ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
2021-03-07T13:21:47Z

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6066
Enable TLSv1.3 for the panel and apps vhost (nginx)
2021-03-07T13:21:47Z
Thom

Enable TLSv1.3 if supported

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6067
Add option to disable backup on mirror systems
2021-02-22T08:39:24Z
Till Brehm

Add option to disable backup on mirror systems to avoid that web, mail and database backups get written multiple times.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6073
Aliases created by the "Website auto alias" setting are not added to the Lets Encrypt certificate request
2021-03-03T16:43:53Z
Judah - MW

## Short description
If a value is defined in System > Server Config > Web > Website Auto Alias, it is automatically added as an alias to the site vhost. However it is not added to the LE certificate request.
## Correct behaviour
The auto alias should be part of the certificate request.
(I know some people use auto alias for internal aliases, that would still be fine as the LE check would catch the non-routable alias and discard it.)
## An example
We have `mail.[website_domain]` configured as our auto alias:
![image](/uploads/75f4a0d35fdedf07204a38da6d8c1d28/image.png)
This correctly appears in all _new_ nginx vhosts like so:
```
server_name example.com www.example.com mail.example.com;
```
However it does not get added to the certificate request. Viewing the request in `acme.log` shows it is not included and viewing the certificate afterwards shows this:
```bash
$ openssl x509 -in /var/www/example.com/ssl/example.com-le.crt -text -noout | grep DNS
DNS: example.com, DNS: www.example.com
```
## Environment
Server OS: CentOS 8
ISPConfig version: 3.2.2
Webserver: NGINX
## Proposed fix
Looks like the certificate generation logic is in [server/plugins-available/nginx_plugin.inc.php:1385](https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/plugins-available/nginx_plugin.inc.php#L1385)
```php
//* Generate Let's Encrypt SSL certificat
if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y' && $conf['mirror_server_id'] == 0 && ( // ssl and let's encrypt is active and no mirror server
    ($data['old']['ssl'] == 'n' || $data['old']['ssl_letsencrypt'] == 'n') // we have new let's encrypt configuration
    || ($data['old']['domain'] != $data['new']['domain']) // we have domain update
    || ($data['old']['subdomain'] != $data['new']['subdomain']) // we have new or update on "auto" subdomain
    || $this->update_letsencrypt == true
)) {
    $success = $app->letsencrypt->request_certificates($data, 'nginx');
    if($success) {
        /* we don't need to store it.
        /* Update the DB of the (local) Server */
        $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '', ssl_key = '' WHERE domain = ?", $data['new']['domain']);
        $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
        /* Update also the master-DB of the Server-Farm */
        $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '', ssl_key = '' WHERE domain = ?", $data['new']['domain']);
        $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
    } else {
        $data['new']['ssl_letsencrypt'] = 'n';
        if($data['old']['ssl'] == 'n') $data['new']['ssl'] = 'n';
        /* Update the DB of the (local) Server */
        $app->db->query("UPDATE web_domain SET `ssl` = ?, `ssl_letsencrypt` = ? WHERE `domain` = ? AND `server_id` = ?", $data['new']['ssl'], 'n', $data['new']['domain'], $conf['server_id']);
        /* Update also the master-DB of the Server-Farm */
        $app->dbmaster->query("UPDATE web_domain SET `ssl` = ?, `ssl_letsencrypt` = ? WHERE `domain` = ?", $data['new']['ssl'], 'n', $data['new']['domain']);
    }
}
```
The problem appears to be it simply takes the information straight out of `$data` but the part that deals with the auto alias hasn't been called yet as [it's all the way down on line 1651](https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/plugins-available/nginx_plugin.inc.php#L1651):
```php
// get autoalias
$auto_alias = $web_config['website_autoalias'];
if($auto_alias != '') {
    // get the client username
    $client = $app->db->queryOneRecord("SELECT `username` FROM `client` WHERE `client_id` = ?", $client_id);
    $aa_search = array('[client_id]', '[website_id]', '[client_username]', '[website_domain]');
    $aa_replace = array($client_id, $data['new']['domain_id'], $client['username'], $data['new']['domain']);
    $auto_alias = str_replace($aa_search, $aa_replace, $auto_alias);
    unset($client);
    unset($aa_search);
    unset($aa_replace);
    $server_alias[] .= $auto_alias.' ';
}
```
There's not an obvious way to add it to that file, as it just passes the `$data` array off to the letsencrypt library. However we could add it in the LE lib, [maybe after line 365?](https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/lib/classes/letsencrypt.inc.php#L365) We'd basically just have to add the above "get auto alias" stuff in there. The only problem with that I can see is if the Apache plugin works differently and is already adding the auto alias, in which case we don't want to duplicate it.
Can anyone confirm if the Apache plugin does that? If not would this method be acceptable?
Thanks

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6074
Postfix 3.4: TLS SNI Mapping
2021-04-27T15:09:13Z
Colin Ogilvie

## short description
Postfix 3.4 supports a new feature which enables TLS SNI Mapping to enable each domain to have its own SSL certificate.
## correct behaviour
It would be good if ISPConfig could support this by default.
## environment
Server OS: Ubuntu
Server OS version: 20.04
ISPConfig version: 3.2.2
## proposed fix
* Allow various options to enable the use of certificates in the domain and include that in the generation of the certificate through LetsEncrypt. This could either be 'mail.domain' or even just domain by default.
* Maintain, or write, the ability to set the `tls_server_sni_maps` variable in Postfix (from SQL if possible)

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6082
rspamd white/blacklist using multimap module
2022-07-27T01:05:03Z
Jesse Norell

Need to rework the rspamd implementation of white/blacklists to use the multimap module rather than setting want_spam=yes - see notes/comments in https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1411

Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6088
Hide relay options per mail domain by default
2021-04-08T19:15:29Z
Thom

Hide the settings for a relay host by default - it clutters the UI and most users won't use it.
enable them through main config / server config / client limits

3.2.3
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6090
Remove client IP from sent emails
2021-03-08T12:55:49Z
Thom

When sending an email out, Postfix adds the following lines: \
`Received: from MBP-van-Thom.localdomain (12-34-56-78.ip.xs4all.nl [12.34.56.78]) (Authenticated sender: thom@example.nl) by mail.example.com (Postfix) with ESMTPSA id D2C8D60059 for <someuser@gmail.com>; Thu, 4 Mar 2021 20:43:53 +0100 (CET)`
I think it would be good to strip these lines from submitted emails, as it exposes the client's IP address.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6092
Add Nagios check for ISPconfig
2022-05-24T12:28:13Z
Helmo

The monitor page in ISPconfig has a nice overview of the system status, but I would like to be alerted when something changes.
In my setup I have Icinga for that, which is Nagios compatible.
I created a Nagios compatible script to export data from the monitor page.
It outputs a single line like: `WARNING: (ok: 12, info: system_update, warning: sys_log)`
Usage:
In an NRPE compatible config file:
`command[check_ispconfig]=/usr/bin/sudo /usr/local/ispconfig/server/check_ispconfig.php`
/etc/sudoers.d/ispconfig:
```
Cmnd_Alias CHECK_ISPCONFIG = /usr/local/ispconfig/server/check_ispconfig.php
nagios ALL = NOPASSWD : CHECK_ISPCONFIG
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6093
Monitor MX records
2022-12-27T22:35:12Z
Helmo

When a domain moves to an external mail provider it's important to de-activate or remove the mail domain from ispconfig.
When forgotten this can lead to mails not being delivered.
I've written a perl script to check this in the past and now ported that to ispconfig.
It resolves the server name and checks that the MX record for a mail_domain matches one of those IPs. Extra IPs can be added via `$mail_config['additional_smtp_ips']`
On one of my systems I use an extra IP for incoming smtp, so there I had to override the server hostname. There I've put in a `$mail_config['hostname'] = '...';` line in onRunJob() for now. I don't think we have a field for that and it's probably not worth creating it for just me. But I'm open to suggestions.
TODO
- [x] String updates?
- [x] Maybe some layout?
- [x] UI for `$mail_config['additional_smtp_ips']` and `$mail_config['additional_smtp_hostnames']`?
- [x] Maybe remove the `$app->log` warning lines as it might be a bit redundant
- [x] translation files
Anyway, feedback welcome.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6094
Ignore postfix_custom and dovecot_custom config files in conf-custom check
2021-03-10T12:52:09Z
Thom

Ignore postfix_custom and dovecot_custom config files when checking if there are custom config.
Maybe add a separate warning "You are using custom config for Postfix and Dovecot. Make sure your template does not interfere with breaking changes (usually noted in the release notes"

3.2.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6095
change of jailkit default/site section addition/override and location
2021-03-11T10:08:01Z
lee

it's not particularly clear when looking at the jailkit settings on a website options page if any settings configured there are in addition to the default server jailkit settings, or completely override them, so only sections in the site settings get applied.
its current location also means that admin intervention is required whenever a client wants a particular application added to their site's jailkit, either to add the section to their site's jailkit settings (or to remove it at a later date), or to add the application to the server's jailkit settings so everyone gets the additional application whether they want it or not.
it may be a better option to move the site's jailkit settings to the ssh account creation/settings page, and have additional sections made available for selection by the client user, just like apache or php directives are.
discussion on howtoforge forum: https://www.howtoforge.com/community/threads/quick-question-about-website-jailkit-options.86557/

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6101
Discussion: Simplify the UI for end users
2022-06-18T14:34:09Z
Thom

I just went through the UI to see which things could be confusing for novice clients, and which could be a reason for ISPs not to use ISPConfig. Some things could be hidden for all clients, some only when a specific setting is set in the main config or client limits.
## Sites
* Website vs subdomain -> some clients will add a subdomain "different.example.com" for a completely different site than the main web, maybe we could rephrase this, or add some explanation to the tab what adding a subdomain does?
* Read-only database user -> Maybe we can add a global option to enable/disable this, or put it within client limits?
* Order of Databases and database users -> Maybe we should put database users first, as this is the first thing you have to create, or allow the creation of a DB user when creating the DB itself?
## Email
* I think it would be good to switch the order of email mailbox and domain, or at least set mailbox as default tab, as this tab is the most used.
* It would be good to add global settings and/or client limits for the following buttons on the mailbox form:
  * Copy during delivery
  * Spampolicy (inherited from domain by default) (we might hide this on the domain form as well and let the admin set a default policy)
  * Enable receiving
  * Disable sending
  * Disable (local) delivering
  * Enable greylisting
  * Disable IMAP
  * Disable POP3
## DNS
* #5490
* Almost all the zone settings could be hidden:
  * NS
  * Email
  * Refresh
  * Retry
  * Expire
  * Minimum (negative cache ttl)
  * TTL
  * Allow zone transfers to these IPs (comma separated list) (as client limit)
  * Also Notify (as client limit)
  * Serial
This issue is to discuss this - it's not necessarily a feature request.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6105
Update GitLab template
2023-10-02T09:57:12Z
Thom

- Do not use the incident type
- Read the contribution guidelines
- Don't use the tracker for question/install issues
etc...

Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6110
Improve dns records list
2021-03-16T10:19:21Z
Helmo

The type, aux and ttl columns take too much space in the DNS records listing.
The patch below is more of a quick fix until a more comprehensive solution like #5490 gets done.
It reduces the width of these columns ... Which should probably be done via CSS, that's why this is not a MR. Someone else is probably better at finding the proper selector and place for it.
```patch
diff --git a/interface/web/dns/templates/dns_a_list.htm b/interface/web/dns/templates/dns_a_list.htm
index 4d0f3b2b2..a7b94fc96 100755
--- a/interface/web/dns/templates/dns_a_list.htm
+++ b/interface/web/dns/templates/dns_a_list.htm
@@ -58,11 +58,11 @@
<thead class="dark form-group-sm">
<tr>
<th class="tiny-col" data-column="active"><tmpl_var name="active_txt"></th>
- <th data-column="type"><tmpl_var name="type_txt"></th>
+ <th data-column="type" style="width: 12%;"><tmpl_var name="type_txt"></th>
<th data-column="name"><tmpl_var name="name_txt"></th>
<th data-column="data"><tmpl_var name="data_txt"></th>
- <th data-column="aux"><tmpl_var name="aux_txt"></th>
- <th data-column="ttl"><tmpl_var name="ttl_txt"></th>
+ <th data-column="aux" style="width: 8%;"><tmpl_var name="aux_txt"></th>
+ <th data-column="ttl" style="width: 8%;"><tmpl_var name="ttl_txt"></th>
<th class="small-col text-right">{tmpl_var name='search_limit'}</th>
</tr>
<tr>
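Review bot: the three added `style="width: ...;"` attributes on the `type`, `aux` and `ttl` header cells hard-code the widths inline, while the other cells in the same row are sized through classes (`tiny-col`, `small-col`). Suggest giving these three `<th>` elements a class in the same way and putting the widths in the stylesheet; that keeps the template free of inline styles, which matters if the panel is ever served with a Content-Security-Policy that does not allow inline styles.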
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6112
use placeholders for the firewall
2021-03-21T09:00:44Z
Florian Schaal

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6113
Add option to not directly remove deleted mailboxes
2022-08-17T12:49:40Z
Helmo

When a mail account is deleted via the interface it's directly removed from the filesystem.
While we have a very nice undo action in the datalog history that does not bring back the data.
A regular backup will probably have a gap between when it finished and when the mailbox is deleted. In which changes can occur which we are not able to recover.
And in some cases it might be a compliance issue to purge mailboxes.
I suggest we add an option to delay the deletion.
One way could be to rename the mail folder to e.g. `example.com/mailuser-20210318222513`. Renaming will not hold-up the task queue with large mailboxes.
A cronjob could then process these further. There are multiple ways to do that and I expect opinions to vary on that.
- remove after x time
- compress into a tar
- send to an archive location
- leave it and have your own cleanup task
- leave it for manual cleanup
As a bonus we could (under certain conditions) move it back when an undo action is performed.
I've started with code to rename mail_user and mail_domain directories. See the linked MR.
Thoughts?

3.2.9

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6116
PHPMyAdmin not working when chrooted PHP-FPM is enabled
2021-04-17T14:15:11Z
Thom

It will give an error "File not found", but other files from the PMA folder can be opened.
https://www.howtoforge.com/community/threads/how-is-pma-supposed-to-be-setup-on-a-slave.86629/page-2#post-420195

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6117
Highlight offline services in table
2021-03-25T21:17:35Z
Helmo

A bit of color could help here to directly see which services are marked as offline.
![Selection_309](/uploads/1d71c69dc50a03b76e17a1ab0fb81a3a/Selection_309.png)
![Selection_308](/uploads/d748617a573d141a9626770722a7137e/Selection_308.png)

3.2.4
Helmo

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6120
Run wget and tar quietly on update
2021-03-31T19:47:38Z
Thom

Don't show the output of wget and tar of the ISPConfig release when running the update script
```
--2021-03-23 15:33:41-- https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
Resolving www.ispconfig.org (www.ispconfig.org)... 2606:4700:20::681a:bf6, 2606:4700:20::ac43:4b70, 2606:4700:20::681a:af6, ...
Connecting to www.ispconfig.org (www.ispconfig.org)|2606:4700:20::681a:bf6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4024765 (3.8M) [application/octet-stream]
Saving to: ‘ISPConfig-3.tar.gz’
ISPConfig-3.tar.gz 100%[=================>] 3.84M --.-KB/s in 0.07s
2021-03-23 15:33:41 (55.8 MB/s) - ‘ISPConfig-3.tar.gz’ saved [4024765/4024765]
ispconfig3_install/.phplint.yml
ispconfig3_install/server/
etc
```

3.2.4
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6122
add smtp error detection/logging to ispcmail class
2021-03-23T21:54:28Z
Jesse Norell

When smtp errors happen inside the ispcmail class, they are never recorded or reported to anyone, making it harder to troubleshoot mail problems, we should log these and possibly provide a means to report to the caller (when calling send()).