ISPConfig 3 issueshttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues2022-02-26T17:33:35Zhttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5722Add spam/junk functions from mailbox settings for mailusers2022-02-26T17:33:35ZThomAdd spam/junk functions from mailbox settings for mailusersThese settings should be available for mailusers:
![image](/uploads/5f69417379e7fb07b98ff3727ab857b3/image.png)These settings should be available for mailusers:
![image](/uploads/5f69417379e7fb07b98ff3727ab857b3/image.png)https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6280Make Cron Jobs list template accurate2022-01-27T10:16:30ZDimiMake Cron Jobs list template accurateHi,
I'm not a specialist in filling such requests, however as an IT guy, who manages more than 20 ISPConfig installs, with more than 500 sites on them i would like to add my opinion, which is one of the very often used and very not UI ...Hi,
I'm not a specialist in filling such requests, however as an IT guy, who manages more than 20 ISPConfig installs, with more than 500 sites on them i would like to add my opinion, which is one of the very often used and very not UI friendly done in ISPconfig.
When there are hundreds of CRON jobs - there is no way you can find what you need and check what is where. Huge gabs(paddings) between timings, very small spaces for command and site name, and whats worst - the text of command and sitename is CROPPED! , which makes the list absolutely unreadable and in fact unusable :disappointed:
I suggest -
1. Make filter bar INDEPENDANT of display area - thus you wont need giving that much space for one symbol time/day/week stars/numbers.
2. Squeeze the display area , and make at least 30-40% of space dedicated for the command to be shown fully
3. DO not crop command/website names- better use multiline
I'm sure theres clever people who can suggest how it can be done even better, but this is really one of the functionality which is a "disfunctionality" for now :)
![cron](/uploads/f52a00fb75218a74647aaf14bf0da549/cron.jpg)https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6261MySQL Backup - Add option to allow single-transaction mode for huge InnoDB da...2021-12-10T10:29:07ZJanThielMySQL Backup - Add option to allow single-transaction mode for huge InnoDB databases## Summary (Feature Request)
Running DB Backups on sites with large databases will cause the database being locked for some time and thus make the underlying app not usable.
This is due to the current `mysqldump` command being executed.
...## Summary (Feature Request)
Running DB Backups on sites with large databases will cause the database being locked for some time and thus make the underlying app not usable.
This is due to the current `mysqldump` command being executed.
https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/lib/classes/backup.inc.php#L1216
For sites only having InnoDB tables MySQL recommends to run mysqldump with `--quick` AND `--single-transaction` for huge databases.
As this flag can lead to inconsistent states when MyISAM used, I would suggest to add this as an option.
## Steps to reproduce
1. Enable the DB backup on a huge DB
2. Check the sites at the time of the DB dump, they will be unresponsive due to the locked database as long as `mysqldump` run
## Correct behaviour
The DB dump should not effect the websites uptime
## Proposed fix
1. Add a "Huge Database?" Checkbox to the backup options in the website config
2. If enabled use this command / add `--single-transaction` to the `mysqldump` call
```
$command = "mysqldump -h ? -u ? -p? -c --add-drop-table --create-options --quick --single-transaction --max_allowed_packet=512M " . $mysqldump_routines . " --result-file=? ?";
```
## References
https://serversforhackers.com/c/mysqldump-with-modern-mysql
https://dev.mysql.com/doc/refman/8.0/en/mysqldump.html#option_mysqldump_single-transactionhttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6260Special backup method: "Manifest creator" or "Delegated backup"2021-12-03T18:16:24ZClaude DuvergierSpecial backup method: "Manifest creator" or "Delegated backup"_Note: I know there is an issue to add support for [BorgBackup](https://borgbackup.readthedocs.io) (#6202) to ISPConfig and I must admit I came with the following idea as a workaround to use Borg to backup my ISPConfig setups. But bear w..._Note: I know there is an issue to add support for [BorgBackup](https://borgbackup.readthedocs.io) (#6202) to ISPConfig and I must admit I came with the following idea as a workaround to use Borg to backup my ISPConfig setups. But bear with me to understand how this proposal could help "third party" integration._
When I started using ISPConfig I needed a way to backup my websites (both files and databases) using my own existing scripts but because ISPConfig has built-in various full (id. A to Z) methods for backuping the data it manages there was no way to integrate with other tools/scripts (and I understant why: it was not needed).
Put it simply the situation is:
* ISPConfig knows (using the users' settings/preferences):
* where are the data and how to access them
* how often it must be backuped (backups frequency)
* how long (backups retention)
* My backup scripts knows what to do with files and SQL tables (read, compress, de-duplicate, encrypt, send to remote storage, etc.)
From that, my idea is to make ISPConfig "tell" other systems (an existing well-known tool, a self made script, ...) what the user wants to backup, and hence delegate the backup.
So I suggest the creation of a backup method for both websites files and databases that does not backup, compress nor encrypt anything, it would just create a manifest of what to backup.
For the files of a website, the manifest file would provide:
* Website name (eg. for naming the backups)
* The backup interval (the frequency)
* Number of backup copies (the retention)
* The full/absolute path of the base directory to backup
* The list of paths to exclude (cf. the "Excluded Directories" setting) as full/absolute paths.
For the database, the manifest file would provide:
* Database name (eg. for naming the backups)
* The backup interval (the frequency)
* Number of backup copies (the retention)
* Credentials to connect to the database server (as the backup/read-only user)
The manifest files would be recreated by ISPConfig when backup settings (frequency, retention, paths, databases, credentials, exclusions, etc.) are changed.
Then ISPConfig work is done and it's up to the other system/script to do the job, the way it detects changes to manifest files is not ISPConfig's business.
Some blur zones (non-exhaustive list):
* Backup triggers: I choose to write the backup frequency in the manifest so the backup tool/script can be aware of this frequency and run accordingly (eg. re-schedule itself or run everyday but detect when was the last execution and skip if not needed yet). But I think ISPConfig could trigger the backup, by executing a well-known command (eg. `/usr/bin/ispconfig/delegate-backup.sh /path/to/one/manifest-file`).
* The fact the manifest file will contains the credentials and could be read by other. So I was thinking ISPConfig could write the credentials only when backup must be run and let the backup tool/script delete it.https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6250chrooted: localhost not reachable & php mail2021-12-02T22:23:28ZNinoschrooted: localhost not reachable & php mail## Summary
php mail() is not working on chrooted websites (php-fpm), still after changing `SMTP = localhost` to `SMTP = 127.0.0.1` in php.ini-file. localhost is not reachable via chrooted, but that's not the problem with php mail() I thi...## Summary
php mail() is not working on chrooted websites (php-fpm), still after changing `SMTP = localhost` to `SMTP = 127.0.0.1` in php.ini-file. localhost is not reachable via chrooted, but that's not the problem with php mail() I think.
## Steps to reproduce
1. Enable chroot-option for website
2. Run example php sendmail script on website
3. Check mail logs
## Correct behaviour
php mail() should also work in chrooted.
## Environment
Server Debian 11 latest
ISPConfig version: 3.2.7p1
## Proposed fix
Open /etc/php/VERSION/fpm/php.ini & change:
```
SMTP = localhost
```
to:
```
SMTP = 127.0.0.1
```
After that I have no more clue (fix for first step) :Dhttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4483Allow 32 charactes for user names2021-10-28T06:45:12ZDanielAllow 32 charactes for user namesSince MySQL 5.7.8, user names can be up to 32 characters long.
I have searched on ISPConfig to avoid this limitation with MySQL 5.7.8 or higher, and I found the 16 characters limitation is in file database_user_edit.php, so changing the...Since MySQL 5.7.8, user names can be up to 32 characters long.
I have searched on ISPConfig to avoid this limitation with MySQL 5.7.8 or higher, and I found the 16 characters limitation is in file database_user_edit.php, so changing the limit to 32 is working.
I propose to add a new "Database" tab in "Server Config" to allow decide the ipsconfig administrator to use 16 or 32 characters length, with an information description about supported databases. Default value should be 16.https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3940Add SFTP (via SSH) as (better) alternative to FTP(S) Users2021-09-28T16:32:10ZJens GrohAdd SFTP (via SSH) as (better) alternative to FTP(S) UsersAdd the Option to create an SFTP User instead of having to run pure-ftpd and use this age-old protocol. FTP/S is an OK'ish workaround for secure transmission of data, but having the option to use SFTP for file transfer uploads would be m...Add the Option to create an SFTP User instead of having to run pure-ftpd and use this age-old protocol. FTP/S is an OK'ish workaround for secure transmission of data, but having the option to use SFTP for file transfer uploads would be much better.
SFTP could be used via an addition to the OpenSSH server configuration by adding an option set for a specific group or groups (e.g. sftponly) to force those upload account to only be used for SFTP and not provide a login shell.
As the "webXY" users already exist and point to a directory (/var/www/clients/clientXX/webXY) that is owned by root:root, the requirements for SFTP chrooting are already given. Those SFTP accounts could be created just like the Shell Users function with the exceptions given above.
The following snippet would provide a safe chroot environment
# SFTP Only Users
Match Group sftponly
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
A user (e.g. sftp19_webspace) would just get its homedir (e.g. /var/www/clients/client5/web19) without providing a shell (in /etc/passwd) and would get sftp-only as group so to force the chroot active.
Planned featureshttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2780add ssl support in mysqli db library.2021-09-21T18:11:35ZTill Brehmadd ssl support in mysqli db library.http://php.net/manual/en/mysqli.ssl-set.phphttp://php.net/manual/en/mysqli.ssl-set.php3.3https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5841Limit access to mail tabs via customer template2021-09-07T21:05:00ZMichaelLimit access to mail tabs via customer templateCurrent behaviour is that the access to the mail tabs (filters, autoresponder, backup etc) are controlled by a system-wide configuration option. It would be convenient to manage those via the customer template.Current behaviour is that the access to the mail tabs (filters, autoresponder, backup etc) are controlled by a system-wide configuration option. It would be convenient to manage those via the customer template.https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6225Possible Alternative to disable LE check for natted servers.2021-09-03T08:00:13ZChrisPossible Alternative to disable LE check for natted servers.As an ISPConfig user that is behind a nat router (I have not yet figured nat hairpinning in cisco routers) I propose the following as an alternative to just disabling the LE check.
Instead, it would be possible to request an external se...As an ISPConfig user that is behind a nat router (I have not yet figured nat hairpinning in cisco routers) I propose the following as an alternative to just disabling the LE check.
Instead, it would be possible to request an external service verify the host/domain is indeed accessible.
How I see this in practice:
Ispconfig > system > server config > ssl > NAT Router (checkbox) (as oppose to disable LE check)
When performing the check, if the NAT box is checked, Call out to verification server.
[It could be a service hosted by ISPConfig but could just as easily be any of the "is this site up" services that has a free user api. (with a quick google, I see that: check-host.net for example has an array of check types that could be used for this.)
Get the result and proceed with cert creation or report back an issue.
In summary:
I believe this approach would be more effective than just disabling the check because it will mean misconfigured hostnames/domains, missing dns or websites, wrong server used for a site, firewall woes and the rest of the usual suspects will not result in a failed cert request to LE.
One or two fails may not be an issue but we know there is a rate limit so whatever we can do to keep the failures from occurring in the first place would be a bonus.
Essentially this will allow ISPConfig to still pre-empt failures and would only affect those that have the NAT configuration set in server configs. For everybody else you can just perform the normal check.
An option in the installer that allows for enabling the option from the outset would be preferable although that would just be a small bonus addition to the overall feature.https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2658Enable relay recipient list for clients when transports are allowed2021-08-19T16:22:12ZTill BrehmEnable relay recipient list for clients when transports are allowedEnable relay recipient list for clients when transports are allowed and add a limit in client limits for relay recipients.Enable relay recipient list for clients when transports are allowed and add a limit in client limits for relay recipients.Planned featureshttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6211Selected PHP Version in Jail2021-08-18T13:29:54ZGhost UserSelected PHP Version in JailTaken from /etc/jailkit/jk_init.ini:
```
# Debian 10 default php version is 7.3 (Debian 9 is 7.0)
# Todo: set default version in ISPConfig installer,
# but install the php cli version matching the website
```
In this case, should switch...Taken from /etc/jailkit/jk_init.ini:
```
# Debian 10 default php version is 7.3 (Debian 9 is 7.0)
# Todo: set default version in ISPConfig installer,
# but install the php cli version matching the website
```
In this case, should switching the PHP version remove the old PHP version from the jail? To me it looks like that would be hard to implement, considering ISPConfig doesn't remove redundant things (aka sections or applications I removed from System > Server Config > Jailkit that were previously there) from jails after re-syncing shell users.
If this is the specific reason it wasn't implemented yet, I think an easier approach would be including all PHP versions in the jail, and just modify the php (no version number) binaries to be symlinked to the right version like `sudo update-alternatives --config php` does (this command only works outside of the jail).https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5419white/blacklist using rspamd matches against "smtp from" only2021-08-06T22:55:53ZZakwhite/blacklist using rspamd matches against "smtp from" onlyI'am not sure how this is handled when using amavis, but in rspamd the generated config matches against the "smtp from" - instead of the "header from".\
Althought this might be more precise, a lot of end users don't even have knowledge o...I'am not sure how this is handled when using amavis, but in rspamd the generated config matches against the "smtp from" - instead of the "header from".\
Althought this might be more precise, a lot of end users don't even have knowledge of the smtp from/return-path header and in times of SRS it's pretty much impossible to get a match when not using regex matching anyway.\
Furthermore there is no guarantee that "smtp from" and the "header from" are equal or even using the same domain. Hence the black/whitelisting might not have the desired effect from the end user perspective.
## proposed fix
Since no "or" matching is available in rspamd (at least not between different attributes), a second stanza matching the from header could be introduced:
`header = { "From" = "sender@domain.tld"; }`Jesse NorellJesse Norellhttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6206Interface setting > mail > max backup copies2021-07-30T13:17:26ZFrançois GrizzlyDevInterface setting > mail > max backup copiesRegarding this commit, which enabled to retain up to 30 backup copies (previously limited to 10): aa1eed46b3d03746640a73db6df7d163ba036df3
The goal of this merge request is to add an interface setting in order to limit (below 30) the ma...Regarding this commit, which enabled to retain up to 30 backup copies (previously limited to 10): aa1eed46b3d03746640a73db6df7d163ba036df3
The goal of this merge request is to add an interface setting in order to limit (below 30) the maximum backup copies (for **email** only), so clients' options would be globally limited when accessing the "Backup" tab.
Before going any further, my guess is to add an [interface setting](https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/CONTRIBUTING.md#interface-settings).
And obviously enforce the limit in the `mail_user.backup_copies` SQL column when this setting is changed. This could be done using some feature such as the setting input "custom" validator, for example: https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/interface/web/admin/form/system_config.tform.php#L224
For this last point especially, I am not sure this is the way to go, comments are welcome!https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3794Dovecot SNI support2021-06-25T08:17:14ZNapDovecot SNI supportWith Lets Encrypt, it would be nice to incorporate Dovecot SNI configuration through ISPConfig.
Send and Receive works with my installation across a number of domains when using Outlook 2007 and iPhone4 (iOS7).
My iPhone complains abou...With Lets Encrypt, it would be nice to incorporate Dovecot SNI configuration through ISPConfig.
Send and Receive works with my installation across a number of domains when using Outlook 2007 and iPhone4 (iOS7).
My iPhone complains about the LE certificate, but after accepting it, all mail functions work fine.
My VPS system:
(Ubuntu 14.04 LTS, Kernel 3.15.4-x86_64, Apache 2.4.7, MariaDB Server 5.5.40, MariaDB Client 5.5.41, PHP 5.5.9, ISPConfig 3.0.5.4p8, Webmin, PureFTP & Quota, phpMyAdmin, postfix, dovecot, amavis, clamav, spamassassin, awstats, fail2ban, Jailkit, bind9, vlogger, webalizer)https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6184rspamd: don't use secure_ip2021-06-21T15:47:39ZJesse Norellrspamd: don't use secure_ipWe currently setup rspamd with a password for worker-controller, with secure_ip set to localhost; that is probably fine for a dedicated mail server, but allows access to the controller by all clients for systems which share web and mail ...We currently setup rspamd with a password for worker-controller, with secure_ip set to localhost; that is probably fine for a dedicated mail server, but allows access to the controller by all clients for systems which share web and mail services (eg. single-server), as addresses in secure_ip do not require a password. We should drop the use of secure_ip, and preferably switch to using unix sockets to talk to all rspamd daemons.
Also provide examples of how to configure reverse proxies to connect and authenticate (eg. add a Password header and use unix rather than tcp socket).https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6188Add field for FPM-Chroot Docroot2021-06-21T13:49:21ZPatrick OmlandAdd field for FPM-Chroot DocrootIf Chroot FPM is selected, add a Field for Custom Docroot. When there is detected a Custom Docroot Input change FPM Pool config with new Docroot. Like Openbasedir Field no Input = Change nothing and / Custom Input = Change Docroot in Poo...If Chroot FPM is selected, add a Field for Custom Docroot. When there is detected a Custom Docroot Input change FPM Pool config with new Docroot. Like Openbasedir Field no Input = Change nothing and / Custom Input = Change Docroot in Pool config
See this Thread (German)
https://forum.howtoforge.de/threads/docroot-unter-chroot-fpm.12662/#post-62035https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6171rspamd config errors (harmless) during install2021-06-20T18:53:47ZJesse Norellrspamd config errors (harmless) during installI have a server running amavis, which I'm updating prior to converting to rspamd, however rspamd is installed - during ispconfig update some (harmless) errors showed configuring rspamd, probably due to my current install/config state, bu...I have a server running amavis, which I'm updating prior to converting to rspamd, however rspamd is installed - during ispconfig update some (harmless) errors showed configuring rspamd, probably due to my current install/config state, but can easily be hidden or avoided:
```
Configuring Postfix
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Rspamd
chgrp: cannot access '/etc/rspamd/local.d/worker-controller.inc': No such file or directory
chmod: cannot access '/etc/rspamd/local.d/worker-controller.inc': No such file or directory
Configuring Getmail
...
```https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6170Always log a warning/error when LE + SSL is disabled because of a failure2021-05-20T19:16:21ZThomAlways log a warning/error when LE + SSL is disabled because of a failureCurrently, a warning is logged if the Let's Encrypt check is enabled (default behaviour) and it couldn't create the cert. But when there is a setting roll back, it is not logged. See the discussion on #5042Currently, a warning is logged if the Let's Encrypt check is enabled (default behaviour) and it couldn't create the cert. But when there is a setting roll back, it is not logged. See the discussion on #5042https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4846Integrate Cloudflare & StopTheHacker website Addition2021-05-20T14:24:44ZRich StarkieIntegrate Cloudflare & StopTheHacker website AdditionIs it possible to add in the ability to add a website (and automatically configure dns) to cloudflare and/or stopthehacker naturally only free plan sites could be added.
An API is available, I assume, as the facility is available in t...Is it possible to add in the ability to add a website (and automatically configure dns) to cloudflare and/or stopthehacker naturally only free plan sites could be added.
An API is available, I assume, as the facility is available in the likes of cPanel and PleskPlanned features