ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
Updated: 2024-03-29T11:07:16Z

Add support for Ubuntu 24.04
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6673
Updated: 2024-03-29T11:07:16Z
Author: Till Brehm
Add changes to ISPConfig that are needed to support Ubuntu 24.04.
Milestone: 3.2.12

security.txt
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6665
Updated: 2024-03-15T12:15:01Z
Author: Steffan Noord
Request to adopt security.txt to the panel
The idea is to add a default security.txt to the .well-known folders of all domains, and clients can edit it in the panel
https://www.rfc-editor.org/rfc/rfc9116

Detect and add new IP addresses to ISPConfig
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6655
Updated: 2024-02-26T11:14:52Z
Author: Hairy
## Summary
On the very first and only the very first install of ISPConfig, the installer will detect and add the IP addresses of the server.
After installing ISPConfig, I have added additional IP addresses to the server.
After recently updating ISPConfig to the latest version, my new IP addresses were not added to ISPConfig.
ISPConfig should be able to scan for new IP addresses and add them to ISPConfig.
This single feature should be available from at least three places.
Additionally, I think you should be asked whether you want to scan for server IP addresses to add when installing and updating ISPConfig.
Currently, the installer forces you to add the new IP addresses whether you want to or not.
First, the feature should be fixed in the file /install/install.php, directly above the Restarting services section.
Second, the feature should be added to the file /install/update.php, directly above the Restarting services section.
Third, the feature should be added to the ISPConfig admin interface, under System->Server IP Addresses, with a new button labeled "Detect and Add New IPs."
## Proposed fix
I think I can fix this by changing or implementing the following code in the /install/install.php and /install/update.php files:
```
// Detect and add server IP addresses to ISPconfig
$detect_ips_answer = $inst->simple_query('Detect and add server IPs to ISPConfig?', array('yes', 'no'), 'no','detect_ips');
if($detect_ips_answer == 'yes') {
    swriteln('Detecting IP addresses');
    $inst->detect_ips();
}
```
I think the field server_ip.ip_address should be changed to unique to prevent duplicate entries.
Perhaps in time, I can offer more information for the button in the admin interface.
Maybe someone else can push a commit for the button before I can get to it.
## Environment
ISPConfig 3.2.11p2
Debian 11
## Related log entries
issue-fix-detect-ips-on-install
issue-add-detect-ips-on-update
issue-add-detect-ips-sysadmin-button

Parse options from php.ini settings to php pool file directly
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6649
Updated: 2024-02-13T16:54:44Z
Author: Kreso Pendic
Milestone: 3.2.12

Wrong CNAME DNS Validation
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6627
Updated: 2024-01-10T07:04:45Z
Author: teuto.net
The current cname validation only checks if there is already an entry with the same name.
There is no validation for DNS entries like name.origin.
Assignee: teuto.net

Mirror server IP not automatically added to database Remote Access IPs list
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6626
Updated: 2024-01-09T19:17:02Z
Author: Helmo
The webserver's IP is auto added to the list of Remote Access IPs when the database is not on the same host.
However when that host has a mirror server those IPs are not added. MR incoming ...
It annoyed me that a huge chunk of code was duplicated there so I first created #6625
Assignee: Helmo

De-duplicate onBeforeUpdate and onBeforeInsert in database_edit.php
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6625
Updated: 2024-01-09T19:17:19Z
Author: Helmo
It annoyed me that a huge chunk of code was duplicated between onBeforeUpdate() and onBeforeInsert() in database_edit.php, and a few subtle differences had already crept up... bugs.
E.g. on Insert we were not checking if a database_user was filled in, but in the update method we call an error database_user_missing_txt for it.
Assignee: Helmo

LDAP Access feature request
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6623
Updated: 2023-12-27T08:51:18Z
Author: Imad Daou
Dear ISPConfig Team,
Is there a way to have ISPConfig work with LDAP the way OPNSense does?
https://docs.opnsense.org/manual/how-tos/user-ldap.html
That would be great, this way we can have Enterprise LDAP platform like Active directory use ISPConfig for mailboxes; I strongly believe ISPConfig can do great at the enterprise level, especially if AD users can use ISPConfig for mailboxes.
Thank you!

Restart memcached after a backup restore
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6620
Updated: 2023-12-10T16:24:09Z
Author: Sergio
Hi,
Working on WordPress (but I assume it's happening on other applications) it happens that when I restore from a backup, some options remain in the state before the restore. This happens because the old data is still in memcached (if enabled). So I believe that after restoring a backup ISPConfig should automatically restart memcached so that the queries left in memory are deleted. If possible, it would also be good to have some sort of feedback when the restore is complete.
Thank you for all your great work.

Show DKIM status when editing mail_domain
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6617
Updated: 2024-03-26T09:51:12Z
Author: Helmo
Similar to #6539 I would like to show the user what the DKIM dns status is. E.g. if the dns record is resolving OK.
This should also help to detect copy/paste errors when using external DNS.
The OK state:
![image](/uploads/4554cceb7f7f5c02aa2da8360fc9db0f/image.png)
For a not added to DNS state:
![image](/uploads/adebce3ce00ab90f362f5109eb80a095/image.png)
For a failure scenario:
![image](/uploads/442b3b21d636873ca3541c9ceae19c4e/image.png)
This icon might be a bit too subtle? Thoughts?
Assignee: Helmo

Question for creating SSL cert when updating
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6616
Updated: 2023-12-03T21:37:14Z
Author: Thom
* Set default to no when updating (always)
* Fix format: `Do you want to create SSL certs for your server? (yes,no) [no]:` instead of `Do you want to create SSL certs for your server? (y,n) [y]:`
Milestone: 3.2.12
Assignee: Thom

Add New Prefix Type CUSTOMERNO
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6615
Updated: 2023-12-03T16:44:36Z
Author: Christopher Kaschig
\[This is a feature request but even with following the link 'http://bugtracker.ispconfig.org/index.php?do=newtask&project=3&task_type=2' I am not able to get a non-issue ticket inserted here - sorry\]
I know / assume I could remove the prefixes in whole by modifying the FTP user prefix (eg) in the Main Config. But I am a fan of automatisms, as they reduce faulty input.
For this I would like to suggest - in addition to existing 'CLIENTNAME', 'CLIENTID', 'DOMAINID' - a new prefix key 'CUSTOMERNO', which replaces the keyword \[CUSTOMERNO\] by the customer number of the current selected (or user assigned) client.
Following changes work for me, but I would really prefer if this could be adjusted to fit into ISPConfig development best practices:
\[modifying **/interface/lib/classes/tools_sites.inc.php**\]
\[line 37\]
old:
```plaintext
$keywordlist=array('CLIENTNAME', 'CLIENTID', 'DOMAINID');
```
new:
```plaintext
$keywordlist=array('CLIENTNAME', 'CLIENTID', 'DOMAINID', 'CUSTOMERNO');
```
\[line 40 foreach added case\]
```plaintext
case 'CUSTOMERNO':
    $name=str_replace('['.$keyword.']', $this->getCustomerNo($dataRecord), $name);
    break;
```
\[new\]
```plaintext
function getCustomerNo($dataRecord) {
    global $app, $conf;
    $clientId=$this->getClientID($dataRecord);
    if ($clientId == '[CLIENTID]') {
        return '[CUSTOMERNO]';
    } elseif ($clientId == '') {
        return 'default';
    }
    $tmp = $app->db->queryOneRecord("SELECT customer_no FROM client WHERE client_id = ?", $clientId);
    $customerNo = $tmp['customer_no'];
    if ($customerNo == '') $customerNo = 'default';
    $customerNo = $this->convertCustomerNo($customerNo);
    return $customerNo;
}
```
\[new - duplicated from function convertClientName for further flexibility, not necessarily needed to be a separate function\]
```plaintext
function convertCustomerNo($customerNo){
    $allowed = 'abcdefghijklmnopqrstuvwxyz0123456789_';
    $res = '';
    $customerNo = strtolower(trim($customerNo));
    for ($i=0; $i < strlen($customerNo); $i++){
        if ($customerNo[$i] == ' ') continue;
        if (strpos($allowed, $customerNo[$i]) !== false){
            $res .= $customerNo[$i];
        }
        else {
            $res .= '_';
        }
    }
    return $res;
}
```

Make website http and https port configurable for Apache servers
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6609
Updated: 2023-11-19T17:48:23Z
Author: Till Brehm
The website ports are already configurable for Nginx on the options tab. This request is to port this feature to the Apache plugin too.
Milestone: 3.2.12

Set account in certbot if multiple accounts are present
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6608
Updated: 2023-11-18T12:44:55Z
Author: Till Brehm
https://forum.howtoforge.com/threads/playing-with-debian-12-some-issues.91311/page-3
Milestone: 3.2.12

Enhance ssh keys textarea with Javascript
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6604
Updated: 2024-03-27T14:27:09Z
Author: Helmo
With multiple (or long) ssh public keys the textarea to enter them for SSH/SFTP account is not ideal.
What about a Javascript enhancement?
![image.png](/uploads/3810a8d251c01cfa6d740a19686f3d59/image.png)
![image.png](/uploads/e0571a587a15e081bad5852b39130c83/image.png)
Patches to improve e.g. the styling are very welcome ;)

Add a post-update hook script
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6602
Updated: 2023-11-09T09:40:17Z
Author: Till Brehm
Add a script that runs after an ISPConfig update to make customizations easier.
Milestone: 3.2.12
Assignee: Till Brehm

Unify, validate and/or robustly parse autoinstall.ini syntax
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6601
Updated: 2023-11-09T08:05:27Z
Author: Johan Ehnberg
## Summary
Currently the syntax of autoinstall.ini varies especially for yes/no statements. This can be seen in the example file: https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/docs/autoinstall_samples/autoinstall.ini.sample?ref_type=heads. Currently the value is also not validated.
Looking at the code, it is also likely that syntax mistake failures vary; I stumbled on one mistake that caused a silent hang.
## Example failing case:
```
echo "reconfigure_permissions_in_master_database=n" >> autoinstall.ini
php -q update.php --autoinstall=autoinstall.ini
<hangs forever with php process at 100% CPU>
```
The fix was obviously to instead declare `reconfigure_permissions_in_master_database=no` (note last character) but it took quite long to figure that out.
## Suggested approaches
Any combination of:
- Unify syntax
- Add validator function
- Pre-parse using the common [Yy]* and [Nn]* approach

Support for SVCB and HTTPS DNS types (for HTTP/3)
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6600
Updated: 2023-11-04T08:31:40Z
Author: Till Brehm
Bind9 and PowerDNS are supporting SVCB and HTTPS types in the last years.
- Bind9 -> from 9.16.21 (minimum: Ubuntu Jammy)
- PowerDNS -> from 4.4.x (minimum: Ubuntu Jammy)
Nginx is supporting HTTP/3 in the last mainline versions (will be default in stable in weeks or months).
https://forum.howtoforge.com/threads/support-for-svcb-and-https-dns-types-for-http-3.91390/

Feature Request: Option to automatically renew DKIM (for improved plausible deniability)
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6594
Updated: 2023-10-21T18:45:21Z
Author: Abacop UG
After reading an article of the magazine c't (https://www.heise.de/select/ct/2023/24/2325412023268630029 or https://www.heise.de/ratgeber/Kaputt-und-unersetzbar-So-steht-es-um-das-dezentrale-System-E-Mail-9328711.html) I realized that it would be great if ISPConfig would have an option to automatically renew the DKIM-keys after publishing the old private keys (for example by loading them into a specific directory or by forwarding them to a script that does the rest).
Since the linked articles are behind a paywall, here is a quote (translated from German) of the relevant parts that led to this feature request:
> Not my mail!
>
> Some innovations that were bolted onto SMTP bring unforeseen side effects. One of these is a rather little-known property of DKIM, "Domain Keys Identified Mail".
>
> [...]
>
> To grasp the problem that this server-side signature causes, you have to think one step further: in this scheme the user has no control whatsoever over whether a message is signed with DKIM. As soon as he has the mail sent via the server, it contains cryptographic proof that it was sent by a server he uses. If the mail later becomes public, it is damned hard for him to credibly deny that he wrote it. Security researchers call this desirable property of a system "plausible deniability". Because as soon as mails contain DKIM headers, it is damned attractive for attackers to capture and publish mailboxes, for example those of politicians and celebrities. Verifying that the contents really were sent by a mail server and are not crude forgeries is easy thanks to DKIM. For such cases the investigative team at Associated Press has even built an open-source tool (see ct.de/ybrc). In 2020 it hit Hunter Biden, the son of US President Joe Biden, who had to watch experts confirm by means of DKIM that leaked mails are authentic because they are signed.
>
> How do you get around this problem?
> For that, the operators of mail servers would first have to acknowledge the problem as a problem. What would help against the lack of deniability is a simple automatism: if it automatically swaps the key pair every few months, stores a new public key in DNS and shortly afterwards publishes the old private key for all the world, the later proof of authenticity is gone. Anyone could then have forged and signed the message. Publishing the key afterwards does not endanger the function of DKIM, however, because the key only has to be secret at the moment of sending.

Rspamd config overrides for rbl_group.conf & surbl_group.conf
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6587
Updated: 2023-12-02T10:25:28Z
Author: Zak
In ISPConfig up to 3.2.11 two overrides for rspamd are generated. Namely rbl_group.conf & surbl_group.conf.
These files render the stock "scores" and local configuration useless, since it actively overwrites the whole config from scores.d/rbl_group.conf & scores.d/surbl_group.conf - and even more problematic it ignores the config under local.d.
I consider this a bug, since it interferes with stock and a possibly present custom configuration as well.

I do see, that a couple of symbols were scored down, a lot of symbols were removed and only three were added (RBL_SPAMHAUS_XBL_ANY, RAMBLER_URIBL & RAMBLER_EMAILBL).

I can only guess that this is a remnant from the introduction of rspamd support.

Please remove the generation of the overrides. It's the admin's job to get the scores right and customize the spam protection.
Milestone: 3.2.12
Assignee: Thom