ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
2022-12-05T16:55:28Z

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6197
Use of want_spam & actions (wblist) in rspamd yields unexpected results
2022-12-05T16:55:28Z, Zak

## Summary
User Block-/Allowlist config is generated with both "actions" and "want_spam" present. \
The usage of "actions" renders "want_spam" obsolete and does not honor the function that "want_spam" is supposed to provide. \
If "want_spam" is used rspamd is supposed to skip the evaluation of an email. The resulting config might provide the expected result because of "actions", but it still adds the "X-Spamd-Bar" header, which is unwanted behaviour because the header might be used in sieve rules and therefore should not be present (or at least present without a value) on emails that are handled by an entry in the allowlist.
## Steps to reproduce
Using the stock template (slightly modified to also match the from header):
```
spamfilter_wblist-2046 {
    priority = 26;
    from = "sender@domain.tld";
    rcpt = "recipient@domain.tld";
    want_spam = yes;
    apply {
        actions {
            reject = null;
            "add header" = null;
            greylist = null;
            "rewrite subject" = null;
        }
    }
}
spamfilter_wblist-2046.2 {
    priority = 26;
    mime_from = "sender@domain.tld";
    rcpt = "recipient@domain.tld";
    want_spam = yes;
    apply {
        actions {
            reject = null;
            "add header" = null;
            greylist = null;
            "rewrite subject" = null;
        }
    }
}
```
the following is logged by rspamd:
```
2021-07-12 11:03:46 #930(normal) <24ddc3>; task; rspamd_task_write_log: id: <CAP03e=xDdfHS_j7N=7JdzSrOc3fiXA2Efk+oumGrzZ9ugWEwHw@mail.domain.tld>, qid: <4698E3BE9D>, ip: 209.85.160.171, from: <sender@domain.tld>, (default: F (no action): [-0.51/nan] [DMARC_POLICY_ALLOW(-0.50){domain.tld;none;},R_PARTS_DIFFER(0.50){100.0%;},R_DKIM_ALLOW(-0.20){domain.tld:s=20161025;},R_SPF_ALLOW(-0.20){+ip4:209.85.128.0/17;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},MX_GOOD(-0.01){},ALREADY_AV_CHECKED(0.00){},ARC_NA(0.00){},ASN(0.00){asn:15169, ipnet:209.85.128.0/17, country:US;},DKIM_TRACE(0.00){domain.tld:+;},FREEMAIL_ENVFROM(0.00){domain.tld;},FREEMAIL_FROM(0.00){domain.tld;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MID_RHS_MATCH_FROMTLD(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},PREVIOUSLY_DELIVERED(0.00){recipient@domain.tld;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_ALL(0.00){},SENDER_REP_HAM(0.00){asn: 15169(-0.19), country: US(-0.00), ip: 0.0.0.0(-0.50);},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){},USER_REJECTS_BLACKLISTED_FILES(0.00){recipient@domain.tld;}]), len: 2555, time: 775.295ms, dns req: 21, digest: <4915ae6bed441b333c191c11653f0540>, rcpts: <recipient@domain.tld>, mime_rcpts: <recipient@domain.tld>, settings_id: spamfilter_wblist-2046.2
```
## Correct behaviour
Skip evaluation of an email immediately. \
Using a config without the actions stanza
```
spamfilter_wblist-2046 {
    priority = 26;
    from = "sender@domain.tld";
    rcpt = "recipient@domain.tld";
    want_spam = yes;
}
spamfilter_wblist-2046.2 {
    priority = 26;
    mime_from = "sender@domain.tld";
    rcpt = "recipient@domain.tld";
    want_spam = yes;
}
```
the following is logged:
```
2021-07-12 11:04:44 #1587(normal) <7a17ab>; task; rspamd_task_write_log: id: <CAP03e=wRW8By+3ONS3BcpcFF=EHqP0Ja9SpDV0gBqubzt2FiMQ@mail.domain.tld>, qid: <BCD863BFA5>, ip: 209.85.219.51, from: <sender@domain.tld>, (default: S (no action): [0.00/15.00] []), len: 2548, time: 1.217ms, dns req: 0, digest: <5eb295da1042112a088cf8f7958bcbe6>, rcpts: <recipient@domain.tld>, mime_rcpts: <recipient@domain.tld>, settings_id: spamfilter_wblist-2046.2
```
Therefore the evaluation is immediately skipped.
## Environment
OS: irrelevant \
ISPConfig up to 3.2.5.
## Proposed fix
Remove "actions" from the "rspamd_wblist.inc.conf.master" template. \
(And add a second entry to match the "From header" - I already proposed that in #5419)

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6189
Mailuser password malformed when using a umlaut
2023-08-08T07:21:10Z, Thom

## Summary
Letters with a umlaut in a password for a mailuser, like ä or Ö are malformed. The user can not log in.
## Steps to reproduce
1. Set the password to "ällo3456"
2. Try logging in.
## Correct behaviour
The user should be able to log in.
## Environment
Server OS + version: Debian 10 \
ISPConfig version: 3.2.4
Software version of the related software:

3.2.12

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6166
private/cron.log, private/cron_error.log are rotated multiple times
2023-12-25T13:43:49Z, lennart

## Summary
Users' cron log files private/cron.log, private/cron_error.log are rotated multiple times every night if there are multiple records in table web_domain of type = 'vhost' or type = 'vhostsubdomain' or type = 'vhostalias'.
## Steps to reproduce
see [https://www.howtoforge.com/community/threads/many-user-cron-log-files.86937/#post-422325](https://www.howtoforge.com/community/threads/many-user-cron-log-files.86937/#post-422325)
## Correct behaviour
private/cron.log, private/cron_error.log should be rotated only once every night.
## Environment
Server OS + version: (Debian 10/Ubuntu 20.04/CentOS 8/...) \
ISPConfig version: (3.1.15p3/3.2.3/3.2dev/...)
Software version of the related software:
```
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
define('ISPC_APP_VERSION', '3.2.4');
$conf['app_version'] = ISPC_APP_VERSION;
Server version: Apache/2.4.38 (Debian)
Server built: 2020-08-25T20:08:29
PHP 7.3.28-1+0~20210503.84+debian10~1.gbp6819da (cli) (built: May 3 2021 11:59:15) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.28, Copyright (c) 1998-2018 Zend Technologies
with the ionCube PHP Loader + ionCube24 v10.4.5, Copyright (c) 2002-2020, by ionCube Ltd.
with Zend OPcache v7.3.28-1+0~20210503.84+debian10~1.gbp6819da, Copyright (c) 1999-2018, by Zend Technologies
```
## Proposed fix
```
*** 200-logfiles.inc-orig-324.php 2021-05-09 14:47:49.000000000 +0200
--- 200-logfiles.inc.php 2021-05-09 15:25:34.000000000 +0200
***************
*** 71,76 ****
--- 71,79 ----
$sql = "SELECT domain_id, domain, type, document_root, web_folder, parent_domain_id, log_retention FROM web_domain WHERE (type = 'vhost' or type = 'vhostsubdomain' or type = 'vhostalias') AND server_id = ?";
$records = $app->db->queryAllRecords($sql, $conf['server_id']);
+ // ikasp
+ // rotate user cron files once
+ $cron_logfile_rotated = [];
foreach($records as $rec) {
//* create traffic statistics based on yesterdays access log file
***************
*** 126,131 ****
--- 129,139 ----
foreach($cron_logfiles as $cron_logfile) {
$cron_logfile = $rec['document_root'].'/private/' . $cron_logfile;
+ // ikasp
+ // check if already rotated
+ if (isset($cron_logfile_rotated[$cron_logfile]) and $cron_logfile_rotated[$cron_logfile]) continue;
+ $cron_logfile_rotated[$cron_logfile] = true;
+
// rename older files (move up by one)
$num = $log_retention;
while($num >= 1) {
```
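Review bot: The guard in the second hunk, `if (isset($cron_logfile_rotated[$cron_logfile]) and $cron_logfile_rotated[$cron_logfile]) continue;`, tests more than it needs to: the only value ever stored is `true`, so `if (isset($cron_logfile_rotated[$cron_logfile])) continue;` is equivalent and avoids the low-precedence `and` operator. The lookup key is the full path built from `$rec['document_root']`, so the check only deduplicates records that share a document root; a short comment saying so would help, and the `// ikasp` marker lines in both hunks can go.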

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6161
php-fpm wrong sock file creation and configuration
2021-10-10T16:01:12Z, Fco. David Ferraes Feria

In a multiple php-fpm version setup, when you change from one version to another the webXX.sock and the vhost configuration have incorrect paths of the new php-fpm-sock directory.
To reproduce this behaviour you need:
1. Multiple php-fpm versions configured for example:
PHP-FPM 7.0
Path to the PHP-FPM init script: /etc/init.d/php7.0-fpm
Path to the php.ini directory: /etc/php/7.0/fpm/php.ini
Path to the PHP-FPM pool directory: /etc/php/7.0/fpm/pool.d/
PHP-FPM socket directory: /var/lib/php7.0-fpm/
PHP-FPM 7.4
Path to the PHP-FPM init script: /etc/init.d/php7.4-fpm
Path to the php.ini directory: /etc/php/7.4/fpm/php.ini
Path to the PHP-FPM pool directory: /etc/php/7.4/fpm/pool.d/
PHP-FPM socket directory: /var/lib/php7.4-fpm/
2. Select a different version of php-fpm on vhost configuration
3. The webxx.sock was created in the right place.
/etc/php/7.0/fpm/pool.d# ls -l
total 28
-rw-r--r-- 1 root root 1013 abr 27 14:23 web6.conf
4. But the contents were wrong
[web6]
listen = /var/lib/php7.4-fpm/web6.sock
listen.owner = web6
listen.group = www-data
listen.mode = 0660
...
5. The sock was created according to this configuration
/etc/php/7.0/fpm/pool.d# ls -l /var/lib/php7.4-fpm/web6.sock
srw-rw---- 1 web6 www-data 0 abr 27 12:59 /var/lib/php7.4-fpm/web6.sock
6. And the vhost has the same error:
/etc/apache2/sites-available# grep FastCgiExternalServer xxxxxxxx.net.vhost
FastCgiExternalServer /var/www/clients/client3/web6/cgi-bin/php-fcgi-*-80-xxxxxxx.net -idle-timeout 300 -socket /var/lib/php7.4-fpm/web6.sock -pass-header Authorization -pass-header Content-Type
FastCgiExternalServer /var/www/clients/client3/web6/cgi-bin/php-fcgi-*-443-xxxxxxx.net -idle-timeout 300 -socket /var/lib/php7.4-fpm/web6.sock -pass-header Authorization -pass-header Content-Type
7. But the PHP version is ok
PHP Version 7.0.33-47+ubuntu20.04.1+deb.sury.org+1
System Linux vsweb01 5.11.16-arch1-1 #1 SMP PREEMPT Wed, 21 Apr 2021 17:22:13 +0000 x86_64
Build Date Feb 23 2021 15:04:06
Server API FPM/FastCGI
Virtual Directory Support disabled
Configuration File (php.ini) Path /etc/php/7.0/fpm
Loaded Configuration File /etc/php/7.0/fpm/php.ini
Scan this dir for additional .ini files /etc/php/7.0/fpm/conf.d
...
open_basedir /var/www/clients/client3/web6/web:/var/www/clients/client3/web6/private:/var/www/clients/client3/web6/tmp:/var/www/recupera.net/web:/srv/www/recupera.net/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom
8. In the creation of the vhost no error was reported:
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client3/web6' - return code: 0
mar 27 abr 2021 14:23:01 CDT chattr: Operation not permitted while setting flags on /var/www/clients/client3/web6
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client3/web6' - return code: 1
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client3/web6'|awk 'END{print $2,$NF}' - return code: 0
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - safe_exec cmd: setquota -u 'web6' '0' '0' 0 0 -a &> /dev/null - return code: 0
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - safe_exec cmd: setquota -T -u 'web6' 604800 604800 -a &> /dev/null - return code: 0
mar 27 abr 2021 14:23:01 CDT chattr: Operation not permitted while setting flags on /var/www/clients/client3/web6
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client3/web6' - return code: 1
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - Enable SSL for: recupera.net
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/recupera.net.vhost
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - Creating symlink: /etc/apache2/sites-enabled/100-recupera.net.vhost->/etc/apache2/sites-available/recupera.net.vhost
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - Created GoAccess config file: /var/www/clients/client3/web6/log/goaccess.conf
mar 27 abr 2021 14:23:01 CDT 27.04.2021-19:23 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
mar 27 abr 2021 14:23:02 CDT 27.04.2021-19:23 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.0/fpm/pool.d/web6.conf
mar 27 abr 2021 14:23:03 CDT 27.04.2021-19:23 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
mar 27 abr 2021 14:23:03 CDT 27.04.2021-19:23 - DEBUG - Restarting php-fpm: systemctl reload php7.0-fpm.service
mar 27 abr 2021 14:23:03 CDT 27.04.2021-19:23 - DEBUG - Apache status is: running
mar 27 abr 2021 14:23:03 CDT 27.04.2021-19:23 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
mar 27 abr 2021 14:23:03 CDT 27.04.2021-19:23 - DEBUG - Restarting httpd: systemctl restart apache2.service
mar 27 abr 2021 14:23:03 CDT 27.04.2021-19:23 - DEBUG - Apache restart return value is: 0
mar 27 abr 2021 14:23:05 CDT 27.04.2021-19:23 - DEBUG - Apache online status after restart is: running
mar 27 abr 2021 14:23:05 CDT 27.04.2021-19:23 - DEBUG - Processed datalog_id 97
The correct behaviour is:
1. The webxxx.sock file will be created on the right PHP-FPM socket directory.
2. In the vhost configuration, the parameter FastCgiExternalServer and all other parameters related to php-fpm configuration will be pointed to the right webxxx.sock configuration.
No problem was detected with this configuration, the correct version of php-fpm selected was working, but this causes some confusion.
My environment is:
Server OS + version: Ubuntu 20.04
ISPConfig version: 3.2.4
Thanks in advance.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6132
dns: better cname checks
2022-05-09T17:33:41Z, Jesse Norell

Need to implement more/better checking for CNAME records to prevent invalid records. E.g. not long ago someone reported an issue which was caused by creating CAA records for a hostname which had a CNAME record. Just now I created a CNAME record for a hostname which already had a TXT record, which is invalid. We should look up the exact set of what is allowed to be present with CNAME and only allow those.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6126
Add mail_plugins to separate dovecot config file which is included earlier
2021-05-21T12:35:34Z, Thom

Update: mail_plugins (and postmaster address?) are referred to in the service blocks from the ISPConfig template. A script should grab them from the conf-custom file, comment them out in the `99-ispconfig-custom-config.conf` file and add them to a new file `98-ispconfig-custom-config.conf` or something like that. This file should be included in the ISPConfig template before the service blocks.
~~I am now looking to the code of !1459 - This will break the implementation~~
~~Because it is included earlier, values after it will override the custom config, but the custom config should override the config in dovecot.conf of course.
I tested the order before the original MR.~~
~~$mail_plugins should be added, that's good!~~

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6125
cp user passwords mishandled
2022-03-17T23:03:22Z, Jesse Norell

I generated a random password and changed the 'admin' password via System > CP Users, and afterwards could not login with the new password. (I did verify the sys_user.passwort value changed.) The password was: 'u^iv9nbV(SU\KE[gj I tested the same procedure with a simpler alphanumeric password and I was able to login, so the UI is mishandling the password when saving it.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6104
Creating DNS secondary zone fails if name has ÅÄÖ characters and name without umlauts exists
2022-06-17T12:51:22Z, Tapio Lehtonen

## short description
Trying to create DNS secondary zone for a zone where zone name has non ASCII characters fails. Looks like if there is zone name with Ö replaced by O or Ä replaced by A adding fails with error
There is already a record for this zone.
## correct behaviour
It should work so also those zones get secondary.
Example: I have primary zone hääyöaie.fi. Adding secondary for that works.
I remove the secondary zone, create new primary zone haayoaie.fi, create secondary zone for haayoaie.fi. Now creating secondary zone for hääyöaie.fi fails with error "There is already a record for this zone."
How to work around the bug: Create the secondary zone where name has ÅÄÖ characters first. Then adding secondary zone with umlauts removed works.
I'm guessing ISPConfig checks for existing secondary zone by removing umlauts. It does not add umlauts when checking so changing order of creating secondary zones helps
## environment
root@posti:~# cat /etc/debian_version
10.8
ISPConfig 3.2.2
If it might be related to the problem
```
root@posti:~# apachectl -v
Server version: Apache/2.4.38 (Debian)
Server built: 2020-08-25T20:08:29
```
```
root@posti:~# php -v
PHP 7.3.27-9+0~20210227.82+debian10~1.gbpa4a3d6 (cli) (built: Feb 27 2021 15:50:50) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.27, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.3.27-9+0~20210227.82+debian10~1.gbpa4a3d6, Copyright (c) 1999-2018, by Zend Technologies
root@posti:~#
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6087
Apache vhost config invalid when using redirect: proxy and to-https
2022-06-17T11:16:13Z, Petr Mifek

## short description
Using both Redirect Type: proxy and Rewrite HTTP to HTTPS with Apache results in invalid configuration - Apache returns status 500. Site is configured on server with Apache and SSL with Letsencrypt enabled.
## correct behaviour
The request should be handled with a rewrite to HTTPS and then proxied.
```
# Generated (faulting) config snippet (Apache non-ssl part of the config):
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
RewriteRule ^ - [END]
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^/(.*)$ http://1.2.3.4/$1 [proxy]
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^/(.*)$ http://1.2.3.4/$1 [proxy]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
```
```
# Updated (working) config snippet (Apache non-ssl part of the config):
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
RewriteRule ^ - [END]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^/(.*)$ http://1.2.3.4/$1 [proxy]
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^/(.*)$ http://1.2.3.4/$1 [proxy]
```
## environment
Server OS: debian
Server OS version: buster
ISPConfig version: 3.2.2/nightly
## proposed fix
Move the HTTP-to-HTTPS rewrite up just after the acme challenge exemption:
Patch:
```
--- ispconfig/server/conf/vhost.conf.master 2021-03-04 01:17:38.371357346 +0000
+++ ispconfig/server/conf/vhost.conf.master.fix_tossl_and_proxy 2021-03-04 01:16:47.113325799 +0000
@@ -493,6 +493,15 @@
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
RewriteRule ^ - [END]
</tmpl_if>
+<tmpl_if name='ssl_enabled'>
+<tmpl_else>
+<tmpl_if name='rewrite_to_https' op='==' value='y'>
+ RewriteCond %{HTTPS} off
+ <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
+</tmpl_if>
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
+</tmpl_if>
+</tmpl_if>
<tmpl_if name='seo_redirect_enabled'>
RewriteCond %{HTTP_HOST} <tmpl_var name='seo_redirect_operator'>^<tmpl_var name='seo_redirect_origin_domain'>$ [NC]
<tmpl_if name='apache_version' op='<' value='2.4' format='version'>
@@ -521,15 +530,6 @@
RewriteRule ^/(.*)$ <tmpl_var name='rewrite_target'><tmpl_if name="rewrite_add_path" op="==" value="y">$1</tmpl_if> <tmpl_var name='rewrite_type'>
</tmpl_loop>
-<tmpl_if name='ssl_enabled'>
-<tmpl_else>
-<tmpl_if name='rewrite_to_https' op='==' value='y'>
- RewriteCond %{HTTPS} off
- <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
-</tmpl_if>
- RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
-</tmpl_if>
-</tmpl_if>
</tmpl_if>
# add support for apache mpm_itk
```
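Review bot: The ordering change affects more than proxy rules and should be documented: in the second hunk the removed block sat after the `</tmpl_loop>` that emits every configured rule with `<tmpl_var name='rewrite_type'>`, so once it runs first, plain-HTTP requests are redirected to HTTPS before any of those rules and before the `seo_redirect_enabled` block are evaluated. A template comment above the moved block stating that the redirect must precede the loop, and why, would keep a later edit from moving it back. It is also worth confirming that the new position at line 493 is inside the same enclosing `<tmpl_if>` that the trailing `</tmpl_if>` of this hunk closes, since the hunk context does not show it.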
## screenshots
![ApacheRedirProxyAndHttpsResultsInStatus500](/uploads/578e36743df07352654ae7c2d349250c/ApacheRedirProxyAndHttpsResultsInStatus500.jpg)

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6079
Mailboxpassword Encoding not correct
2023-08-08T07:21:26Z, Dominik

## short description
Setting Mailboxpasswords with some special chars (like e.g. §) doesn't work on Ubuntu/MariaDB. Password is set, but Login isn't possible with web-clients like roundcube - I already discussed this with Florian, but also after that, I don't come to a solution or the real reason, why it is, like it is... So maybe somebody out there has the same issue with this setup and might have an idea.
## environment
Server OS: Ubuntu 20.04
ISPConfig version: 3.2.2 (also seen with 3.1.x)
If I change the following in /interface/lib/classes/auth.inc.php, Line 272
```
public function crypt_password($cleartext_password, $charset = 'UTF-8') {
    if($charset != 'UTF-8') {
        //$cleartext_password = mb_convert_encoding($cleartext_password, $charset, 'UTF-8');
    }
```
this means removing the mb_convert_encoding
everything works fine!!
additionally if I add this:
```
public function crypt_password($cleartext_password, $charset = 'UTF-8') {
    if(($charset != 'UTF-8') && (mb_detect_encoding($cleartext_password) != 'UTF-8')) {
        $cleartext_password = mb_convert_encoding($cleartext_password, $charset, 'UTF-8');
    }
```
it also works fine!!
this means in my setup encoding IS already UTF-8, and doesn't need a second encoding...
But I don't know, if this is the solution - since the function is explicitly called with parameter $charset='ISO-8859-1'
this happens in file
/interface/lib/classes/tform_base.inc.php
in Line 1373
and I don't understand the Comment that was added there:
```
} elseif(isset($field['encryption']) && $field['encryption'] == 'CRYPTMAIL') {
// The password for the mail system needs to be converted to latin1 before it is hashed.
$record[$key] = $app->auth->crypt_password(stripslashes($record[$key]),'ISO-8859-1');
$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
}
```
so it seems like: nobody looks on the real encoding of the incoming password, but it is "simulated" to ISO-8859-1 and as a consequence it is encoded....
## proposed fix
change this line:
/interface/lib/classes/tform_base.inc.php - Line 1373
```
$entry = stripslashes($record[$key]);
$record[$key] = $app->auth->crypt_password($entry,mb_detect_encoding($entry));
```
## additional comment
What I found to my astonishment
The Problem with wrong encoded password doesn't seem to be a problem for Mailclient Thunderbird. If you access such a double encoded password-mailbox with Thunderbird you find a password-mismatch log-entry in postfix-log, but Thunderbird seems to retry and change some things and always (reproducible) in the third try, Thunderbird can access... But Roundcube for example only tries once and cannot access....
If I change the things above, in both cases login works on the first try...

3.2.12

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6078
Default server PHP handler used even if client does not have the handler in his limits
2021-03-01T12:04:34Z, Thom

If the server's default is FastCGI (or any other mode), and the client creates a web, the default PHP handler is set, even if it is not within the client's limits.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6025
adding dns zone should add DKIM records
2021-01-22T07:21:01Z, Jesse Norell

When adding a DNS zone, if a corresponding mail zone exists with a DKIM record set, that DKIM record should be added to DNS records. (Applies both to the dns wizard and adding a zone manually.)
Background:
Having found that many of our DNS zones do not have DKIM records even though they are configured in the Email domain, the likely reason is the order of adding them - if you add an Email domain first, including a DKIM record, and add the DNS zone second, you will not have any DKIM record created in DNS. Mail will still be signed with the DKIM key, just not verifiable.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6024
change shell user Base Dir creates warning
2022-09-25T19:19:23Z, Jesse Norell

When changing the shell user Base dir, in my case from /var/www/clients/client1/web20 to /var/www/clients/client1/web20/blah, I see this error:
```
21.01.2021-13:08 - DEBUG - Calling function 'update' from plugin 'shelluser_base_plugin' raised by event 'shell_user_update'.
21.01.2021-13:08 - DEBUG - Homedir New: /var/www/clients/client1/web20/blah
21.01.2021-13:08 - DEBUG - Homedir Old: /var/www/clients/client1/web20
21.01.2021-13:08 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web20' - return code: 0
PHP Warning: rename(/var/www/clients/client1/web20,/var/www/clients/client1/web20/blah): Invalid argument in /usr/local/ispconfig/server/lib/classes/
system.inc.php on line 894
```
(From https://www.howtoforge.com/community/threads/the-following-changes-are-not-yet-populated-to-all-servers.86171/#post-416503)

Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6004
private/quota-status is dovecot-only
2022-03-01T21:36:41Z, Jesse Norell

The private/quota-status service is always configured (in smtpd_recipient_restrictions), need to remove that if using courier.
https://www.howtoforge.com/community/threads/ispconfig-3-2-with-courier-incoming-mails-are-undelivered.86045/

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5979
symlinked pure-ftpd.pem to ispserver.pem not chmod 600
2021-03-09T01:29:22Z, Hj Ahmad Rasyid Hj Ismail

I finally upgraded Ubuntu 18.04 to 20.04 (nginx) and everything went smooth EXCEPT:
pureftpd-pem that is symlinked to ispserver.pem is not defaulted to 600, as ispserver.pem, as it should be, resulting services relying on it failed.
This is also reported in the forum by someone else: https://www.howtoforge.com/community/threads/monit-and-ispconfig3-2.85509
I am making a MR for it at https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1370 anyway, and open it for further discussions.
Edited and added: Upon auto renewal of LE SSL certs for the server, ispserver.pem is regenerated but the permission is not changed to 600. So the issue persisted unless resolved but the issue may not be on ISPConfig installer / updater.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5953
Reverse proxy Lets Encrypt Acme snippet
2023-09-28T20:33:47Z
Xaver Maierhofer

## short description
If Redirect Type proxy is used, Let's Encrypt won't work.
The vhost has no acme part.
(No custom templates in use)
## correct behaviour
Add the snippet if lets encrypt is enabled.
## environment
Server OS: debian
Server OS version: 10
ISPConfig version: 3.2.1
Webserver: nginx
3.2.12

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5946
backup unmount script errors on mail server
2020-12-04T13:52:26Z
Jesse Norell

Recent 3.2 backup changes cause errors about unmount scripts failing.
Some discussion/info in https://www.howtoforge.com/community/threads/backup-directory-var-backup-could-not-be-unmounted.85701/
I see this error email from our mail server node every night. The above discussion seems to be involving mail servers as well. I believe I do not see this error from our web/db server node (which uses the same mount/unmount scripts, to shared storage).

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5941
3.2.1 update configured postfix on non-mail node
2021-03-23T16:53:53Z
Jesse Norell

On a nameserver-only node, postfix is installed for local use, but was configured by the installer during a 3.1->3.2.1 update (so mail is now broken, with no amavis, etc.).
This was a debian 9 box. A second nameserver (mirror of the first one) has been updated to debian 10 and did not have this problem (postfix is installed there, too).

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5932
When update ISPConfig, if a custom port is setted for apps domain it returns to the default 8081, only on the config file (remains custom on the web panel)
2022-12-03T23:05:07Z
Sergio

## short description
When updating ISPConfig, if App Domain has a non-standard value it goes back to the default 8081 even if the Web Panel reports the custom port.
## correct behaviour
App domain should remain on the custom port as set on the web panel.
## environment
Server OS: Ubuntu
Server OS version: 20.04.01
ISPConfig version: <= 3.2.1

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5895
"PHP Version is invalid" When hiding default php version
2020-11-19T09:41:42Z
Pascal Dreissen

When you select in System -> Server config -> <server> -> Web -> PHP Settings = Hide Default PHP-Version in selectbox. Selecting Mod_PHP in a site config you cannot save and ISPConfig states: "PHP Version is invalid."
When you deselect the hide default option you can select Mod_PHP and save again.