment">SSLCompression Off diff --git a/install/tpl/debian6_dovecot2.conf.master b/install/tpl/debian6_dovecot2.conf.master index 80709cfe36e4b0be34c68b658e396b5c563b4566..1080eeb5599706a7c1361def9500c621e6808480 100644 --- a/install/tpl/debian6_dovecot2.conf.master +++ b/install/tpl/debian6_dovecot2.conf.master 
@@ -7,8 +7,10 @@ mail_privileged_group = vmail ssl_cert = </etc/postfix/smtpd.cert ssl_key = </etc/postfix/smtpd.key ssl_dh = </etc/dovecot/dh.pem -ssl_protocols = !SSLv2 !SSLv3 -ssl_min_protocol = TLSv1 +ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 +ssl_min_protocol = TLSv1.2 +ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +ssl_prefer_server_ciphers = no auth_verbose = yes mail_max_userip_connections = 100 mail_plugins = quota diff --git a/install/tpl/debian_dovecot2.conf.master b/install/tpl/debian_dovecot2.conf.master index a2925913727ddce3eb053ff045196824b824136b..60a1263e48e3d3e218c8ab9cf7f957a1ffca6fa7 100644 --- a/install/tpl/debian_dovecot2.conf.master +++ b/install/tpl/debian_dovecot2.conf.master @@ -7,7 +7,9 @@ mail_privileged_group = vmail postmaster_address = postmaster@example.com ssl_cert = </etc/postfix/smtpd.cert ssl_key = </etc/postfix/smtpd.key -ssl_protocols = !SSLv2 !SSLv3 +ssl_min_protocol = TLSv1.2 +ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +ssl_prefer_server_ciphers = no auth_verbose = yes mail_max_userip_connections = 100 mail_plugins = $mail_plugins quota diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master index 169826747d01281c3de5838cc869004fc32e68aa..8e3fa50f229239baff06e54f70a2bcedf4d8a9e0 100644 --- a/install/tpl/debian_postfix.conf.master +++ b/install/tpl/debian_postfix.conf.master 
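Review bot: `ssl_min_protocol` is a Dovecot 2.3 setting and `ssl_protocols` is its 2.2 counterpart, and debian_dovecot2.conf.master now carries only the former. debian6_dovecot2.conf.master keeps both lines, which suggests the installer strips whichever one the installed version does not know. If so, a Dovecot 2.2 host configured from the debian, fedora or opensuse template ends up with no protocol restriction from this file; if not, 2.2 would reject the unknown setting at startup. The same replacement is made in fedora_dovecot2.conf.master and opensuse_dovecot2.conf.master. Keeping `ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1` next to the new line, as the debian6 template does, would cover both versions, assuming that version filter exists (it is not visible in this diff).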
@@ -1,7 +1,7 @@ alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases virtual_alias_domains = proxy:mysql:{config_dir}/mysql-virtual_alias_domains.cf -virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_alias_domains.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf +virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_alias_maps.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf virtual_mailbox_base = {vmail_mailbox_base} @@ -14,7 +14,7 @@ smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_restriction_classes = greylisting -greylisting = check_policy_service inet:127.0.0.1:10023 +greylisting = check_policy_service inet:127.0.0.1:10023 smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status smtpd_use_tls = yes smtpd_tls_security_level = may 
@@ -39,10 +39,13 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks body_checks = regexp:{config_dir}/body_checks owner_request_special = no smtp_tls_security_level = may -smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 -smtpd_tls_protocols = !SSLv2,!SSLv3 -smtp_tls_protocols = !SSLv2,!SSLv3 +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtpd_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1 +smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_exclude_ciphers = RC4, aNULL smtp_tls_exclude_ciphers = RC4, aNULL +smtpd_tls_mandatory_ciphers = medium +tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +tls_preempt_cipherlist = no # needed for postfix < 3.3 when using reject_unverified_recipient (lmtp): enable_original_recipient = yes diff --git a/install/tpl/fedora_dovecot2.conf.master b/install/tpl/fedora_dovecot2.conf.master index 2acd757fbd36edbc3b9d377b0dfda9671c7fcfbc..4b9bb5c6a9cc1bc142bd45468af930758b598444 100644 --- a/install/tpl/fedora_dovecot2.conf.master +++ b/install/tpl/fedora_dovecot2.conf.master @@ -6,7 +6,9 @@ log_timestamp = "%Y-%m-%d %H:%M:%S " mail_privileged_group = vmail ssl_cert = </etc/postfix/smtpd.cert ssl_key = </etc/postfix/smtpd.key -ssl_protocols = !SSLv2 !SSLv3 +ssl_min_protocol = TLSv1.2 +ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +ssl_prefer_server_ciphers = no auth_verbose = yes mail_plugins = quota passdb { diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master index 1c78e858beb5475f21ee6b85c00785c423f878bb..ffe831286c689cf2779d13fec0b36070c19c5383 100644 
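Review bot: `smtpd_tls_protocols` and `smtp_tls_protocols` govern opportunistic TLS (`smtp_tls_security_level = may` is visible just above), so excluding TLSv1 and TLSv1.1 there means a peer limited to those versions exchanges mail in cleartext rather than with weaker encryption. Overriding `tls_medium_cipherlist` has the same effect, because that list is also what the non-mandatory cipher grade resolves to whenever it is `medium`, not only `smtpd_tls_mandatory_ciphers`. If the goal is to harden authenticated submission, tightening only `smtpd_tls_mandatory_protocols` and leaving the opportunistic settings at `!SSLv2,!SSLv3` keeps server-to-server mail encrypted wherever the peer allows it. The same lines are added in the fedora, gentoo and opensuse postfix templates. A comment above the block stating the chosen trade-off would help the next editor.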
--- a/install/tpl/fedora_postfix.conf.master +++ b/install/tpl/fedora_postfix.conf.master @@ -1,5 +1,5 @@ virtual_alias_domains = proxy:mysql:{config_dir}/mysql-virtual_alias_domains.cf -virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_alias_domains.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf +virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_alias_maps.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf virtual_mailbox_base = {vmail_mailbox_base} @@ -35,10 +35,13 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks body_checks = regexp:{config_dir}/body_checks inet_interfaces = all smtp_tls_security_level = may -smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 -smtpd_tls_protocols = !SSLv2,!SSLv3 -smtp_tls_protocols = !SSLv2,!SSLv3 +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtpd_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1 +smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_exclude_ciphers = RC4, aNULL smtp_tls_exclude_ciphers = RC4, aNULL +smtpd_tls_mandatory_ciphers = medium +tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +tls_preempt_cipherlist = no # needed for postfix < 3.3 when using reject_unverified_recipient (lmtp): enable_original_recipient = yes 
diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master index 84d404d15b0bc63e4b5edb469c04f478b3070018..52b48f92743317c652e22f2792c902a3f96eea5b 100644 --- a/install/tpl/gentoo_postfix.conf.master +++ b/install/tpl/gentoo_postfix.conf.master @@ -1,5 +1,5 @@ virtual_alias_domains = proxy:mysql:{config_dir}/mysql-virtual_alias_domains.cf -virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_alias_domains.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf +virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_alias_maps.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf virtual_mailbox_base = {vmail_mailbox_base} 
@@ -34,10 +34,13 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks body_checks = regexp:{config_dir}/body_checks inet_interfaces = all smtp_tls_security_level = may -smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 -smtpd_tls_protocols = !SSLv2,!SSLv3 -smtp_tls_protocols = !SSLv2,!SSLv3 +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtpd_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1 +smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_exclude_ciphers = RC4, aNULL smtp_tls_exclude_ciphers = RC4, aNULL +smtpd_tls_mandatory_ciphers = medium +tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +tls_preempt_cipherlist = no # needed for postfix < 3.3 when using reject_unverified_recipient (lmtp): enable_original_recipient = yes diff --git a/install/tpl/mysql-virtual_alias_domains.cf.master b/install/tpl/mysql-virtual_alias_domains.cf.master index e55fd8ea8df088457ba43a01c8df62a33e888b6f..26b14ac00da538ba9253fe937cb6a4f79bec5942 100644 --- a/install/tpl/mysql-virtual_alias_domains.cf.master +++ b/install/tpl/mysql-virtual_alias_domains.cf.master @@ -2,5 +2,6 @@ user = {mysql_server_ispconfig_user} password = {mysql_server_ispconfig_password} dbname = {mysql_server_database} hosts = {mysql_server_ip} -query = SELECT destination FROM mail_forwarding - WHERE source = '@%d' AND type = 'aliasdomain' AND active = 'y' AND server_id = {server_id} +query = SELECT SUBSTRING_INDEX(destination, '@', -1) FROM mail_forwarding + WHERE source = '@%s' AND type = 'aliasdomain' AND active = 'y' AND server_id = {server_id} + diff --git a/install/tpl/mysql-virtual_alias_maps.cf.master b/install/tpl/mysql-virtual_alias_maps.cf.master new file mode 100644 index 0000000000000000000000000000000000000000..e55fd8ea8df088457ba43a01c8df62a33e888b6f 
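Review bot: Nothing in mysql-virtual_alias_domains.cf.master or in the new mysql-virtual_alias_maps.cf.master says why two maps with the same WHERE clause now exist, which makes the split easy to undo by accident. Postfix map files accept `#` comment lines, so a header such as `# used by virtual_alias_domains: the key is a bare domain, hence %s; only a non-empty result matters` here, and `# used by virtual_alias_maps: rewrites @aliasdomain to the target held in destination` in the new file, would document it (the second wording is presumed from the query and should be checked). The hunk also appends an empty line at the end of the file, which looks unintentional.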
--- /dev/null +++ b/install/tpl/mysql-virtual_alias_maps.cf.master @@ -0,0 +1,6 @@ +user = {mysql_server_ispconfig_user} +password = {mysql_server_ispconfig_password} +dbname = {mysql_server_database} +hosts = {mysql_server_ip} +query = SELECT destination FROM mail_forwarding + WHERE source = '@%d' AND type = 'aliasdomain' AND active = 'y' AND server_id = {server_id} diff --git a/install/tpl/nginx_apps.vhost.master b/install/tpl/nginx_apps.vhost.master index a22b1aab46b71b28fca3668fdf696154f365ed3f..2680b209a2522b8ef4455ffb73f4f835c3e66477 100644 --- a/install/tpl/nginx_apps.vhost.master +++ b/install/tpl/nginx_apps.vhost.master @@ -2,7 +2,7 @@ server { listen {apps_vhost_port} {ssl_on}; listen [::]:{apps_vhost_port} {ssl_on} ipv6only=on; - {ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + {ssl_comment}ssl_protocols TLSv1.2; {ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt; {ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key; @@ -115,7 +115,7 @@ server { location /phpMyAdmin { rewrite ^/* /phpmyadmin last; } - + location /squirrelmail { root /usr/share/; index index.php index.html index.htm; diff --git a/install/tpl/nginx_ispconfig.vhost.master b/install/tpl/nginx_ispconfig.vhost.master index aad670e97a8a74d022eb3c0c11927c559bd858d6..dbe44d7064861eae187731a39e5ced7d120affd3 100644 --- a/install/tpl/nginx_ispconfig.vhost.master +++ b/install/tpl/nginx_ispconfig.vhost.master 
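Review bot: nginx treats `ssl_protocols` as an explicit allow-list, so `ssl_protocols TLSv1.2;` in nginx_apps.vhost.master also switches TLS 1.3 off, whereas the Apache (`All -…`) and Dovecot (`ssl_min_protocol`) templates in this commit leave it available. Where the installed nginx and OpenSSL support it, `{ssl_comment}ssl_protocols TLSv1.2 TLSv1.3;` would match the other services. Older nginx builds reject the `TLSv1.3` token, so this may need a version switch like the one the Apache template uses. The same line is set in nginx_ispconfig.vhost.master.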
@@ -1,13 +1,13 @@ server { listen {vhost_port} {ssl_on}; listen [::]:{vhost_port} {ssl_on} ipv6only=on; - - {ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + {ssl_comment}ssl_protocols TLSv1.2; {ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt; {ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key; {ssl_comment}ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; {ssl_comment}ssl_prefer_server_ciphers on; - + # redirect to https if accessed with http {ssl_comment}error_page 497 https://$host:{vhost_port}$request_uri; @@ -44,7 +44,7 @@ server { location ~ /\. { deny all; } - + # location /phpmyadmin { # root /usr/share/; # index index.php index.html index.htm; @@ -64,7 +64,7 @@ server { # location /phpMyAdmin { # rewrite ^/* /phpmyadmin last; # } -# +# # location /squirrelmail { # root /usr/share/; # index index.php index.html index.htm; diff --git a/install/tpl/opensuse_dovecot2.conf.master b/install/tpl/opensuse_dovecot2.conf.master index 62c9939819547aeffe28ebac3a6dfc2135187e9e..9624c05684e4564f49613cf101a5eef60e2fdc8e 100644 --- a/install/tpl/opensuse_dovecot2.conf.master +++ b/install/tpl/opensuse_dovecot2.conf.master 
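Review bot: `ssl_ciphers` on the unchanged line below the new `ssl_protocols` still carries the long legacy list, including the CBC-mode suites, the static-RSA entries (`AES128-SHA`, `AES256-SHA`) and `DES-CBC3-SHA` that this commit removes from the Apache panel vhost. All of those remain negotiable under TLS 1.2, so raising the protocol floor alone does not bring the nginx panel to the same level. Replacing the value with the eight-suite list now used for `SSLCipherSuite` in apache_ispconfig.vhost.master would make the two panel templates consistent. `ssl_prefer_server_ciphers on;` could then be revisited, since the Dovecot templates in this commit chose `no` for the same list.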
@@ -6,7 +6,9 @@ log_timestamp = "%Y-%m-%d %H:%M:%S " mail_privileged_group = vmail ssl_cert = </etc/postfix/smtpd.cert ssl_key = </etc/postfix/smtpd.key -ssl_protocols = !SSLv2 !SSLv3 +ssl_min_protocol = TLSv1.2 +ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +ssl_prefer_server_ciphers = no mail_plugins = quota passdb { args = /etc/dovecot/dovecot-sql.conf @@ -79,7 +81,7 @@ mail_plugins = $mail_plugins quota #2.3+ group = vmail #2.3+ mode = 0660 #2.3+ } -#2.3+ +#2.3+ #2.3+ unix_listener stats-writer { #2.3+ user = vmail #2.3+ group = vmail @@ -122,4 +124,3 @@ namespace inbox { special_use = \Trash } } - diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master index f2d2a4403b4cc89f79626789b779ae7c3e6d1ab9..545dcb10806b739dd99a394dc55cea986acf85f1 100644 --- a/install/tpl/opensuse_postfix.conf.master +++ b/install/tpl/opensuse_postfix.conf.master @@ -1,7 +1,7 @@ alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases virtual_alias_domains = proxy:mysql:{config_dir}/mysql-virtual_alias_domains.cf -virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_alias_domains.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf +virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_alias_maps.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf virtual_mailbox_base = {vmail_mailbox_base} 
@@ -37,10 +37,13 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks body_checks = regexp:{config_dir}/body_checks inet_interfaces = all smtp_tls_security_level = may -smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 -smtpd_tls_protocols = !SSLv2,!SSLv3 -smtp_tls_protocols = !SSLv2,!SSLv3 +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +smtpd_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1 +smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_exclude_ciphers = RC4, aNULL smtp_tls_exclude_ciphers = RC4, aNULL +smtpd_tls_mandatory_ciphers = medium +tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +tls_preempt_cipherlist = no # needed for postfix < 3.3 when using reject_unverified_recipient (lmtp): enable_original_recipient = yes diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php index 82340587140d9b8c8cc550c9157677adf1cd4889..ca14b737be66bc7b7e77adc5078c713119873de7 100644 --- a/server/plugins-available/apache2_plugin.inc.php +++ b/server/plugins-available/apache2_plugin.inc.php @@ -613,7 +613,7 @@ class apache2_plugin { unset($tmp); if($app->system->is_blacklisted_web_path($web_folder)) { - $app->log('Vhost is using a blacklisted web folder: ' . $web_folder, LOGLEVEL_ERROR); + $app->log('Vhost ' . $subdomain_host . ' is using a blacklisted web folder: ' . $web_folder, LOGLEVEL_ERROR); return 0; } diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php index 6483df4eb99555599963ae66254c8b946fa500ea..e4d59a02bbec26a0fcc9fcd25704121584e80f31 100644 --- a/server/plugins-available/nginx_plugin.inc.php +++ b/server/plugins-available/nginx_plugin.inc.php 
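Review bot: `$subdomain_host` in the new log call of apache2_plugin.inc.php is not assigned anywhere in the visible lines, so whether it is set on every path that reaches this check cannot be confirmed from the hunk; the enclosing function starts well above line 613. If it is only populated for some vhost types, the message would read `Vhost  is using a blacklisted web folder` and PHP would raise an undefined-variable notice, so confirm the assignment or fall back to the domain field of the site record. The identical change is made in nginx_plugin.inc.php. Both interpolated values presumably come from stored site data, so whatever consumes this log should treat them as untrusted text.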
@@ -455,7 +455,7 @@ class nginx_plugin { unset($tmp); if($app->system->is_blacklisted_web_path($web_folder)) { - $app->log('Vhost is using a blacklisted web folder: ' . $web_folder, LOGLEVEL_ERROR); + $app->log('Vhost ' . $subdomain_host . ' is using a blacklisted web folder: ' . $web_folder, LOGLEVEL_ERROR); return 0; }