ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
2023-12-08T11:27:23Z

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5952
Server php adding custom fpm_socket_dir
2023-12-08T11:27:23Z
Jozef Sroka
It can be good to add a custom fpm_socket_dir for server php.
I also created a merge request !1343. This merge request solves a problem with php-fpm in CentOS and Fedora. When the php-fpm services are restarted, the /run/php-fpm folder is removed together with the other sockets.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5954
Center quota % usage
2020-12-28T13:53:15Z
Thom
![image](/uploads/16a91fc94c42fc1c91bd28f5f307e840/image.png)
I propose to center the value because it looks weird when the usage is low.
cc @pdreissen
3.2.2
Pascal Dreissen

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5955
Add GoAccess real-time support to ISPConfig
2020-12-24T14:09:01Z
Michael
Based on the discussion https://www.howtoforge.com/community/threads/real-time-support-for-goaccess.85807

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5956
Remove log/ folder exclude from backup routine
2020-12-10T10:26:44Z
Michael
As the title states, currently the backup routine excludes the log folder.
Imho the log folder should be included in the backup since, beside the vhost log files, there is in this folder also the webalizer and goaccess.conf located as well as the GoAccess database files saved.
3.2.2
Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5958
jailkit update of /sys and /proc
2021-01-08T14:27:35Z
Jesse Norell
Having /sys mounted inside the jail causes a lot of errors during jailkit cleanup:
https://www.howtoforge.com/community/threads/ispconfig3-2-1-var-log-ispconfig-cron-log-is-flooded-with-messages-14g.85824/
Also related, /proc is not included in jailkit directories. Possibly just remove /sys from those, or handle both /sys and /proc (and any others?) special (process for cleanup if regular directories, but ignore if they are mount points?).

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5959
Remove TLSv1 and TLSv1.1 from Postfix
2020-12-09T11:07:50Z
Thom
TLSv1 and TLSv1.1 are deprecated and we should remove support for it, not now, as discussed in #5770, but it has to happen sometime.
I have run some tests on the biggest webmail providers, Dutch mail providers, Dutch ISPs, and French ISPs, and I only found 2 providers (out of 64) who don't support TLSv1.2: Orange (French ISP) and Excite.com. Orange only supports SSLv3 and TLSv1, Excite only supports TLSv1 and TLSv1.1. None of the tested mailservers have TLSv1 and TLSv1.1 disabled yet.
Question is mostly when - are we waiting for a big provider to start the movement? Do we just wait a little more and do it at the end of 2021?

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5965
Do OS-Update - Red Hat family
2020-12-18T21:16:37Z
Jozef Sroka
It can be good to add an update OS command for the "Red Hat family". I also created a merge request !1356
3.2.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5967
sender_login_maps should read email.cc
2020-12-18T21:15:25Z
Jesse Norell
When a mailbox forwards to other mailboxes via the cc ("send copy to") field, those destination accounts should be able to send mail as the original account, just like an alias/forward.
Use cases for not just using an alias/forward are when you want an autoresponder or filters for the mailbox.
It can use the 'disabledeliver' field to more or less emulate current behavior; if disabledeliver='y' (no local delivery, it's acting like an alias/forward), this new behavior will happen; if disabledeliver='n' (local delivery does happen), it's acting more like a standard mailbox and retains current/legacy behavior.
3.2.2
Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5968
LE SSL certificates cannot be created on Web-Mirror Servers
2021-02-15T15:43:48Z
JanThiel
## short description
https://www.howtoforge.com/community/threads/letsencrypt-multi-web-server-setup-cert-symlinks-not-created-on-mirror.85850/
## correct behaviour
LE SSL Certs should be correctly setup on all mirror servers as well
## environment
Server OS: centos
Server OS version: centos
ISPConfig version: 3.2.1

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5974
Provide a way to adapt custom templates on ISPconfig upgrade
2020-12-23T17:51:14Z
KoS
It would be great if on an ispconfig_update the update procedure would show what changed on the original templates files so that the custom template could easily be adapted with the changes too. Similar like you have when upgrading Debian packages and you see the differences between your version of the file and the developers version.
See https://www.howtoforge.com/community/threads/autoresponder-start-end-ignored.85929/

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5980
Docker Integration
2020-12-24T10:19:12Z
Jozef Sroka
Hi,
I would like to do experimental docker integration. Just a few basic features
* Container - run, stop, kill, status ..
* Image - pull, remove
* Network list
* Volumes list
something like as openvz
Would there be interest from the ISPConfig community?

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5983
Show rendered bind dns zone in extra tab
2022-01-18T11:41:20Z
Helmo
I like to show the 'finished' zone to users. Both for transparency, and data portability.
The code in !1379 adds a third tab and prints the zonefile, stored in the database after rendering in the backend.
3.2.8
Helmo

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5985
Don't use md5 on admin password
2021-01-04T14:24:32Z
Marius Burkard
The installer still uses `md5` hashing on admin password. This should be changed to the new crypt algo. Also on first login with a md5 hashed password it should be rewritten to new algo.
3.2.2
Marius Burkard

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5986
Don't use md5 hashing for remote user passwords
2021-01-04T13:56:12Z
Marius Burkard
Change remote user password encryption to `CRYPT`
3.2.2
Marius Burkard

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5988
Add files for custom lines Postfix & Dovecot
2021-02-27T11:10:13Z
Thom
After updating to 3.2.2, I saw my whole Dovecot config was overwritten. Luckily I keep versioned backups so my dsync setup and stuff like that wasn't lost. But to make upgrading more easy, I think it would be a good idea to let the installer use 2 files from conf-custom (if they exist) that take precedence with the lines set it in, like we already do for configuration that's postfix version dependent.
So we could have a `custom_postfix.cf` and `custom_dovecot.conf` in the conf-custom folder with only our own custom lines.
e.g. for postfix:
`message_size_limit = 31457280` \
`smtpd_tls_mandatory_ciphers = high` \
which will overrule the parameters we set in our templates.
for dovecot, we could let it overrule and if the line doesn't exist, add it.
Not sure how difficult this would be to implement in the installer. I'm curious what others think about this.
I think this would make upgrading for our users a more fluent task so they do it without hesitating in the future.
3.2.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6002
Sort fields in debian_postfix.conf.master
2021-01-07T11:02:32Z
Tony G
This is a suggestion/request to sort the fields in the postfix main.cf config template - and only those where sorting makes sense.
Example where sorting might not make sense:
- Someone might prefer that the smtp_*_restrictions are sorted in order of their application, which is not alphabetical.
In the case of proxy_read_maps, which is an aggregate of other fields, it's still OK to sort this field starting with 'p' before its included fields, like those starting with 's', because the order of the fields in the file does not matter.
Reasoning:
- It's much easier to find a setting when it's in sorted order.
- As a practical example, it's taken me a long time to work out the delta/diff between the most recent update (3.2.2) and my own settings. If settings are sorted it's much easier to diff tpl, conf-custom, and the main.cf files.
- Related - I have many fields in main.cf that are not in the default template. It's much easier to see if there are related changes in the template if both the tpl and the conf-custom versions are in the same order.
If approved, I'll post a MR with a suggested sorting. This will only include the default tpl fields.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6003
tpl debian_postfix.conf.master includes hard-coded /etc/postfix
2021-01-08T14:31:18Z
Tony G
The {config_dir} placeholder is used in the debian_postfix.conf.master file, replaced with /etc/postfix in main.cf. There are a couple instances of the literal text `/etc/postfix` in the settings. I have no idea if this would affect any sites. But the file was made configurable for a reason, so I'm noting that this would be an error for a site that relies on a non-default config_dir.
If approved, this can be assigned to me.
Tony G

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6005
New feature to create a new tpl and tpl-custom folder?
2021-01-20T18:16:14Z
Hj Ahmad Rasyid Hj Ismail
https://www.howtoforge.com/community/threads/new-feature-to-create-a-new-tpl-and-tpl-custom-folder.86053/
This is a mere suggestion which I think could be useful to all users.
What do you all think if ISPConfig 3.2 /tpl/ folder in installation package is also copied to the ISPConfig directory?
What I had early in my mind is /usr/local/ispconfig/server/conf/tpl/ or /usr/local/ispconfig/server/conf-tpl/. I don't know which one is preferred but I think it is best to copy latest tpl folder to ISPConfig folder for users' customization needs, if any.
I think this is quite easy to implement via ISPConfig installer so if there is any need to customize any of its files, one can copy and move it to /conf-custom/install/ folder, almost like the /conf/ folder itself.
Or may be introduce /usr/local/ispconfig/server/tpl/ and /usr/local/ispconfig/server/tpl-custom/ ?
Your comments, suggestions and feedback are most welcomed.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6006
Add config file changes to UI
2021-01-09T14:37:56Z
Tony G
This is another feature enhancement suggestion that might be easier than others. I'm hoping it can just be added to the pile of such suggestions for consideration.
The feature for adding Apache Directives can be used as a model for /etc/postfix/main.cf and /etc/dovecot/dovecot.conf. In System Config>Mail provide a textarea for Additional Postfix Settings, and another for Additional Dovecot Settings. On Save the resulting config files will have a distinctive #! comment to separate these sections from existing settings. Example:
```
#! Set by ISPConfig Template: ...
smtp_helo_timeout = 15s
smtp_mail_timeout = 15s
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
#! ISPConfig Overrides
smtp_mail_timeout = 30s
smtpd_tls_loglevel = 1
smtp_tls_security_level = dane
```
On Save, scan for `^#! ISPConfig Overrides$`, remove anything below it, and insert the new content.
For consistency that pattern can be used for Postfix and Dovecot, but for Dovecot it can be made more elegant: In the tpl config, add the single line `!include conf.d/93-ispconfig.conf` and then create that file. Just replace that file with the UI textarea. At some point if Postfix supports an `include` directive then the same mechanism can be used.
Rather than using postconf for update, for this mechanism just reload Postfix whenever the related textarea changes. An admin using multi-line settings and comments is more free to write the config as they please, for better or worse.
ISPConfig itself could use this same mechanism, where defaults set by install/update are in the config file under comment `#! Set by ISPConfig Template`, updates made through the UI or API are echoed under that with comment `#! Set in ISPConfig` and then under that the manual overrides can follow. This would allow the admin to easily see only fields that are defined with ISPConfig, rather than using postconf or doveconf statements which return all possible settings.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6008
Remove "Form to ..." from forms of system module
2021-03-09T19:37:43Z
Thom
3.2.3
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6010
allow custom rspamd url
2021-03-09T19:36:50Z
Florian Schaal

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6012
Update README.md
2021-01-13T09:57:28Z
Thom
Update the read me with up to date information on the project (any pointers?)
3.2.3
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6013
SSL ISPConfig Installer / Updater Code May Be Repetitive
2021-02-18T15:12:16Z
Hj Ahmad Rasyid Hj Ismail
I have been revisiting ISPConfig installer_base.lib.php as well as install.php and update.php files and I think the code with regards to SSL may be repetitive and most of them, if not all, may be avoided if the SSL request for the server and its services can be made before configure_postfix (include creation of smtpd.cert and smtpd.key) and configure_dovecot (include creation of dhparam file dh.pem).
Reading on dovecot, I think it is not necessary to use ssl-parameters.dat and convert it as dhparam file (dh.pem) even if it is meant for v2.2 as using it was only a mere suggestion to ease creating the same but using openssl to issue it should also work as well and pure-ftpd is using one that can be symlinked.
Since symlinks can be made to all of them whether by using self-signed or LE SSL certs or others, if it is possible to rearrange the priority in those files especially install.php and update.php, we may avoid such a repetition and may be make the install / update process a little bit faster?
A thought to be discussed further before any decision could be made.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6026
resync should setup dkim record
2021-01-22T07:06:56Z
Jesse Norell
Related to #6025, it would be nice if the Resync tool could correct missing DKIM records. The propagation of DKIM record from mail_domain to dns_rr is currently a feature of the user interface, and neither resyncing dns nor resyncing mail domains will ensure that the DKIM record is setup in dns, you must edit each email domain in the ui (a pain with admin protection, where you must switch to the client, then edit, then switch back....).

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6027
rspamd: redis server and password fields
2021-03-31T19:48:28Z
Jesse Norell
Add 4 fields for the redis server and password when using rspamd, the default redis server/password and bayes redis/password (which uses default if unspecified).
This allows specifying unix sockets to talk to the redis server, as well as a password. Having the second optional parameters for bayes allows using a second redis instance with a memory limit to cap the growth of bayes data without evicting non-bayes keys which would happen if using a single redis instance.
3.2.4
Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6032
API event support
2022-01-18T11:43:10Z
Cédric
Hello Guys,
Original post : https://www.howtoforge.com/community/threads/working-with-plugin-control-panel-vs-api.86218/
It appears the API has some event support missing.
![image](/uploads/56395a33728b5d28334ad4eb1a4b44a5/image.png)
How to try it:
1. Add error logging to your ispconfig vhost (/etc/apache2/sites-enabled/000-ispconfig.vhost)
   - add / edit the line : ErrorLog /var/log/ispconfig/httpd/YourVHOST.DOMAIN.TLS/error.log
2. Plugin demonstration :
```php
<?php
// Demonstration plugin: writes a line to the error log whenever a mail_user event fires.
class exemple_plugin {
    var $plugin_name = 'exemple_plugin';
    var $class_name = 'exemple_plugin';

    // Register the handlers for the mail_user events.
    function onLoad() {
        global $app;
        $app->plugin->registerEvent('mail:mail_user:on_before_insert', 'exemple_plugin', 'fonction_edit');
        $app->plugin->registerEvent('mail:mail_user:on_before_update', 'exemple_plugin', 'fonction_edit');
        $app->plugin->registerEvent('mail:mail_user:on_before_delete', 'exemple_plugin', 'fonction_del');
    }

    // Handler for the insert and update events.
    function fonction_edit($event_name, $page_form) {
        error_log('You should see this line in the log when you add / edit an email');
    }

    // Handler for the delete event.
    function fonction_del($event_name, $page_form) {
        error_log('You should see this line in the log when you remove an email');
    }
}
```
3. IMPORTANT : Relog into your ISPConfig control panel
4. Time to try
   1. Go to Ispconfig;
      - Email > Email Mailbox > Select an existing mailbox > Change something > Save
      - When you do that you should see this inside your logfile ![image](/uploads/d64e220d0b9665ce5535c9a3f998cf36/image.png)
   2. When you make the same change by the API, nothing is written inside the logfile.
      - That means the plugin isn't called by the API.
Also the support of multi event would be great (before/after)
Regards,
3.2.8

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6034
Configure SSL CA Cert in Dovecot
2023-05-03T12:43:56Z
Till Brehm
Currently, the SSL ca (bundle) SSL cert is not configured in dovecot.conf file. This may lead to connection issues with some older clients. We should add the line:
ssl_ca = </usr/local/ispconfig/interface/ssl/ispserver.bundle
in dovecot.conf, when the file /usr/local/ispconfig/interface/ssl/ispserver.bundle exists on the server.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6035
After a password reset you land on the same reset form
2021-01-29T10:37:38Z
Helmo
When you click the confirmation link during the password reset process you end up on the same form to reset the password again.
That's confusing and it seems more logical to go to the login form.
I'm preparing a merge request for this to make it look like:
![Selection_283](/uploads/7f88eca8846fbbac425e4c4e107aaf1a/Selection_283.png)
3.2.3
Helmo

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6037
Rspamd configured to learn bayes ham and spam by user
2021-02-01T17:08:02Z
Marius Burkard
ISPConfig configures rspamd to bayes learn ham and spam by user. This is not good for most of the use-cases (just for some very big mail servers that need per-user bayes scores).
3.2.3
Marius Burkard

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6043
jailkit: xauth error at login
2021-02-13T20:40:00Z
Jesse Norell
When logging in to a chroot shell user, xauth prints a message showing the non-chroot path (and possibly would not find the correct .Xauthority file?). Mostly harmless, but perhaps an env var (HOME?) could be set earlier before xauth runs, and at least get the correct chrooted path?
```
$ ssh client_user1f@ispc.hoster.tld
kentec_asdf@ispc.hoster.tld's password:
Linux srv-cp 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
/usr/bin/xauth: file /var/www/clients/client1/web2/./home/client_user1/.Xauthority does not exist
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6046
BREXIT - Update country list
2021-03-09T15:52:21Z
Till Brehm
Update country list to reflect that the UK is no longer a member of the European Union.
3.2.3
Till Brehm

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6049
Update the contributing doc
2023-04-25T16:11:27Z
Thom
3.2.3
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6051
Trigger junk move by Subject line impacts forwarded emails
2021-03-09T19:37:11Z
KoS
The "Move Spam Emails to Junk folder" option creates a sieve filter line that targets the Subject line of the mail:
`if anyof (header :contains "X-Spam-Flag" "YES", header :contains "X-Spam" "Yes", header :contains "subject" "*** SPAM ***", header :contains "subject" "***SPAM***")`
(see https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/conf/sieve_filter.master#L10)
The problem with the subject line is, that if such an email (e.g. a false positive) is being forwarded to another user, it ends up again in the Junk folder, because the subject still matches the "*** SPAM ***", as long as the user didn't remove it manually.
I suggest to remove the subject check, but only rely on header lines added by rspamd (and spamassassin), e.g. by adding the check `header :contains "X-Spam-Status" "yes"` too.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6052
vHost Alias / vHost Subdomain: Recursive chmod and chown can hang the cron on large / network filesystems
2021-03-09T19:37:03Z
JanThiel
## short description
Creating a vhost alias triggers a chown and chmod on the complete web root. If the webroot is huge and/or on a slow FS this takes some time and is not required at all.
## correct behaviour
It should be considered on vHost Alias / vHost Subdomain to not call chmod and chmod recursive on the /web folder
## environment
Server OS: centos
Server OS version: centos7
ISPConfig version: 3.2.2
CLI PHP: 7.2
## proposed fix
If vhostalias or vhostsubdomain, call the following lines NOT recursive:
https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/plugins-available/nginx_plugin.inc.php#L822
```
$app->system->exec_safe('chmod -R a+r ?', $data['new']['document_root'].'/' . $web_folder . '/');
```
https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/plugins-available/nginx_plugin.inc.php#L877
```
$app->system->exec_safe('chown -R ?:? ?', $username, $groupname, $data['new']['document_root'].'/' . $web_folder);
```
## The Cron log
You can see the cron working for 13 minutes on each of the operations.
```
Mi 10. Feb 16:45:02 CET 2021 10.02.2021-16:45 - DEBUG - Calling function 'ssl' from plugin 'nginx_plugin' raised by event 'web_domain_insert'.
Mi 10. Feb 16:45:02 CET 2021 10.02.2021-16:45 - DEBUG - Calling function 'insert' from plugin 'nginx_plugin' raised by event 'web_domain_insert'.
Mi 10. Feb 16:45:02 CET 2021 10.02.2021-16:45 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
Mi 10. Feb 16:45:03 CET 2021 10.02.2021-16:45 - DEBUG - safe_exec cmd: mkdir -p '/var/log/ispconfig/httpd/domain.de' - return code: 0
Mi 10. Feb 16:45:03 CET 2021 10.02.2021-16:45 - DEBUG - safe_exec cmd: mount --bind '/var/log/ispconfig/httpd/domain.de' '/var/www/clients/client1/web1/log/domain.de' - return code: 0
Mi 10. Feb 16:45:03 CET 2021 10.02.2021-16:45 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
Mi 10. Feb 16:45:03 CET 2021 10.02.2021-16:45 - DEBUG - safe_exec cmd: ln -s '/var/www/clients/client1/web1/' '/var/www/domain.de' - return code: 0
Mi 10. Feb 16:45:04 CET 2021 10.02.2021-16:45 - DEBUG - Creating symlink: ln -s /var/www/clients/client1/web1/ /var/www/domain.de
Mi 10. Feb 16:45:04 CET 2021 10.02.2021-16:45 - DEBUG - safe_exec cmd: ln -s '/var/www/clients/client1/web1/' '/var/www/clients/client1/domain.de' - return code: 0
Mi 10. Feb 16:45:04 CET 2021 10.02.2021-16:45 - DEBUG - Creating symlink: ln -s /var/www/clients/client1/web1/ /var/www/clients/client1/domain.de
Mi 10. Feb 16:45:04 CET 2021 10.02.2021-16:45 - DEBUG - safe_exec cmd: cp '/usr/local/ispconfig/server/conf-custom/error/'*.html '/var/www/clients/client1/web1/web/error/' - return code: 0
Mi 10. Feb 16:45:04 CET 2021 10.02.2021-16:45 - DEBUG - safe_exec cmd: chmod -R a+r '/var/www/clients/client1/web1/web/error/' - return code: 0
Mi 10. Feb 16:46:01 CET 2021 10.02.2021-16:46 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:47:02 CET 2021 10.02.2021-16:47 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:48:01 CET 2021 10.02.2021-16:48 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:49:01 CET 2021 10.02.2021-16:49 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:50:01 CET 2021 10.02.2021-16:50 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:51:01 CET 2021 10.02.2021-16:51 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:52:01 CET 2021 10.02.2021-16:52 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:53:02 CET 2021 10.02.2021-16:53 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:54:01 CET 2021 10.02.2021-16:54 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:55:01 CET 2021 10.02.2021-16:55 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:56:01 CET 2021 10.02.2021-16:56 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:57:01 CET 2021 10.02.2021-16:57 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:58:02 CET 2021 10.02.2021-16:58 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 16:58:40 CET 2021 10.02.2021-16:58 - DEBUG - safe_exec cmd: chmod -R a+r '/var/www/clients/client1/web1/web/' - return code: 0
Mi 10. Feb 16:59:01 CET 2021 10.02.2021-16:59 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:00:01 CET 2021 10.02.2021-17:00 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:01:01 CET 2021 10.02.2021-17:01 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:02:01 CET 2021 10.02.2021-17:02 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:03:01 CET 2021 10.02.2021-17:03 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:04:01 CET 2021 10.02.2021-17:04 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:05:01 CET 2021 10.02.2021-17:05 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:06:02 CET 2021 10.02.2021-17:06 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:07:01 CET 2021 10.02.2021-17:07 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:08:01 CET 2021 10.02.2021-17:08 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:09:01 CET 2021 10.02.2021-17:09 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:10:02 CET 2021 10.02.2021-17:10 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:11:01 CET 2021 10.02.2021-17:11 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:12:02 CET 2021 10.02.2021-17:12 - WARNING - There is already an instance of server.php running with pid 1920.
Mi 10. Feb 17:12:16 CET 2021 10.02.2021-17:12 - DEBUG - safe_exec cmd: chown -R 'web1':'client1' '/var/www/clients/client1/web1/web' - return code: 0
Mi 10. Feb 17:12:17 CET 2021 10.02.2021-17:12 - DEBUG - safe_exec cmd: chown 'web1':'client1' '/var/www/clients/client1/web1/web' - return code: 0
Mi 10. Feb 17:12:17 CET 2021 10.02.2021-17:12 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6054
Add underscore to database names (and usernames)
2021-02-15T10:20:47Z
Thom
If we add an underscore to the default DB (user) names, they will be nicely grouped in PMA

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6055
Disable client (/admin) protection by default
2021-02-11T19:28:58Z
Thom
Any opinions whether this should be enabled by default or not?

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6056
system->cp users possible data loss warning unclear
2021-03-09T15:48:13Z
lee
it seems that some users still find the warning message on the cp users page a little confusing and are unsure about what they can and can't do there. https://www.howtoforge.com/community/threads/safe-usage-of-user-management-cp-users.86362
so to make the message a bit clearer, maybe that warning should be modified to read:
WARNING: Do not edit or modify any client settings here. Use the Client- and Reseller settings in the Client module instead. Modifying or changing client users or groups here may cause data loss!
and to let them know what they can do there, maybe add another sentence along the lines of:
use this page only to create a new admin user, or to modify an existing admin users settings.
3.2.3 Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6059
Added directive to `custom_php_ini` to add fpm pool directives
2021-02-14T08:31:34Z
Kreso Pendic
Hi, I needed to add directives for php fpm 'OPTIONS' tab -> inside existing php.ini settings textarea:
process.priority
pm.status_path
etc..
and those are fpm pool directives, but the issue is that the plugin `nginx_plugin.inc.php` file wraps it in `php_admin_value[]`, so I ended up with a solution to prefix the line with the 'POOL' keyword and escaped it

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6061
Certbot: Improve predictability of output certificate (use --cert-name instead of --expand)
2021-03-10T12:51:41Z
JanThiel
## short description
Currently it is mere "luck" which domain will be the "primary" domain for certbot. This will lead to situations, where the LE config file in /renewal/ as well as the certs in /archive/ and /live/ are named "c.tld(.conf|.pem)" when requesting a certificate for a site with the domain "a.tld" containing sub- or alias domains for "b.tld", "b.a.tld" or "c.tld".
We have numerous cases where the same single vhost gets config files and cert files named with one of the additional domains. In addition to that the publicly displayed primary domain of the cert is one of the additional ones. This happens on newly requesting certs, renewing them and just updating them when e.g. adding or removing alias domains.
For instance today we cleaned up 8 stale LE configs and certs for the one primary vhost / site. Those were named "a.tld-0001", "a.tld-0002", "b.tld", "c.tld", "x.a.tld", and so on ...
After deleting **all** of them and creating a brand new LE cert + configs the config and cert file is off again. Instead of the expected "a.tld.conf" and "/live/a.tld/..." + "/archive/a.tld/..." it's all based on the **last** additional domain from the certonly cmd.
## correct behaviour
The primary domain should be the domain of the vhost site. All subdomains, aliases and such should only be added as additional domains. The config as well as the cert files should be named with the primary domain. Also deleting alias or subdomains should update the existing certificate config and file instead of creating new ones.
From the Docs:
```
Consider using --cert-name instead of --expand, as it gives more control over which certificate is modified and it lets you remove domains as well as adding them.
```
## environment
Server OS: centos
Server OS version: centos7
ISPConfig version: 3.2.2
Certbot: 1.11.0
## proposed fix
There are two issues in the current code I stumbled upon refactoring the LE code to allow Mirror Server SSL to work:
1. The certbot call lacks the `--cert-name` option. Thus certbot tries to guess internally which domain to use as primary domain. This can easily be solved supplying the `--cert-name` option with the primary domain.
2. The current code adds the **last** supplied domain name as the host for the mail address. Haven't checked out whether this has any impact on the certbot guessing, but still I do not think that this is intended.
```
/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@test2.domain.tld --cert-name=test2.domain.tld --webroot-map '{"test.domain.tld":"/usr/local/ispconfig/interface/acme","test2.domain.tld":"/usr/local/ispconfig/interface/acme","test3.domain.tld":"/usr/local/ispconfig/interface/acme"}'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for test.domain.tld and 2 more domains
Performing the following challenges:
http-01 challenge for test2.domain.tld
http-01 challenge for test3.domain.tld
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/test2.domain.tld/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/test2.domain.tld/privkey.pem
```
## references
https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/lib/classes/letsencrypt.inc.php#L165
3.2.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6063
problem with mail_user_add api call when missing homedir and maildir attributes
2021-03-04T19:23:17Z
Jiri Slezka
## short description
I am trying to add a mail user through the mail_user_add API call, but it behaves strangely when I omit some attributes (homedir, maildir).
Mail user dir is created on disk in right place (/var/vmail/example.cz/test) but homedir and maildir in db is empty. Also when quota is specified other than 0 (for example 1024MB), every mail is rejected with "Quota exceeded (mailbox for user is full)". .quotausage file is created in right place and it contains
```
priv/quota/messages
6494
priv/quota/storage
1073743931
```
## correct behaviour
homedir and maildir should be generated on ISPConfig side (if missing)
## environment
Server OS: CentOS
Server OS version: CentOS7
ISPConfig version: (3.2.2)
## log entries
maillog
```
Feb 18 09:06:02 server dovecot: lda(test@example.cz): Error: User test@example.cz doesn't have home dir set, disabling duplicate database
Feb 18 09:06:02 server dovecot: lda(test@example.cz): msgid=<20210218080602.616B0249A54@smtp.example.cz>: save failed to INBOX: Quota exceeded (mailbox for user is full)
Feb 18 09:06:02 server dovecot: lda(test@example.cz): msgid=<20210218080602.616B0249A54@smtp.example.cz>: rejected: Quota exceeded (mailbox for user is full)
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6065
Enable http/2 for the panel (nginx)
2021-02-27T11:09:48Z
Thom
3.2.3 Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6066
Enable TLSv1.3 for the panel and apps vhost (nginx)
2021-03-07T13:21:47Z
Thom
Enable TLSv1.3 if supported

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6067
Add option to disable backup on mirror systems
2021-02-22T08:39:24Z
Till Brehm
Add option to disable backup on mirror systems to avoid that web, mail and database backups get written multiple times.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6073
Aliases created by the "Website auto alias" setting are not added to the Lets Encrypt certificate request
2021-03-03T16:43:53Z
Judah - MW
## Short description
If a value is defined in System > Server Config > Web > Website Auto Alias, it is automatically added as an alias to the site vhost. However it is not added to the LE certificate request.
## Correct behaviour
The auto alias should be part of the certificate request.
(I know some people use auto alias for internal aliases, that would still be fine as the LE check would catch the non-routable alias and discard it.)
## An example
We have `mail.[website_domain]` configured as our auto alias:
![image](/uploads/75f4a0d35fdedf07204a38da6d8c1d28/image.png)
This correctly appears in all _new_ nginx vhosts like so:
```
server_name example.com www.example.com mail.example.com;
```
However it does not get added to the certificate request. Viewing the request in `acme.log` shows it is not included and viewing the certificate afterwards shows this:
```bash
$ openssl x509 -in /var/www/example.com/ssl/example.com-le.crt -text -noout | grep DNS
DNS: example.com, DNS: www.example.com
```
## Environment
Server OS: CentOS 8
ISPConfig version: 3.2.2
Webserver: NGINX
## Proposed fix
Looks like the certificate generation logic is in [server/plugins-available/nginx_plugin.inc.php:1385](https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/plugins-available/nginx_plugin.inc.php#L1385)
```php
//* Generate Let's Encrypt SSL certificat
if($data['new']['ssl'] == 'y' && $data['new']['ssl_letsencrypt'] == 'y' && $conf['mirror_server_id'] == 0 && ( // ssl and let's encrypt is active and no mirror server
        ($data['old']['ssl'] == 'n' || $data['old']['ssl_letsencrypt'] == 'n') // we have new let's encrypt configuration
        || ($data['old']['domain'] != $data['new']['domain']) // we have domain update
        || ($data['old']['subdomain'] != $data['new']['subdomain']) // we have new or update on "auto" subdomain
        || $this->update_letsencrypt == true
    )) {
    $success = $app->letsencrypt->request_certificates($data, 'nginx');
    if($success) {
        /* we don't need to store it.
        /* Update the DB of the (local) Server */
        $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '', ssl_key = '' WHERE domain = ?", $data['new']['domain']);
        $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
        /* Update also the master-DB of the Server-Farm */
        $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '', ssl_key = '' WHERE domain = ?", $data['new']['domain']);
        $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
    } else {
        $data['new']['ssl_letsencrypt'] = 'n';
        if($data['old']['ssl'] == 'n') $data['new']['ssl'] = 'n';
        /* Update the DB of the (local) Server */
        $app->db->query("UPDATE web_domain SET `ssl` = ?, `ssl_letsencrypt` = ? WHERE `domain` = ? AND `server_id` = ?", $data['new']['ssl'], 'n', $data['new']['domain'], $conf['server_id']);
        /* Update also the master-DB of the Server-Farm */
        $app->dbmaster->query("UPDATE web_domain SET `ssl` = ?, `ssl_letsencrypt` = ? WHERE `domain` = ?", $data['new']['ssl'], 'n', $data['new']['domain']);
    }
}
```
The problem appears to be it simply takes the information straight out of `$data` but the part that deals with the auto alias hasn't been called yet as [it's all the way down on line 1651](https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/plugins-available/nginx_plugin.inc.php#L1651):
```php
// get autoalias
$auto_alias = $web_config['website_autoalias'];
if($auto_alias != '') {
    // get the client username
    $client = $app->db->queryOneRecord("SELECT `username` FROM `client` WHERE `client_id` = ?", $client_id);
    $aa_search = array('[client_id]', '[website_id]', '[client_username]', '[website_domain]');
    $aa_replace = array($client_id, $data['new']['domain_id'], $client['username'], $data['new']['domain']);
    $auto_alias = str_replace($aa_search, $aa_replace, $auto_alias);
    unset($client);
    unset($aa_search);
    unset($aa_replace);
    $server_alias[] .= $auto_alias.' ';
}
```
There's not an obvious way to add it to that file, as it just passes the `$data` array off to the letsencrypt library. However we could add it in the LE lib, [maybe after line 365?](https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/lib/classes/letsencrypt.inc.php#L365) We'd basically just have to add the above "get auto alias" stuff in there. The only problem with that I can see is if the Apache plugin works differently and is already adding the auto alias, in which case we don't want to duplicate it.
Can anyone confirm if the Apache plugin does that? If not would this method be acceptable?
Thanks

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6074
Postfix 3.4: TLS SNI Mapping
2021-04-27T15:09:13Z
Colin Ogilvie
## short description
Postfix 3.4 supports a new feature which enables TLS SNI Mapping to enable each domain to have its own SSL certificate.
## correct behaviour
It would be good if ISPConfig could support this by default.
## environment
Server OS: Ubuntu
Server OS version: 20.04
ISPConfig version: 3.2.2
## proposed fix
* Allow various options to enable the use of certificates in the domain and include that in the generation of the certificate through LetsEncrypt. This could either be 'mail.domain' or even just domain by default.
* Maintain, or write, the ability to set the `tls_server_sni_maps` variable in Postfix (from SQL if possible)

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6082
rspamd white/blacklist using multimap module
2022-07-27T01:05:03Z
Jesse Norell
Need to rework the rspamd implementation of white/blacklists to use the multimap module rather than setting want_spam=yes - see notes/comments in https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1411
Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6088
Hide relay options per mail domain by default
2021-04-08T19:15:29Z
Thom
Hide the settings for a relay host by default - it clutters the UI and most users won't use it.
enable them through main config / server config / client limits
3.2.3 Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6090
Remove client IP from sent emails
2021-03-08T12:55:49Z
Thom
When sending an email out, Postfix adds the following lines: \
`Received: from MBP-van-Thom.localdomain (12-34-56-78.ip.xs4all.nl [12.34.56.78]) (Authenticated sender: thom@example.nl) by mail.example.com (Postfix) with ESMTPSA id D2C8D60059 for <someuser@gmail.com>; Thu, 4 Mar 2021 20:43:53 +0100 (CET)`
I think it would be good to strip these lines from submitted emails, as it exposes the client's IP address.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6092
Add Nagios check for ISPconfig
2022-05-24T12:28:13Z
Helmo
The monitor page in ISPconfig has a nice overview of the system status, but I would like to be alerted when something changes.
In my setup I have Icinga for that, which is Nagios compatible.
I created a Nagios compatible script to export data from the monitor page.
It outputs a single line like: `WARNING: (ok: 12, info: system_update, warning: sys_log)`
Usage:
In an NRPE compatible config file:
`command[check_ispconfig]=/usr/bin/sudo /usr/local/ispconfig/server/check_ispconfig.php`
/etc/sudoers.d/ispconfig:
```
Cmnd_Alias CHECK_ISPCONFIG = /usr/local/ispconfig/server/check_ispconfig.php
nagios ALL = NOPASSWD : CHECK_ISPCONFIG
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6093
Monitor MX records
2022-12-27T22:35:12Z
Helmo
When a domain moves to an external mail provider it's important to de-activate or remove the mail domain from ispconfig.
When forgotten this can lead to mails not being delivered.
I've written a perl script to check this in the past and now ported that to ispconfig.
It resolves the server name and checks that the MX record for a mail_domain matches one of those IPs. Extra IPs can be added via `$mail_config['additional_smtp_ips']`
On one of my systems I use an extra IP for incoming smtp, so there I had to override the server hostname. There I've put in a `$mail_config['hostname'] = '...';` line in onRunJob() for now. I don't think we have a field for that and it's probably not worth creating it for just me. But I'm open to suggestions.
TODO
- [x] String updates?
- [x] Maybe some layout?
- [x] UI for $mail_config['additional_smtp_ips'] and `$mail_config['additional_smtp_hostnames']`?
- [x] Maybe remove the $app->log warning lines as it might be a bit redundant
- [x] translation files
Anyway, feedback welcome.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6094
Ignore postfix_custom and dovecot_custom config files in conf-custom check
2021-03-10T12:52:09Z
Thom
Ignore postfix_custom and dovecot_custom config files when checking if there are custom config.
Maybe add a separate warning "You are using custom config for Postfix and Dovecot. Make sure your template does not interfere with breaking changes (usually noted in the release notes)"
3.2.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6095
change of jailkit default/site section addition/override and location
2021-03-11T10:08:01Z
lee
it's not particularly clear when looking at the jailkit settings on a website options page if any settings configured there are in addition to the default server jailkit settings, or completely override them, so only sections in the site settings get applied.
its current location also means that admin intervention is required whenever a client wants a particular application added to their site's jailkit, either to add the section to their site's jailkit settings (or to remove it at a later date), or to add the application to the server's jailkit settings so everyone gets the additional application whether they want it or not.
it may be a better option to move the site's jailkit settings to the ssh account creation/settings page, and have additional sections made available for selection by the client user, just like apache or php directives are.
discussion on howtoforge forum: https://www.howtoforge.com/community/threads/quick-question-about-website-jailkit-options.86557/

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6101
Discussion: Simplify the UI for end users
2022-06-18T14:34:09Z
Thom
I just went through the UI to see which things could be confusing for novice clients, and which could be a reason for ISPs not to use ISPConfig. Some things could be hidden for all clients, some only when a specific setting is set in the main config or client limits.
## Sites
* Website vs subdomain -> some clients will add a subdomain "different.example.com" for a completely different site than the main web, maybe we could rephrase this, or add some explanation to the tab what adding a subdomain does?
* Read-only database user -> Maybe we can add a global option to enable/disable this, or put it within client limits?
* Order of Databases and database users -> Maybe we should put database users first, as this is the first thing you have to create, or allow the creation of a DB user when creating the DB itself?
## Email
* I think it would be good to switch the order of email mailbox and domain, or at least set mailbox as default tab, as this tab is the most used.
* It would be good to add global settings and/or client limits for the following buttons on the mailbox form:
  * Copy during delivery
  * Spampolicy (inherited from domain by default) (we might hide this on the domain form as well and let the admin set a default policy)
  * Enable receiving
  * Disable sending
  * Disable (local) delivering
  * Enable greylisting
  * Disable IMAP
  * Disable POP3
## DNS
* #5490
* Almost all the zone settings could be hidden:
  * NS
  * Email
  * Refresh
  * Retry
  * Expire
  * Minimum (negative cache ttl)
  * TTL
  * Allow zone transfers to these IPs (comma separated list) (as client limit)
  * Also Notify (as client limit)
  * Serial
This issue is to discuss this - it's not necessarily a feature request.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6105
Update GitLab template
2023-10-02T09:57:12Z
Thom
- Do not use the incident type
- Read the contribution guidelines
- Don't use the tracker for question/install issues
etc...
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6110
Improve dns records list
2021-03-16T10:19:21Z
Helmo
The type, aux and ttl columns take too much space in the DNS records listing.
The patch below is more of a quick fix until a more comprehensive solution like #5490 gets done.
It reduces the width of these columns ... Which should probably be done via CSS, that's why this is not a MR. Someone else is probably better at finding the proper selector and place for it.
```patch
diff --git a/interface/web/dns/templates/dns_a_list.htm b/interface/web/dns/templates/dns_a_list.htm
index 4d0f3b2b2..a7b94fc96 100755
--- a/interface/web/dns/templates/dns_a_list.htm
+++ b/interface/web/dns/templates/dns_a_list.htm
@@ -58,11 +58,11 @@
<thead class="dark form-group-sm">
<tr>
<th class="tiny-col" data-column="active"><tmpl_var name="active_txt"></th>
- <th data-column="type"><tmpl_var name="type_txt"></th>
+ <th data-column="type" style="width: 12%;"><tmpl_var name="type_txt"></th>
<th data-column="name"><tmpl_var name="name_txt"></th>
<th data-column="data"><tmpl_var name="data_txt"></th>
- <th data-column="aux"><tmpl_var name="aux_txt"></th>
- <th data-column="ttl"><tmpl_var name="ttl_txt"></th>
+ <th data-column="aux" style="width: 8%;"><tmpl_var name="aux_txt"></th>
+ <th data-column="ttl" style="width: 8%;"><tmpl_var name="ttl_txt"></th>
<th class="small-col text-right">{tmpl_var name='search_limit'}</th>
</tr>
<tr>
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6112
use placeholders for the firewall
2021-03-21T09:00:44Z
Florian Schaal

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6113
Add option to not directly remove deleted mailboxes
2022-08-17T12:49:40Z
Helmo
When a mail account is deleted via the interface it's directly removed from the filesystem.
While we have a very nice undo action in the datalog history that does not bring back the data.
A regular backup will probably have a gap between when it finished and when the mailbox is deleted. In which changes can occur which we are not able to recover.
And in some cases it might be a compliance issue to purge mailboxes.
I suggest we add an option to delay the deletion.
One way could be to rename the mail folder to e.g. `exmaple.com/mailuser-20210318222513`. Renaming will not hold-up the task queue with large mailboxes.
A cronjob could then process these further. There are multiple ways to do that and I expect opinions to vary on that.
- remove after x time
- compress into a tar
- sent to an archive location
- leave it and have your own cleanup task
- leave it for manual cleanup
As a bonus we could (under certain conditions) move it back when an undo action is performed.
I've started with code to rename mail_user and mail_domain directories. See the linked MR.
Thoughts?
3.2.9

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6116
PHPMyAdmin not working when chrooted PHP-FPM is enabled
2021-04-17T14:15:11Z
Thom
It will give an error "File not found", but other files from the PMA folder can be opened.
https://www.howtoforge.com/community/threads/how-is-pma-supposed-to-be-setup-on-a-slave.86629/page-2#post-420195

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6117
Highlight offline services in table
2021-03-25T21:17:35Z
Helmo
A bit of color could help here to directly see which services are marked as offline.
![Selection_309](/uploads/1d71c69dc50a03b76e17a1ab0fb81a3a/Selection_309.png)
![Selection_308](/uploads/d748617a573d141a9626770722a7137e/Selection_308.png)3.2.4HelmoHelmohttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6120Run wget and tar quietly on update2021-03-31T19:47:38ZThomRun wget and tar quietly on updateDon't show the output of wget and tar of the ISPConfig release when running the update script
```
--2021-03-23 15:33:41-- https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
Resolving www.ispconfig.org (www.ispconfig.org)... ...Don't show the output of wget and tar of the ISPConfig release when running the update script
```
--2021-03-23 15:33:41-- https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
Resolving www.ispconfig.org (www.ispconfig.org)... 2606:4700:20::681a:bf6, 2606:4700:20::ac43:4b70, 2606:4700:20::681a:af6, ...
Connecting to www.ispconfig.org (www.ispconfig.org)|2606:4700:20::681a:bf6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4024765 (3.8M) [application/octet-stream]
Saving to: ‘ISPConfig-3.tar.gz’
ISPConfig-3.tar.gz 100%[=================>] 3.84M --.-KB/s in 0.07s
2021-03-23 15:33:41 (55.8 MB/s) - ‘ISPConfig-3.tar.gz’ saved [4024765/4024765]
ispconfig3_install/.phplint.yml
ispconfig3_install/server/
etc
```
3.2.4
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6122
add smtp error detection/logging to ispcmail class
2021-03-23T21:54:28Z
Jesse Norell
When smtp errors happen inside the ispcmail class, they are never recorded or reported to anyone, making it harder to troubleshoot mail problems, we should log these and possibly provide a means to report to the caller (when calling send()).

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6129
spam scanning: default to add header
2021-03-26T20:05:15Z
Jesse Norell
Currently spamfilter policies default to changing the subject, which breaks DKIM signatures, we should change the default behavior to adding a header. (Would affect mail that is scanned by ISPConfig then forwarded to another server/account.)

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6130
Remove APS Installer limit from limit-Template
2021-05-26T22:07:30Z
Jaldeep Ladola
There is non use APS Installer Limit from limit-Template.
3.2.5
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6131
rspamd: allow mismatch hdrfrom/username
2021-03-29T15:41:45Z
Jesse Norell
I propose we set `allow_hdrfrom_mismatch = true;` and `allow_username_mismatch = true;` in `/etc/rspamd/local.d/dkim_signing.conf` if reject_sender_login_mismatch is in use.
https://www.howtoforge.com/community/threads/rspamd-not-signing-email-alias-with-dkim.86690/

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6143
postfix: custom reject message
2022-03-04T23:44:23Z
Jesse Norell
Add a field for custom reject message to postfix blacklist entries.
Planned features
Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6150
rspamd greylisting
2022-06-17T12:51:14Z
Jesse Norell
Not sure if this is a bug or feature request, but currently when using rspamd, the greylisting setting of the users' spamfilter policy is not respected, if the "Enable greylisting" checkbox is disabled, then greylisting within rspamd is explicitly disabled as well; if "Enable greylisting" is enabled, things are setup correctly in rspamd settings, but also postgrey is set to always greylist, which is not what I want. I want to use rspamd's greylisting at the policy specified threshold, and not greylist everything via postgrey.
I can see a use case/expectations case for the current behavior as well, ie. "Enable greylisting" is not checked, you might expect it to be disabled in rspamd even if the selected policy specifies it should be used.
2 solutions come to mind, I'd probably favor #2 unless #1 is pretty unanimously agreed to be the correct behavior:
1) Change the wording of "Enable greylisting" to something more like "Always greylist" ("Force enable greylisting" ?), and have the checkbox only control the use of postgrey (so rspamd's policy settings (greylist level) are always used).
2) Add a server config setting to allow the admin to choose whether the "Enable greylisting" button should override the spamfilter policy or not.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6151
Make default DNS template selectable in user limits
2021-04-17T20:07:02Z
Danny
Make default DNS template to be a choice in user/reseller limits or even make it selectable which templates they will see. This will make sure clients/resellers use the correct template. Now I have clients that use my default which is not meant for them to use.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6152
Config for protected folders in Apache should be done in vhost file
2021-04-17T20:07:26Z
Johannes
Currently a .htaccess file is used to realize folder protection which is not recommended (https://httpd.apache.org/docs/2.4/howto/htaccess.html#when). This should be done directly in the vhost file with an additional `<directory>` directive. The .htpasswd file could go for example to `/var/www/.../private` and not be accessible via web even if the user makes a strange config (or stay where it is).
(Background is that I had a user who set the option "Apache AllowOverride=none" for performance reasons without realizing that this disables the password protection)

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6153
Make firewall config more userfriendly
2021-04-17T20:06:46Z
Johannes
Currently there is just one line each to open ports for UDP and TCP, respectively. Each port has to be added in a comma-separated list. I would like to have something like a sorted table of ports where I can choose tcp/udp and add a comment.
For example:
| Port | TCP | UDP | Comment |
| ------ | ------ | ------ | ------ |
| 22 | x | | SSH |
| 8080 | x | | IspConfig Interface |
| 9987 | | x | Teamspeak3 |
| 30033 | x | x | Teamspeak3 |
| 54321 | x | | Custom Python server for User xyz|
...

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6154
Extra single quote when creating wildcard certs in SSL tab
2023-09-16T14:46:24Z
Hj Ahmad Rasyid Hj Ismail
## Summary
Wildcard subdomain created certs have single quotes in its filename instead of not having it.
## Steps to reproduce
1. Go to Sites tab
1. Click on any website e.g. domain.tld
1. Select its SSL tab
1. Select \*.domain.tld
1. Create SSL
1. Certs created in ssl folder but with single quote in its file name e.g. '\*.domain.tld.ext'
## Correct behaviour
The files' name should just be \*.domain.tld.ext (without any quotes) instead of '\*.domain.tld.ext' (with single quotes)
## Environment
Server OS + version: Ubuntu 20.04 ISPConfig version: 3.2.4

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6155
Change OS update function from aptitude to apt
2021-05-26T22:07:30Z
Till Brehm
The OS update function currently uses aptitude to install the updates. We should change that to apt command.
3.2.5
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6156
Remove dnssec-lookaside auto; from named.conf.options.master
2022-02-26T17:28:57Z
Thom
Remove obsolete setting `dnssec-lookaside auto;` from the named config and put a note in the release notes to update BIND.
3.2.5
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6159
Add support for CentOS Stream to OS detection code
2022-09-06T09:13:54Z
Till Brehm
https://www.howtoforge.com/community/threads/centos8-amavis-and-clamd-scan-not-point-to-same-sock-file.86819/#post-421711

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6160
Update readme.md
2021-04-26T07:38:22Z
Thom
3.2.5
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6164
Make IPv6 address inselectable when * is set for IPv4 address for vhost.
2021-05-12T12:55:06Z
Thom
## Summary
When creating a new site and selecting "*" for IPv4 address, you can still select an IPv6 address. This option should be blurred out (and set to none), and maybe we should show a text like "Vhost is listening on all server addresses" to the IPv6 field.
## References
https://www.howtoforge.com/community/threads/2-ipv6-addresses-which-one.86944/

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6167
rspamd: enable arc signing
2021-08-31T09:16:05Z
Jesse Norell
RFE: enable ARC signing in rspamd. With the current rspamd options/implementation I would only enable signing for incoming mail (not authenticated or local), selecting the domain from the recipient addr - these are all default settings in modules.d/arc.conf - and simply point the selector map and key path map to the same as used for dkim signing.
3.2.6
Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6169
Generalised 3rd party service integration (to support Cloudflare DNS)
2022-10-02T09:23:50Z
Judah - MW
Details
=======
Hi all, we would like to integrate Cloudflare (DNS specifically) with ISPConfig so that ISPC can be the master source of truth for DNS (and still continue to run named) but can keep separate CF DNS accounts in sync with DNS changes. At the moment we have to make DNS changes twice, once in ISPC and then replicated to CF which is slow and error prone.
In doing some research for this oft-requested feature we found this open feature request: #4846 and [this HowToForge thread.](https://www.howtoforge.com/community/threads/dns-cloudflare-sync.84504/)
At the bottom of that HowToForge thread, @jnorell suggests generalising the system so it is provider agnostic and can then work with multiple DNS providers, which makes a lot of sense to me. It could even be generalised further so that it isn't just limited to linking DNS with external systems but also potentially websites with CDNs, etc.
So I guess I'd like to know: does that sound like something that fits nicely into ISPC? If I started on it would it be something you'd accept as a contribution? Do you have any guidance on the design/implementation? Are there any other ongoing efforts to do something similar I could take part in?
Finally, what would be preferable:
1. A Cloudflare specific integration.
2. A DNS specific integration (but 3rd party API agnostic, like Jesse suggested.)
3. A completely general 3rd party framework (not limited to DNS.)
How it could work
=================
Server
------
- Server plugin for 3rd parties which imports 3rd party specific libraries.
- Server library for Cloudflare imported as above which registers the right event listeners.
- New DB table `third_party_connection` used by the plugin to store generic 3rd party connections.
Interface
---------
- New tab in Settings > Server config > called "3rd party connections" where the administrator can provide Cloudflare Reseller credentials, they are stored in the generic `third_party_connection` database as type `cloudflare_reseller`.
- New limits in limit template to enable 3rd party access for clients.
- New tab on DNS zone "External DNS" with dropdown menu to select a 3rd party integration, then option to supply email/API key and even a "New account" button if reseller credentials are installed on server. (Creds also stored in `third_party_connection` table.)
- New tab on DNS record "External DNS", allowing setting specific settings such as Cloudflare proxy status. (Where would that info be stored? Tricky. Extend the DNS record table to include a new column `third_party_data` (to keep it general)? Or a new table `third_party_data` to store all extra data?)
I'd appreciate your feedback on the approach before I start to see if I'm barking up the wrong tree, and also to see if anyone would like to help.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6170
Always log a warning/error when LE + SSL is disabled because of a failure
2021-05-20T19:16:21Z
Thom
Currently, a warning is logged if the Let's Encrypt check is enabled (default behaviour) and it couldn't create the cert. But when there is a setting roll back, it is not logged. See the discussion on #5042

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6171
rspamd config errors (harmless) during install
2021-06-20T18:53:47Z
Jesse Norell
I have a server running amavis, which I'm updating prior to converting to rspamd, however rspamd is installed - during ispconfig update some (harmless) errors showed configuring rspamd, probably due to my current install/config state, but can easily be hidden or avoided:
```
Configuring Postfix
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Rspamd
chgrp: cannot access '/etc/rspamd/local.d/worker-controller.inc': No such file or directory
chmod: cannot access '/etc/rspamd/local.d/worker-controller.inc': No such file or directory
Configuring Getmail
...
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6174
DNS doesn't accept single character domain
2021-08-17T22:53:30Z
Dominik
With several new TLDs it is possible to use a single character Domain. Even with some of the old well-known domains including .de in the meantime it is possible to have a domain with only one character like "a.de". One of my customers owns such a domain with one of the new generic domains (in this case: .cymru). My solution was really simple:
I changed the corresponding regex in /usr/local/ispconfig/interface/web/dns/form/dns_soa.tform.php and dns_slave.tform.php and then it worked.
Unfortunately it is not allowed to have a single character domain in all TLDs - so there are TLDs out there that still allow only two-character domains and even some that allow only three-character domains. So what is the right solution now? Including an intelligence that knows the minimal length for all TLDs? Or just my simple solution and allow one character in every case?
3.2.6
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6184
rspamd: don't use secure_ip
2021-06-21T15:47:39Z
Jesse Norell
We currently setup rspamd with a password for worker-controller, with secure_ip set to localhost; that is probably fine for a dedicated mail server, but allows access to the controller by all clients for systems which share web and mail services (eg. single-server), as addresses in secure_ip do not require a password. We should drop the use of secure_ip, and preferably switch to using unix sockets to talk to all rspamd daemons.
Also provide examples of how to configure reverse proxies to connect and authenticate (eg. add a Password header and use unix rather than tcp socket).

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6187
DS RECORD functions for API
2022-01-21T23:14:44Z
francois parreaux-ey
Hello,
Following below discussion (link) I propose to add DS RECORD functions for API
https://www.howtoforge.com/community/threads/dnssec-cascade-inside-ispconfig.86988/#post-423182
code added in 'interface/lib/classes/remote.d/dns.inc.php'
```php
// ----------------------------------------------------------------------------------------------------------------

//* Get record details
public function dns_ds_get($session_id, $primary_id) {
	return $this->dns_rr_get($session_id, $primary_id, 'DS');
}

//* Add a record
public function dns_ds_add($session_id, $client_id, $params, $update_serial=false) {
	return $this->dns_rr_add($session_id, $client_id, $params, $update_serial, 'DS');
}

//* Update a record
public function dns_ds_update($session_id, $client_id, $primary_id, $params, $update_serial=false) {
	return $this->dns_rr_update($session_id, $client_id, $primary_id, $params, $update_serial, 'DS');
}

//* Delete a record
public function dns_ds_delete($session_id, $primary_id, $update_serial=false) {
	return $this->dns_rr_delete($session_id, $primary_id, $update_serial, 'DS');
}
```
As a reminder, in case you want to have a cascade of zones using DNSSEC, you need to :
1. let's create child.dom.tld
1.a Create zone with 'dnssec_wanted=y'
2. in parent zone ie dom.tld
2.a. Create DS_record pointing to child zone (this is the aim of the functions I am adding)
2.b. Create 2 NS_records pointing to child zone
3. update parent zone dom.tld to have zone signing updated
4. don't forget to create secondary Zones on your secondary bind server
Many thanks for your trust
francoisPE
3.2.8
francois parreaux-ey

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6188
Add field for FPM-Chroot Docroot
2021-06-21T13:49:21Z
Patrick Omland
If Chroot FPM is selected, add a Field for Custom Docroot. When there is detected a Custom Docroot Input change FPM Pool config with new Docroot. Like Openbasedir Field no Input = Change nothing and / Custom Input = Change Docroot in Pool config
See this Thread (German)
https://forum.howtoforge.de/threads/docroot-unter-chroot-fpm.12662/#post-62035

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6191
improve letsencrypt renew hook
2021-08-31T09:15:59Z
Jesse Norell
Change the letsencrypt renew hook to allow a custom script to run in addition to (rather than just instead of) the default one. The pre and post hooks already do this.
https://www.howtoforge.com/community/threads/hook-evolution-for-ispconfig-le-renewal.87185/
3.2.6
Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6198
clarify "ISPConfig v2 detected" message
2021-08-31T09:15:48Z
Jesse Norell
Clarify the "ISPConfig v2 detected" message, perhaps a few less support tickets.
3.2.6

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6202
Support for borg archive in backups
2022-11-12T19:39:41Z
Jorge Muñoz
Add support for borg archive as backup, this is a must for large file systems where a common backup format would take forever and fill up all space real quick. Borg format is an archive format supporting differential backups and per-file diffs.
3.2.8
Jorge Muñoz

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6206
Interface setting > mail > max backup copies
2021-07-30T13:17:26Z
François GrizzlyDev
Regarding this commit, which enabled to retain up to 30 backup copies (previously limited to 10): aa1eed46b3d03746640a73db6df7d163ba036df3
The goal of this merge request is to add an interface setting in order to limit (below 30) the maximum backup copies (for **email** only), so clients' options would be globally limited when accessing the "Backup" tab.
Before going any further, my guess is to add an [interface setting](https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/CONTRIBUTING.md#interface-settings).
And obviously enforce the limit in the `mail_user.backup_copies` SQL column when this setting is changed. This could be done using some feature such as the setting input "custom" validator, for example: https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/interface/web/admin/form/system_config.tform.php#L224
For this last point especially, I am not sure this is the way to go, comments are welcome!

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6210
periodically force jailkit update
2021-08-31T09:15:39Z
Jesse Norell
It wouldn't hurt to force all jails to update periodically, so eg. changes to sections in jk_init.ini get propagated.
3.2.6
Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6211
Selected PHP Version in Jail
2021-08-18T13:29:54Z
Ghost User
Taken from /etc/jailkit/jk_init.ini:
```
# Debian 10 default php version is 7.3 (Debian 9 is 7.0)
# Todo: set default version in ISPConfig installer,
# but install the php cli version matching the website
```
In this case, should switching the PHP version remove the old PHP version from the jail? To me it looks like that would be hard to implement, considering ISPConfig doesn't remove redundant things (aka sections or applications I removed from System > Server Config > Jailkit that were previously there) from jails after re-syncing shell users.
If this is the specific reason it wasn't implemented yet, I think an easier approach would be including all PHP versions in the jail, and just modify the php (no version number) binaries to be symlinked to the right version like `sudo update-alternatives --config php` does (this command only works outside of the jail).

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6213
Add support for Debian 11
2021-09-07T07:07:44Z
Till Brehm
Add Debian 11 support in ISPConfig.
3.2.6
Till Brehm

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6222
Make reproducible release tarballs
2023-12-03T21:07:13Z
Daniel Jagszent
I check the SHA sum of the ISPConfig tarballs before I install them.
The SHA 256 sum of the 3.2.5 release at https://www.ispconfig.org/downloads/ISPConfig-3.2.5.tar.gz changed from `c071f975e0f570c58fd14f517b4e42e350a2123625650f6365796e416b8242d5` to `b18e992f9ac81acb30e9536f6cff4e6deebf631fc3ec126b897314c4a03891b9`.
That made me suspicious (could have easily been a hack that replaced the original release with a malicious one) – but the two tarballs extract to the very same directory tree (I had the earlier version laying around to check).
Looks like the tarball was re-created recently (maybe to test !1496?). The tar and gzip file format include metadata (like the current PID or the current time) that make two tar+gzip archives of the same directory tree binary different even if they extract to the same directory tree.
Please consider to either
* never ever overwrite a published release (e.g. skip uploading if there is a file with the same name) or
* make the tarballs [reproducible](https://reproducible-builds.org/docs/archives/).
Also, "official" SHA 256 sums in the release blog post would be wonderful :smile:
Daniel Jagszent

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6224
Add DNS api functions for LOC type
2021-09-08T09:46:27Z
Helmo
I noticed that the meta data for the LOC and DS functions was added by mistake ages ago in ecb8fc2c5b3c1b42e15e3e44d287a650ef3b6aa6 but no implementation.
While preparing a MR I noticed that DS functions are already proposed in #6187 so this one just for dns_loc_*
The error I got that triggered me:
`SoapFault: Method dns_ds_add does not exist in SoapClient->__call()`
3.2.6

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6225
Possible Alternative to disable LE check for natted servers.
2021-09-03T08:00:13Z
Chris
As an ISPConfig user that is behind a nat router (I have not yet figured nat hairpinning in cisco routers) I propose the following as an alternative to just disabling the LE check.
Instead, it would be possible to request an external service verify the host/domain is indeed accessible.
How I see this in practice:
Ispconfig > system > server config > ssl > NAT Router (checkbox) (as opposed to disable LE check)
When performing the check, if the NAT box is checked, Call out to verification server.
(It could be a service hosted by ISPConfig but could just as easily be any of the "is this site up" services that have a free user api. (with a quick google, I see that: check-host.net for example has an array of check types that could be used for this.))
Get the result and proceed with cert creation or report back an issue.
In summary:
I believe this approach would be more effective than just disabling the check because it will mean misconfigured hostnames/domains, missing dns or websites, wrong server used for a site, firewall woes and the rest of the usual suspects will not result in a failed cert request to LE.
One or two fails may not be an issue but we know there is a rate limit so whatever we can do to keep the failures from occurring in the first place would be a bonus.
Essentially this will allow ISPConfig to still pre-empt failures and would only affect those that have the NAT configuration set in server configs. For everybody else you can just perform the normal check.
An option in the installer that allows for enabling the option from the outset would be preferable although that would just be a small bonus addition to the overall feature.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6230
Copy email address to clipboard
2022-08-16T11:41:09Z
Helmo
When creating or editing a mail account I sometimes would like to get the email address in my copy/paste buffer.
The patch below adds that in a quick and dirty way.
Is there interest for this?
If so then we can add translation and a better icon...
```patch
diff --git a/interface/web/mail/templates/mail_user_mailbox_edit.htm b/interface/web/mail/templates/mail_user_mailbox_edit.htm
index 170ab15db..93ff6e04d 100644
--- a/interface/web/mail/templates/mail_user_mailbox_edit.htm
+++ b/interface/web/mail/templates/mail_user_mailbox_edit.htm
@@ -12,6 +12,9 @@
<select name="email_domain" id="email_domain" class="form-control" style="height:50px;min-width:170px;">{tmpl_var name='email_domain'}</select>
</div>
</div>
+ <a class="btn btn-default formbutton-narrow" href="javascript: navigator.clipboard.writeText(document.getElementById('email_local_part').value + '@' + document.getElementById('email_domain').value);" title="Copy to clipboard">
+ <span class="icon icon-bulb"></span>
+ </a>
</div>
</div>
<tmpl_if name="enable_custom_login"><div class="form-group">
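Review bot: The added `<a>` runs its logic from `href="javascript: ..."`, which is inline script; a Content-Security-Policy without 'unsafe-inline' blocks it, so the button would stop working if the panel is ever served with such a policy. Prefer a `<button type="button">` with a click handler bound from the interface's JavaScript. `navigator.clipboard` is also only defined in secure contexts, so on a panel reached over plain HTTP the call throws, and the promise returned by `writeText()` is never caught, so a denied clipboard permission gives the user no feedback; check that `navigator.clipboard` exists and handle the rejection. The `title="Copy to clipboard"` string is hard-coded and `icon-bulb` is a stand-in icon, so both should go through the language file and the icon set before this is merged.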
```
3.2.9

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6233
Fix socket path on PHP 7 systems Starts with oldest version
2022-02-28T16:20:34Z
Collin Machine

Basically the "Fix socket path on PHP 7 systems" section of /usr/local/ispconfig/server/plugins-available/apps_vhost_plugin.inc.php is written so that it replaces the socket path of PHP5 for the PHP7 socket paths but if multiple versions of PHP7 exist on the system, it uses the oldest version, as it performs a string replace on the $content variable and the string is no longer found when later PHP7 sockets are found and a replace is attempted.
## Summary
I would assume you'd want the socket for the latest version of PHP7, and possibly PHP8 to be added as well?
## Steps to reproduce
Pretty self-explanatory
## Correct behaviour
Perhaps rewrite to an if/elseif statement, starting with the newest version working backwards, as the other lines are useless if the string replace has already occurred on $content
## Environment
Server OS + version: Ubuntu 20.04
ISPConfig version: 3.2.6
Software version of the related software:
Server version: Apache/2.4.48 (Ubuntu)
Server built: 2021-07-01T19:16:08
PHP 7.4.23 (cli) (built: Aug 26 2021 15:51:37) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.23, Copyright (c), by Zend Technologies
## Proposed fix
I don't know if this is how you want to do it but maybe something like this:
```
// Fix socket path on PHP 7 systems
// Default to false so the final check is safe when no PHP 7 socket exists
$php7_socket = false;
// Probe from newest to oldest; the first socket found wins
if(file_exists('/var/run/php/php7.4-fpm.sock')) {
    $php7_socket = '/var/run/php/php7.4-fpm.sock';
} elseif(file_exists('/var/run/php/php7.3-fpm.sock')) {
    $php7_socket = '/var/run/php/php7.3-fpm.sock';
} elseif(file_exists('/var/run/php/php7.2-fpm.sock')) {
    $php7_socket = '/var/run/php/php7.2-fpm.sock';
} elseif(file_exists('/var/run/php/php7.1-fpm.sock')) {
    $php7_socket = '/var/run/php/php7.1-fpm.sock';
} elseif(file_exists('/var/run/php/php7.0-fpm.sock')) {
    $php7_socket = '/var/run/php/php7.0-fpm.sock';
}
// Replace the PHP 5 socket path once, with the newest socket found
if(!empty($php7_socket)) $content = str_replace('/var/run/php5-fpm.sock', $php7_socket, $content);
```
--- Notice the $php7_socket variable is set to false by default just because if you do decide to add PHP8 to the beginning of this set, it doesn't throw an error for undefined variable.
3.2.8
Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6235
Feature Request LSWS LiteSpeed
2022-11-22T20:08:23Z
Trimilur

Dear developers,
I herewith request litespeed webserver support for ispconfig. LSWS is highly compatible with apache configurations and very performant. It also natively supports HTTP/3 and should be a big benefit to this project.
Regards

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6239
Add ipv6 option for dns_templatezone_add()
2021-12-21T12:23:38Z
Helmo

The remote API is missing the ipv6 option.
3.2.8
Helmo

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6240
Create symlinks for convenience, SFTP user should not land in an empty dir.
2022-01-14T12:01:05Z
Helmo

Title says it all... for some users it's weird to land in an empty directory when connecting via sftp.
I've grown the habit of placing a few symlinks there... MR coming.
3.2.8

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6250
chrooted: localhost not reachable & php mail
2021-12-02T22:23:28Z
Ninos

## Summary
php mail() is not working on chrooted websites (php-fpm), still after changing `SMTP = localhost` to `SMTP = 127.0.0.1` in php.ini-file. localhost is not reachable via chrooted, but that's not the problem with php mail() I think.
## Steps to reproduce
1. Enable chroot-option for website
2. Run example php sendmail script on website
3. Check mail logs
## Correct behaviour
php mail() should also work in chrooted.
## Environment
Server Debian 11 latest
ISPConfig version: 3.2.7p1
## Proposed fix
Open /etc/php/VERSION/fpm/php.ini & change:
```
SMTP = localhost
```
to:
```
SMTP = 127.0.0.1
```
After that I have no more clue (fix for first step) :D

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6258
Purge email from Inbox after X amount of days
2022-01-07T11:47:11Z
Danny

I have a feature request:
I would like to be able to purge email after X amount of days from ISPConfig. I have some monitoring mailboxes that are not maintained, but need some kind of history to be kept until purging it (thus X days).