helper_scripts/cert_check.sh

+#!/bin/bash
+
+chkdata() {
+	F=$1
+	CRT=$2
+	KEY=$3
+	if [[ "$CRT" != "" && "$KEY" != "" ]] ; then
+		if [[ ! -f "$CRT" ]] ; then
+			echo "[WARN] CERTIFICATE FILE ${CRT} MISSING FOR ${F}" ;
+		else 
+			echo -n "Checking ${CRT}" ;
+			CHK=$(openssl x509 -in "${CRT}" -text -noout >/dev/null 2>&1 ; echo $?);
+			if [[ $CHK -ne 0 ]] ; then
+				echo " FAILED!" ;
+			else
+				echo " OK" ;
+			fi
+		fi
+		if [[ ! -f "$KEY" ]] ; then
+			echo "[WARN] KEY FILE ${KEY} MISSING FOR ${F}" ;
+		else
+			echo -n "Checking ${KEY}" ;
+			CHK=$(openssl rsa -in "${KEY}" -check -noout >/dev/null 2>&1 ; echo $?);
+			if [[ $CHK -ne 0 ]] ; then
+				echo " FAILED!" ;
+			else
+				echo " OK" ;
+			fi
+		fi
+	
+		if [[ -f "$CRT" && -f "$KEY" ]] ; then
+			echo -n "Checking that key and certificate match";
+			MDCRT=$(openssl x509 -noout -modulus -in "${CRT}" | openssl md5) ;
+			MDKEY=$(openssl rsa -noout -modulus -in "${KEY}" | openssl md5) ;
+			if [[ "$MDCRT" != "$MDKEY" ]] ; then
+				echo " FAILED!" ;
+			else
+				echo " OK" ;
+			fi
+		fi
+		echo "---" ;
+	elif [[ "$CRT" != ""  || "$KEY" != "" ]] ; then
+		echo "[WARN] Check SSL config of ${F}";
+		echo "---" ;
+	fi
+}
+
+if [[ -d /etc/apache2/sites-enabled ]] ; then
+	echo "Checking enabled apache vhosts" ;
+	for FIL in /etc/apache2/sites-enabled/* ; do
+		CRT=$(grep 'SSLCertificateFile' "${FIL}" | grep -E -v '^[[:space:]]*#' | awk '{print $2}' | head -n 1) ;
+		KEY=$(grep 'SSLCertificateKeyFile' "${FIL}" | grep -E -v '^[[:space:]]*#' | awk '{print $2}' | head -n 1) ;
+		chkdata "$FIL" "$CRT" "$KEY" ;
+	done
+fi
+
+if [[ -d /etc/nginx/sites-enabled ]] ; then
+	echo "Checking enabled nginx vhosts" ;
+	for FIL in /etc/nginx/sites-enabled/* ; do
+		CRT=$(grep 'ssl_certificate' "${FIL}" | grep -E -v '^[[:space:]]*#' | awk '{print $2}' | head -n 1) ;
+		CRT=${CRT%;}
+		KEY=$(grep 'ssl_certificate_key' "${FIL}" | grep -E -v '^[[:space:]]*#' | awk '{print $2}' | head -n 1) ;
+		KEY=${KEY%;}
+		chkdata "$FIL" "$CRT" "$KEY" ;
+	done
+fi
\ No newline at end of file

helper_scripts/fixcerts

+ #!/bin/bash
+#####################################################################################
+#                                                                                   #
+# Syntax: fixcerts DOMAIN                                                           #
+#                                                                                   #
+# Use: Extend Letsencrypt SSl certificates for commonly grouped services such as    #
+#       Apache,Postfix,Dovecot using Certbot. Useful for keeping all client         #
+#       applications referencing the same virtual domain name, such as auto-config  #
+#       email clients on phones, i.e. mailuser@mydomain.TLD smtp.mydomain.TLD       #
+#       imaps.mydomain.TLD instead of mailuser@mydomain.TLD mail.ISPmaildomain.TLD  #
+#       Also useful when sending mail through services like Gmail that will         #
+#       validate sender through a negotiated TLS encrypted connection.              #
+#                                                                                   #
+#       Ex: sh fixcerts myhosteddomain.com                                          #
+#                                                                                   #
+# Prerequisites:                                                                    #
+#   - A Letsencrypt certificate for the DOMAIN must already exist                   #
+#   - A seperate certificate each for Dovecot and Postfix were previously generated #
+#   - All new host names to add MUST  already exist in DNS at least as a CNAME      #
+#   - Edit the Dovecot/Postfix conf to use the alternate certificate                #
+#   - Set the variable wr_file to a directory that certbot can read and write from  #
+#   - Set the dom_cert=,dv_cert=,pf_cert=,dv_file=, and pf_file= variables          #
+#                                                                                   #
+# In my case, I ran:                                                                #
+#   certbot certonly -webroot /usr/local/ispconfig/interface/acme -d dc.hrst.xyz    #
+#   certbot certonly -webroot /usr/local/ispconfig/interface/acme -d pf.hrst.xyz    #
+#   to create the separate Dovecot and Postscript certificates, then edited and     #
+#   ran the script to extend those certificate, once per hosted domain              #
+#                                                                                   #
+# If you use only one alternate certifcate for both mail services, set both dv_file #
+#     and pf_file to the same file name and set one of  _cert files=""  and         #
+#     use the other. If you don't wish to add to a particular certificate, set the  #
+#     variable ="", such as dom_cert                                                #
+# TODO: Pre-validate desired additions as already existing in DNS                   #
+#       Generate SRV Records and add to DNS to autoconfig clients                   #
+#                                                                                   #
+# Author: tad.hasse@gmail.com                                                       #
+#                                                                                   #
+#####################################################################################
+
+#bail out on error
+set -e
+
+# Hostnames to add to the main domain certificate
+dom_cert="webmail"
+
+# Hostnames to add to the Dovecot domain certificate
+dv_cert="pop3s imap"
+
+# Hostnames to add to the Postfix domain certificate
+pf_cert="mail smtp smtps"
+
+# Name of the certificate file that handles Dovecot
+dv_file="dc.hrst.xyz"
+
+# Name of the certificate file that handles Postfix
+pf_file="pf.hrst.xyz"
+
+# Writeable webroot for certbot (I use ISPConfig,
+wr_file="/usr/local/ispconfig/interface/acme"
+
+new_cert=""
+nanobot=""
+affected_services=""
+
+if [ -z "$1" ]                           # Is parameter #1 zero length?
+   then
+     echo "-No DOMAIN specified"          # Or no parameter passed.
+     exit 1
+   fi
+
+#live_check='/etc/letsencrypt/live/'$1
+if [[ ! -d '/etc/letsencrypt/live/'$1 ]]; then
+    echo "- DOMAIN certificate for \"$1\" not found -"
+    exit 1
+   fi
+
+if [[ ! -d '/etc/letsencrypt/live/'${dv_file} ]]; then
+    echo "- Dovecot/postoffice certificate" ${dv_file}" for \"$1\" not found -"
+    exit 1
+   fi
+
+if [[ ! -d '/etc/letsencrypt/live/'${pf_file} ]]; then
+    echo "- Postfix/mail certificate" ${pf_file}" for \"$1\" not found -"
+    exit 1
+   fi
+
+# Have certbot generate its current certificate list for use as input
+certbot certificates >~/certfile
+
+# Extend base domain certificate which typically only contains the domain.TLD and www.domain.TLD
+if [[ ! -z "${dom_cert}" ]]; then
+    echo
+    new_cert=$(echo $dom_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
+    echo "Adding" ${new_cert} " to "$1
+    nanobot=$(grep -A1 "Certificate Name: "$1 certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed  's/ / -d /g')
+    doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
+    ${doit_cert}
+    affected_services=${affected_services}+"A"
+else
+    echo "Domain Certificate unaffected"
+  fi
+
+# Extend the Dovecot certificate
+if [[ ! -z "${dv_cert}" ]]; then
+    echo
+    new_cert=$(echo $dv_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
+    echo "Adding" ${new_cert} " to "${dv_file}
+    nanobot=$(grep -A1 "Certificate Name: "${dv_file} certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed  's/ / -d /g')
+    doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
+    ${doit_cert}
+    affected_services=${affected_services}+"D"
+else
+    echo "Dovecot Certificate unaffected"
+  fi
+
+# Extend the Postscript certificate
+if [[ ! -z "{$pf_cert}" ]]; then
+    echo
+    new_cert=$(echo $pf_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
+    echo "Adding" ${new_cert} " to " ${pf_file}
+    nanobot=$(grep -A1 "Certificate Name: "${pf_file} certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed  's/ / -d /g')
+    doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
+    ${doit_cert}
+    affected_services=${affected_services}+"P"
+else
+    echo "Postfix Certificate unaffected"
+  fi
+
+  if [[ $affected_services == *"A"* ]]; then
+     echo "Remember to restart the httpd service"
+   fi
+  if [[ $affected_services == *"D"* ]]; then
+    echo "Remember to restart the dovecot/postoffice service"
+   fi
+  if [[ $affected_services == *"P"* ]]; then
+    echo "Remember to restart the postfix/sendmail  service"
+   fi
+
+echo
+echo
+echo "Add the following SRV records to DNS for client setup for "$1
+  if [[ $affected_services == *"D"* ]]; then
+    echo "_imaps._tcp."$1 "SRV 3600  4 60 993 imaps"
+    echo "_pop3s._tcp."$1 "SRV 3600  6 60 995 pop3s"
+    echo "_imap._tcp."$1 " SRV 3600  8 60 143 imap"
+  fi
+if [[ $affected_services == *"P"* ]]; then
+    echo "_smtps._tcp."$1 "SRV 3600  8 60 465 smtps"
+    echo "_smtp._tcp."$1 " SRV 3600 10 60 587 smtp"
+  fi
\ No newline at end of file

helper_scripts/import_dkim.php

+<?php
+
+/**
+ Copyright (c) 2015, Florian Schaal, schaal @it
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without modification,
+ are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ * Neither the name of ISPConfig nor the names of its contributors
+ may be used to endorse or promote products derived from this software without
+ specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ */
+
+
+/* define your settings here */
+$username = 'admin';
+$password = 'admin';
+$soap_location = 'http://192.168.0.105:8080/remote/index.php';
+$soap_uri = 'http://192.168.0.105:8080/remote/';
+/* stop editing */
+
+
+error_reporting(E_ALL^ E_WARNING);
+
+exec('which amavisd-new 2> /dev/null', $tmp_output, $tmp_retval);
+if ($tmp_retval != 0) {
+	exec('which amavisd 2> /dev/null', $tmp_output, $tmp_retval);
+	if ($tmp_retval == 0) $amavis = $tmp_output[0];
+} else $amavis = $tmp_output[0];
+
+if (!isset($amavis)) die ("amavisd not found");
+
+
+echo "Importing dkim-settings from amavis.\n\nTo import the settings even when the public-key is not available, use ".$argv[0]." --force\nNOTE: In force-mode dkim will be set to 'no' if no public-key was found.\n\n";
+
+if ( isset($argv) && isset ($argv[1]) && $argv[1] == '--force' ) $force = true; else $force = false;
+
+$client = new SoapClient(null, array('location' => $soap_location,
+	'uri'      => $soap_uri,
+	'trace' => 1,
+	'exceptions' => 1));
+
+
+exec($amavis.' showkeys', $tmp_output, $tmp_retval);
+
+foreach ( $tmp_output as $line ) {
+	//* get domain and private key-file
+	if ( preg_match('#^; key#', $line) ) {
+		$line_array = explode(' ', $line);
+		if ( $line_array[2] = 'domain' ) {
+			$domain = rtrim($line_array[3], ',');
+			$private_keyfile = $line_array[4];
+			//* get the public-key from private-key
+			unset($public_key);
+			unset($pubkey);
+			unset($private_key);
+			$private_key = file_get_contents($private_keyfile);
+			if ( isset($private_key) && !empty($private_key)) {
+				exec('echo '.escapeshellarg($private_key).'|openssl rsa -pubout -outform PEM 2> /dev/null',$pubkey,$result);
+				$public_key='';
+				foreach($pubkey as $values) $public_key=$public_key.$values."\n";
+			}
+		}
+	}
+
+	//* get selector
+	if ( isset($domain) ) {
+		if ( preg_match('/_domainkey.'.$domain.'.* TXT \(/', $line) ) {
+			$line_array = explode(' ', $line);
+			$selector = substr ( $line_array[0], 0, strpos($line_array[0], '.') );
+		}
+	}
+
+	if ( isset($domain) && isset($selector) && isset($private_keyfile) && isset($public_key) ) {
+		
+		try {
+			if ( !$session_id = $client->login($username, $password) ) {
+				echo 'SOAP-ERROR: Cant login';
+			}
+
+			echo "\nprocessing ".$domain."...\n";
+
+			$record = $client->mail_domain_get_by_domain($session_id, $domain);
+
+			if ( !empty($record) ) {
+				$record = $record[0];
+				echo "  OK: domain exists in the database\n";
+				//* check if the public-key is available
+				exec($amavis.' testkeys '.escapeshellarg($domain).'', $test_output, $test_retval);
+				$pub_key = false;
+				if ( preg_match('/^TESTING.*'.$selector.'._domainkey.'.$domain.'.*pass/',$test_output[0]) ) $pub_key = true;
+   				$client_id = $client->client_get_id($session_id, $record['sys_userid']);
+				unset($test_output);
+				if ( $pub_key ) {
+					$record['dkim_selector'] = $selector;
+					$record['dkim'] = 'y';
+					if ( preg_match("/(^-----BEGIN PUBLIC KEY-----)[a-zA-Z0-9\r\n\/\+=]{1,221}(-----END PUBLIC KEY-----(\n|\r)?$)/", $record['dkim_public'] ) ) {
+						$record['dkim_public'] = $public_key;
+						echo "  OK: public key\n";
+					} else {
+						$record['dkim_public'] = '';
+						$record['dkim'] = 'n';
+						echo "  ERROR: public key invalid\n  disable dkim for ".$domain."\n";
+					}
+					if ( preg_match("/(^-----BEGIN RSA PRIVATE KEY-----)[a-zA-Z0-9\r\n\/\+=]{1,850}(-----END RSA PRIVATE KEY-----(\n|\r)?$)/", $private_key) ) {
+						$record['dkim_private'] = $private_key;
+						echo "  OK: private key\n";
+					} else {
+						$record['dkim_private'] = '';
+						$record['dkim'] = 'n';
+						echo "  ERROR: private key invalid\n  disable dkim for ".$domain."\n";
+					}
+					$client->mail_domain_update($session_id, $client_id, $record['domain_id'], $record);
+					echo "  OK: updating database\n";
+				} else {
+					echo "  ERROR: no public-key available - skipping ".$domain."\n";
+				}
+			} else {
+				echo "  ERROR: domain not in the database - skipping ".$domain."\n";
+			}
+			$client->logout($session_id);
+		} catch (SoapFault $e) {
+			echo $client->__getLastResponse();
+			die('SOAP Error: '.$e->getMessage());
+		}
+		unset($domain);
+		unset($selector);
+	}
+}
+?>

helper_scripts/import_dkim.txt

+This scripts stores all dkim-keys from the amavis-config to the ispconfig-database
+
+Create a remote-user with at least rights for mail_domain and clients and adjust the settings for
+
+$username = 'admin';
+$password = 'admin';
+$soap_location = 'http://192.168.0.105:8080/remote/index.php';
+$soap_uri = 'http://192.168.0.105:8080/remote/';
+
+in import_dkim.php

helper_scripts/import_langfile.php

+<?php
+
+/*
+Copyright (c) 2007-2016, Till Brehm, projektfarm Gmbh
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require "/usr/local/ispconfig/interface/lib/config.inc.php";
+require "/usr/local/ispconfig/interface/lib/app.inc.php";
+
+set_time_limit(0);
+ini_set('error_reporting', E_ALL & ~E_NOTICE);
+
+//** Get commandline options
+$cmd_opt = getopt('', array('lng:','isppath::'));
+
+if(isset($cmd_opt['lng']) && is_file($cmd_opt['lng'])) {
+	// Language file that shall be imported
+	$lang_file = $cmd_opt['lng'];
+} else {
+	die('Usage example: php import_langfile.php --lng=de.lng --isppath=/usr/local/ispconfig'."\n");
+}
+
+if(isset($cmd_opt['isppath']) && is_dir($cmd_opt['isppath'])) {
+	$ispconfig_path = $cmd_opt['isppath'];
+} else {
+	$ispconfig_path = '/usr/local/ispconfig';
+}
+
+function normalize_string($string, $quote, $allow_special = false) {
+	$escaped = false;
+	$in_string = true;
+	$new_string = '';
+
+	for($c = 0; $c < mb_strlen($string); $c++) {
+		$char = mb_substr($string, $c, 1);
+
+		if($in_string === true && $escaped === false && $char === $quote) {
+			// this marks a string end (e.g. for concatenation)
+			$in_string = false;
+			continue;
+		} elseif($in_string === false) {
+			if($escaped === false && $char === $quote) {
+				$in_string = true;
+				continue;
+			} else {
+				continue; // we strip everything from outside the string!
+			}
+		}
+
+		if($char === '"' && $escaped === true && $quote === '"') {
+			// unescape this
+			$new_string .= $char;
+			$escaped = false;
+			continue;
+		} elseif($char === "'" && $escaped === false && $quote === '"') {
+			// escape this
+			$new_string .= '\\' . $char;
+			continue;
+		}
+
+		if($escaped === true) {
+			// the next character is the escaped one.
+			if($allow_special === true && ($char === 'n' || $char === 'r' || $char === 't')) {
+				$new_string .= '\' . "\\' . $char . '" . \'';
+			} else {
+				$new_string .= '\\' . $char;
+			}
+			$escaped = false;
+		} else {
+			if($char === '\\') {
+				$escaped = true;
+			} else {
+				$new_string .= $char;
+			}
+		}
+	}
+	return $new_string;
+}
+
+function validate_line($line) {
+	$line = trim($line);
+	if($line === '' || $line === '<?php' || $line === '?>') return $line; // don't treat empty lines as malicious
+
+	$ok = preg_match('/^\s*\$wb\[(["\'])(.*?)\\1\]\s*=\s*(["\'])(.*?)\\3\s*;\s*$/', $line, $matches);
+	if(!$ok) return false; // this line has invalid form and could lead to malfunction
+
+	$keyquote = $matches[1]; // ' or "
+	$key = $matches[2];
+	if(strpos($key, '"') !== false || strpos($key, "'") !== false) return false;
+
+	$textquote = $matches[3]; // ' or "
+	$text = $matches[4];
+
+	$new_line = '$wb[\'';
+
+	// validate the language key
+	$key = normalize_string($key, $keyquote);
+
+	$new_line .= $key . '\'] = \'';
+
+	// validate this text to avoid code injection
+	$text = normalize_string($text, $textquote, true);
+
+	$new_line .= $text . '\';';
+
+	return $new_line;
+}
+	
+$lines = file($lang_file);
+
+define('ISPC_ROOT_PATH', $ispconfig_path.'/interface');
+define('ISPC_LIB_PATH', ISPC_ROOT_PATH.'/lib');
+define('ISPC_WEB_PATH', ISPC_ROOT_PATH.'/web');
+
+// initial check
+$parts = explode('|', $lines[0]);
+if($parts[0] == '---' && $parts[1] == 'ISPConfig Language File') {
+	unset($lines[0]);
+
+	$buffer = '';
+	$langfile_path = '';
+	// all other lines
+	$ln = 1;
+	foreach($lines as $line) {
+		$ln++;
+		$parts = explode('|', $line);
+		if(is_array($parts) && count($parts) > 0 && $parts[0] == '--') {
+			// Write language file, if its not the first file
+			if($buffer != '' && $langfile_path != '') {
+				$buffer = trim($buffer)."\n";
+				$msg .= "File written: $langfile_path\n";
+				file_put_contents($langfile_path, $buffer);
+			}
+			// empty buffer and set variables
+			$buffer = '';
+			$module_name = trim($parts[1]);
+			$selected_language = trim($parts[2]);
+			$file_name = trim($parts[3]);
+			if(!preg_match("/^[a-z]{2}$/i", $selected_language)) die("unallowed characters in selected language name: $selected_language");
+			if(!preg_match("/^[a-z_]+$/i", $module_name)) die('unallowed characters in module name.');
+			if(!preg_match("/^[a-z\._\-]+$/i", $file_name) || stristr($file_name, '..')) die("unallowed characters in language file name: '$file_name'");
+			if($module_name == 'global') {
+				$langfile_path = trim(ISPC_LIB_PATH."/lang/".$selected_language.".lng");
+			} else {
+				$langfile_path = trim(ISPC_WEB_PATH.'/'.$module_name.'/lib/lang/'.$file_name);
+			}
+		} elseif(is_array($parts) && count($parts) > 1 && $parts[0] == '---' && $parts[1] == 'EOF') {
+			// EOF line, ignore it.
+		} else {
+			$line = validate_line($line);
+			if($line === false) $error .= "Language file contains invalid language entry on line $ln.\n";
+			else $buffer .= $line."\n";
+		}
+	}
+}
+
+echo $error;
+echo $msg;
+die("finished import.\n");
+
+?>

helper_scripts/multifile_add

+#!/bin/bash
+
+# Adding a new translation string to the files for all languages.
+# If you already added the string to your current language, be sure to deduplicate.
+
+new=$(cat << 'EOD'
+$wb['foo_txt'] = 'Some translation';
+EOD
+)
+
+if [ -z "$1" ]; then
+  echo "Usage: $0 <files>"
+  exit 1
+fi
+
+for f in $*; do
+	# Preserve a php close tag as the last line.
+	close='?>'
+	if [ "$(tail -n 1 $f)" == "$close" ]; then
+		(	
+			head -n -1 $f;
+			echo "$new";
+			echo "?>";
+		) > ${f}.new
+
+		mv ${f}.new $f
+			
+			
+	else
+		echo "$new" >> $f
+	fi
+done

helper_scripts/mydns_to_powerdns_migration.php

@@ -31,11 +31,28 @@ while($row2 = mysql_fetch_array($sql2))
 		{
 			$file2=$row2['data'];
 		}
+
+                //
+                // Fix for 'domain.ext.' apex notation
+                //
+                $record_name_end=substr($row2['name'], -1);
+                if ($record_name_end==".")
+                {
+                       // remove trailing dot from apex
+                       $record_name = substr($row2['name'], 0, strlen($row2['name'])-1);
+                }
+                else
+                {
+                       // add domain to make it a fqdn
+                       $record_name = $row2['name'] . "." . $row3['origin'];
+                }
+
+                print "$row2[name].$row3[origin]" . " $record_name\r\n"; 
 		mysql_select_db("dbispconfig");
 		$sql3 = mysql_query("SELECT substr(origin,1, LENGTH(origin)-1) AS origin FROM dns_soa where id=$row2[zone];");
 		$row3 = mysql_fetch_array($sql3);
 		mysql_select_db("powerdns");
-		mysql_query("INSERT INTO records (domain_id,name,content,ispconfig_id,type,ttl,prio,change_date) values ('$row2[zone]','$row2[name].$row3[origin]','$file2','$row2[id]','$row2[type]','$row2[ttl]','$row2[aux]','1260446221');");
+		mysql_query("INSERT INTO records (domain_id,name,content,ispconfig_id,type,ttl,prio,change_date) values ('$row2[zone]','$record_name','$file2','$row2[id]','$row2[type]','$row2[ttl]','$row2[aux]','1260446221');");
 	}
 	else
 	{

helper_scripts/recreate_webalizer_stats.php

@@ -5,8 +5,8 @@
 //######################################################################################################
 
 
-$sql = "SELECT domain_id, domain, document_root FROM web_domain WHERE server_id = ".$conf["server_id"];
-$records = $app->db->queryAllRecords($sql);
+$sql = "SELECT domain_id, domain, document_root FROM web_domain WHERE server_id = ?";
+$records = $app->db->queryAllRecords($sql, $conf["server_id"]);
 foreach($records as $rec) {
 	$domain = escapeshellcmd($rec["domain"]);
 	$logdir = escapeshellcmd($rec["document_root"].'/log');

helper_scripts/test_install_docker.sh

+#!/bin/sh
+
+# This script is used from .gitlab-ci.yml to do an automated installation inside a docker container for testing.
+
+if [ -f /usr/local/ispconfig/interface/lib/config.inc.php ]; then
+	echo "Found an existing configfile, bailing out!"
+  exit 1
+fi
+
+mysql_install_db
+service mysql start \
+&& echo "UPDATE mysql.user SET Password = PASSWORD('pass') WHERE User = 'root';" | mysql -u root \
+&& echo "UPDATE mysql.user SET plugin='mysql_native_password' where user='root';" | mysql -u root \
+&& echo "DELETE FROM mysql.user WHERE User='';" | mysql -u root \
+&& echo "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');" | mysql -u root \
+&& echo "DROP DATABASE IF EXISTS test;" | mysql -u root \
+&& echo "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';" | mysql -u root \
+&& echo "FLUSH PRIVILEGES;" | mysql -u root
+sed -i "s/^hostname=server1.example.com$/hostname=$HOSTNAME/g" /root/ispconfig3_install/install/autoinstall.ini
+
+service mysql start && php -q $CI_PROJECT_DIR/install/install.php --autoinstall=/root/ispconfig3_install/install/autoinstall.ini

helper_scripts/ubuntu-amavisd-new-2.11.patch

+--- amavisd-new.orig	2017-11-16 11:51:19.000000000 +0100
++++ amavisd-new	2018-05-25 16:53:45.623398108 +0200
+@@ -22829,6 +22829,7 @@
+         }
+         # load policy banks from the 'client_ipaddr_policy' lookup
+         Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
++        $msginfo->originating(c('originating'));
+ 
+         $msginfo->client_addr($cl_ip);      # ADDR
+         $msginfo->client_port($cl_port);    # PORT
+@@ -34361,6 +34362,7 @@
+     $sig_ind++;
+   }
+   Amavis::load_policy_bank($_,$msginfo) for @bank_names;
++  $msginfo->originating(c('originating'));
+   $msginfo->dkim_signatures_valid(\@signatures_valid)  if @signatures_valid;
+ # if (ll(5) && $sig_ind > 0) {
+ #   # show which header fields are covered by which signature

install/apps/metronome-init

+#! /bin/sh
+#
+# metronome        Start/stop metronome server
+#
+
+### BEGIN INIT INFO
+# Provides:          metronome
+# Required-Start:    $remote_fs $network $named $time
+# Required-Stop:     $remote_fs $network $named $time
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Starts metronome server
+# Description:       Starts metronome server, an XMPP server written in Lua.
+### END INIT INFO
+
+METRONOME=/usr/bin/metronomectl
+PIDDIR=/var/run/metronome
+NAME=metronome
+
+test -e $METRONOME || exit 0
+
+start()
+{
+        mkdir $PIDDIR -p
+        chown metronome:metronome $PIDDIR
+        chmod 750 $PIDDIR
+
+    $METRONOME start >> /dev/null
+}
+
+stop()
+{
+    $METRONOME stop >> /dev/null
+}
+
+reload()
+{
+    $METRONOME reload >> /dev/null
+}
+
+restart()
+{
+    $METRONOME restart >> /dev/null
+}
+
+case "$1" in
+    start)
+        echo -n "Starting Metronome..."
+        start &
+    ;;
+    stop)
+        echo -n "Stopping Metronome..."
+        stop &
+    ;;
+    reload)
+        echo -n "Reloading Metronome config..."
+        reload &
+    ;;
+    restart)
+        echo -n "Restarting Metronome..."
+        restart &
+    ;;
+    *)
+        echo "Usage: $0 {start|stop|reload|restart}" >&2
+        exit 1
+    ;;
+esac
+
+if [ $? -eq 0 ]; then
+    echo .
+else
+    echo " failed!"
+fi
+
+exit 0

install/apps/metronome_libs/mod_auth_external/authenticate_isp.sh

+#!/bin/bash
+
+IFS=":"
+AUTH_OK=1
+AUTH_FAILED=0
+LOGFILE="/var/log/metronome/auth.log"
+USELOG=true
+
+while read ACTION USER HOST PASS ; do
+
+    [ $USELOG == true ] && { echo "Date: $(date) Action: $ACTION User: $USER Host: $HOST" >> $LOGFILE; }
+
+    case $ACTION in
+        "auth")
+            if [ `/usr/bin/php /usr/lib/metronome/isp-modules/mod_auth_external/db_auth.php $USER $HOST $PASS 2>/dev/null` == 1 ] ; then
+                echo $AUTH_OK
+                [ $USELOG == true ] && { echo "AUTH OK" >> $LOGFILE; }
+            else
+                echo $AUTH_FAILED
+                [ $USELOG == true ] && { echo "AUTH FAILED" >> $LOGFILE; }
+            fi
+        ;;
+        "isuser")
+             if [ `/usr/bin/php /usr/lib/metronome/isp-modules/mod_auth_external/db_isuser.php $USER $HOST 2>/dev/null` == 1 ] ; then
+                echo $AUTH_OK
+                [ $USELOG == true ] && { echo "ISUSER OK" >> $LOGFILE; }
+            else
+                echo $AUTH_FAILED
+                [ $USELOG == true ] && { echo "ISUSER FAILED" >> $LOGFILE; }
+            fi
+        ;;
+        *)
+            echo $AUTH_FAILED
+            [ $USELOG == true ] && { echo "UNKNOWN ACTION GIVEN: $ACTION" >> $LOGFILE; }
+        ;;
+    esac
+
+done

install/apps/metronome_libs/mod_auth_external/db_auth.php

+<?php
+ini_set('display_errors', false);
+require_once('db_conf.inc.php');
+
+try{
+    // Connect database
+    $db = new mysqli($db_host, $db_user, $db_pass, $db_name);
+    result_false(mysqli_connect_errno());
+
+    // Get arguments
+    $arg_email = '';
+    $arg_password = '';
+
+    result_false(count($argv) != 4);
+    $arg_email = $argv[1].'@'.$argv[2];
+    $arg_password = $argv[3];
+
+    // check for existing user
+    $dbmail = $db->real_escape_string($arg_email);
+    $query = $db->prepare("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?");
+    $query->bind_param('si', $arg_email, $isp_server_id);
+    $query->execute();
+    $query->bind_result($jid, $password);
+    $query->fetch();
+    $query->close();
+
+    result_false(is_null($jid));
+    checkAuth($arg_password, $password);
+}catch(Exception $ex){
+    echo 0;
+    exit();
+}
+
+function result_false($cond = true){
+    if(!$cond) return;
+    echo 0;
+    exit();
+}
+function result_true(){
+    echo 1;
+    exit();
+}
+function checkAuth($pw_arg, $pw_db){
+    if(crypt($pw_arg, $pw_db) == $pw_db)
+        result_true();
+    result_false();
+}
+?>
\ No newline at end of file

install/apps/metronome_libs/mod_auth_external/db_conf.inc.php

+<?php
+$db_user = '{mysql_server_ispconfig_user}';
+$db_pass = '{mysql_server_ispconfig_password}';
+$db_name = '{mysql_server_database}';
+$db_host = '{mysql_server_ip}';
+$isp_server_id = '{server_id}';
\ No newline at end of file

install/apps/metronome_libs/mod_auth_external/db_isuser.php

+<?php
+ini_set('display_errors', false);
+require_once('db_conf.inc.php');
+
+try{
+    // Connect database
+    $db = new mysqli($db_host, $db_user, $db_pass, $db_name);
+    result_false(mysqli_connect_errno());
+
+    // Get arguments
+    $arg_email = '';
+
+    result_false(count($argv) != 3);
+    $arg_email = $argv[1].'@'.$argv[2];
+
+    // check for existing user
+    $dbmail = $db->real_escape_string($arg_email);
+    $query = $db->prepare("SELECT count(*) AS usercount FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?");
+    $query->bind_param('si', $arg_email, $isp_server_id);
+    $query->execute();
+    $query->bind_result($usercount);
+    $query->fetch();
+    $query->close();
+
+    result_false($usercount != 1);
+    result_true();
+
+}catch(Exception $ex){
+    echo 0;
+    exit();
+}
+
+function result_false($cond = true){
+    if(!$cond) return;
+    echo 0;
+    exit();
+}
+function result_true(){
+    echo 1;
+    exit();
+}
+
+?>

install/apps/metronome_libs/mod_auth_external/mod_auth_external.lua

+local nodeprep = require "util.encodings".stringprep.nodeprep;
+local lpc = require "lpc";
+
+local config = require "core.configmanager";
+local log = module._log;
+local host = module.host;
+local script_type = config.get(host, "external_auth_protocol") or "generic";
+assert(script_type == "ejabberd" or script_type == "generic");
+local command = config.get(host, "external_auth_command") or "";
+assert(type(command) == "string");
+assert(not host:find(":"));
+local usermanager = require "core.usermanager";
+local jid_bare = require "util.jid".bare;
+local new_sasl = require "util.sasl".new;
+
+local pid;
+local readfile;
+local writefile;
+
+local function send_query(text)
+        if pid and lpc.wait(pid,1) ~= nil then
+            log("debug","error, process died, force reopen");
+            pid=nil;
+        end
+        if not pid then
+                log("debug", "Opening process " .. command);
+                pid, writefile, readfile = lpc.run(command);
+        end
+        if not pid then
+                log("debug", "Process failed to open");
+                return nil;
+        end
+
+        writefile:write(text);
+        writefile:flush();
+        if script_type == "ejabberd" then
+                return readfile:read(4);
+        elseif script_type == "generic" then
+                return readfile:read();
+        end
+end
+
+function do_query(kind, username, password)
+        if not username then return nil, "not-acceptable"; end
+        username = nodeprep(username);
+        if not username then return nil, "jid-malformed"; end
+
+        local query = (password and "%s:%s:%s:%s" or "%s:%s:%s"):format(kind, username, host, password);
+        local len = #query
+        if len > 1000 then return nil, "policy-violation"; end
+
+        if script_type == "ejabberd" then
+                local lo = len % 256;
+                local hi = (len - lo) / 256;
+                query = string.char(hi, lo)..query;
+        end
+        if script_type == "generic" then
+                query = query..'\n';
+        end
+
+        local response = send_query(query);
+        if (script_type == "ejabberd" and response == "\0\2\0\0") or
+                (script_type == "generic" and response == "0") then
+                        return nil, "not-authorized";
+        elseif (script_type == "ejabberd" and response == "\0\2\0\1") or
+                (script_type == "generic" and response == "1") then
+                        return true;
+        else
+                log("debug", "Nonsense back");
+                return nil, "internal-server-error";
+        end
+end
+
+function new_external_provider(host)
+        local provider = { name = "external" };
+
+        function provider.test_password(username, password)
+                return do_query("auth", username, password);
+        end
+
+        function provider.set_password(username, password)
+                return do_query("setpass", username, password);
+        end
+
+        function provider.user_exists(username)
+                return do_query("isuser", username);
+        end
+
+        function provider.create_user(username, password) return nil, "Account creation/modification not available."; end
+
+        function provider.get_sasl_handler()
+                local testpass_authentication_profile = {
+                        plain_test = function(sasl, username, password, realm)
+                                return usermanager.test_password(username, realm, password), true;
+                        end,
+                };
+                return new_sasl(module.host, testpass_authentication_profile);
+        end
+
+        function provider.is_admin(jid)
+                local admins = config.get(host, "admins");
+                if admins ~= config.get("*", "admins") then
+                        if type(admins) == "table" then
+                                jid = jid_bare(jid);
+                                for _,admin in ipairs(admins) do
+                                        if admin == jid then return true; end
+                                end
+                        elseif admins then
+                                log("error", "Option 'admins' for host '%s' is not a table", host);
+                        end
+                end
+                return usermanager.is_admin(jid);
+        end
+
+        return provider;
+end
+
+module:add_item("auth-provider", new_external_provider(host));
\ No newline at end of file

install/apps/metronome_libs/mod_discoitems.lua

+-- * Metronome IM *
+--
+-- This file is part of the Metronome XMPP server and is released under the
+-- ISC License, please see the LICENSE file in this source package for more
+-- information about copyright and licensing.
+--
+-- As per the sublicensing clause, this file is also MIT/X11 Licensed.
+-- ** Copyright (c) 2009, Waqas Hussain
+
+local st = require "util.stanza";
+
+local result_query = st.stanza("query", {xmlns = "http://jabber.org/protocol/disco#items"});
+for _, item in ipairs(module:get_option("disco_items") or {}) do
+    result_query:tag("item", {jid = item[1], name = item[2]}):up();
+end
+
+module:hook("iq/host/http://jabber.org/protocol/disco#items:query", function(event)
+    local stanza = event.stanza;
+    local query = stanza.tags[1];
+    if stanza.attr.type == "get" and not query.attr.node then
+        event.origin.send(st.reply(stanza):add_child(result_query));
+        return true;
+    end
+end, 100);