ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
Updated: 2021-12-21T12:23:38Z

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6239
Add ipv6 option for dns_templatezone_add()
Updated: 2021-12-21T12:23:38Z
Author: Helmo

The remote API is missing the ipv6 option.

Milestone: 3.2.8
Assignee: Helmo

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5889
Place reject_rbl_client after permit_sasl_authenticated in postfix config
Updated: 2021-12-21T12:16:10Z
Author: Helmo

After updating a mailserver to 3.2 I noticed that some users were being `blocked using zen.spamhaus.org;` on their authenticated smtp connection.
It looks like the whole subnet of that access provider is on the Spamhaus list.
I've now changed it manually in the main.cf, to place permit_sasl_authenticated before the rbl check.
The patch below probably does that for future updates. If you agree I can make a MR that also changes it in the non-debian variants.
```patch
diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master
index b75232e6e..dcd5f592d 100644
--- a/install/tpl/debian_postfix.conf.master
+++ b/install/tpl/debian_postfix.conf.master
@@ -28,7 +28,7 @@ proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virt
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, {reject_unknown_helo_hostname}, permit
smtpd_sender_restrictions = {reject_aslm} check_sender_access regexp:{config_dir}/tag_as_originating.re, permit_mynetworks{reject_slm}, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:{config_dir}/tag_as_foreign.re, check_sender_access proxy:mysql:{config_dir}/mysql-virtual_sender.cf
-smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks{rbl_list}, permit_sasl_authenticated, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
+smtpd_client_restrictions = check_client_access proxy:mysql:{config_dir}/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated{rbl_list}, reject_unauth_pipelining {reject_unknown_client_hostname}, permit
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_client_message_rate_limit = 100
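Review bot: on the new `smtpd_client_restrictions` line, `{rbl_list}` is now attached to `permit_sasl_authenticated` with no separator, so the result is only valid if the placeholder expands with its own leading comma (as it had to when attached to `permit_mynetworks`); worth confirming against the code that fills it, including the empty-list case. Only `install/tpl/debian_postfix.conf.master` is touched here, so the other distribution templates keep the RBL check ahead of `permit_sasl_authenticated` until they get the same reordering. A short comment or release note that authenticated clients now bypass the RBL lookup would help admins who maintain a custom copy of this template.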
```

Milestone: 3.2.8

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4792
rfe: lmtp for amavis and dovecot
Updated: 2021-11-29T11:48:58Z
Author: Jesse Norell

rfe: use lmtp to send mail to amavis and final delivery to dovecot. This gives both services the ability to reply with a dsn for each recipient (improves delivery), and is a little more efficient (not much different for amavis, but dovecot saves a fork/exec for every message).
## Changes required
Required config changes are quite simple, in current (eg. 3.1.6) config for postfix + dovecot to send to amavis via lmtp you simply need these in main.cf:
```
lmtp_data_done_timeout = 1200
lmtp_send_xforward_command = yes
```
Then change the `amavis` transport name to `lmtp` in the 'tag_as_*.re' files:
```
sed -i s/amavis/lmtp/g /etc/postfix/tag_as_*.re
```
The dovecot config is in /etc/dovecot/dovecot.conf:
```
protocols = imap pop3 lmtp <---- line #2
lmtp_rcpt_check_quota = yes <---- new
```
And in main.cf change `virtual_transport = lmtp:unix:private/dovecot-lmtp`.
You can then remove the `dovecot` and `amavis` transports in master.cf.

Milestone: 3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6224
Add DNS api functions for LOC type
Updated: 2021-09-08T09:46:27Z
Author: Helmo

I noticed that the meta data for the LOC and DS functions was added by mistake ages ago in ecb8fc2c5b3c1b42e15e3e44d287a650ef3b6aa6 but no implementation.
While preparing a MR I noticed that DS functions are already proposed in #6187 so this one just for dns_loc_*
The error I got that triggered me:
`SoapFault: Method dns_ds_add does not exist in SoapClient->__call()`

Milestone: 3.2.6

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5732
Limit email backup tab through client limits
Updated: 2021-09-07T08:21:17Z
Author: Thom

Add option to enable/disable the email backup tab through the backup templates, either with a checkbox or a limit and when set to 0, hide it.
Based on discussion at !451

Milestone: 3.2.6
Assignee: Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6213
Add support for Debian 11
Updated: 2021-09-07T07:07:44Z
Author: Till Brehm

Add Debian 11 support in ISPConfig.

Milestone: 3.2.6
Assignee: Till Brehm

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6167
rspamd: enable arc signing
Updated: 2021-08-31T09:16:05Z
Author: Jesse Norell

RFE: enable ARC signing in rspamd. With the current rspamd options/implementation I would only enable signing for incoming mail (not authenticated or local), selecting the domain from the recipient addr - these are all default settings in modules.d/arc.conf - and simply point the selector map and key path map to the same as used for dkim signing.

Milestone: 3.2.6
Assignee: Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6191
improve letsencrypt renew hook
Updated: 2021-08-31T09:15:59Z
Author: Jesse Norell

Change the letsencrypt renew hook to allow a custom script to run in addition to (rather than just instead of) the default one. The pre and post hooks already do this.
https://www.howtoforge.com/community/threads/hook-evolution-for-ispconfig-le-renewal.87185/

Milestone: 3.2.6
Assignee: Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6198
clarify "ISPConfig v2 detected" message
Updated: 2021-08-31T09:15:48Z
Author: Jesse Norell

Clarify the "ISPConfig v2 detected" message, perhaps a few less support tickets.

Milestone: 3.2.6

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6210
periodically force jailkit update
Updated: 2021-08-31T09:15:39Z
Author: Jesse Norell

It wouldn't hurt to force all jails to update periodically, so eg. changes to sections in jk_init.ini get propagated.

Milestone: 3.2.6
Assignee: Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6130
Remove APS Installer limit from limit-Template
Updated: 2021-05-26T22:07:30Z
Author: Jaldeep Ladola

There is non use APS Installer Limit from limit-Template.

Milestone: 3.2.5
Assignee: Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6155
Change OS update function from aptitude to apt
Updated: 2021-05-26T22:07:30Z
Author: Till Brehm

The OS update function currently uses aptitude to install the updates.
We should change that to apt command.

Milestone: 3.2.5
Assignee: Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6160
Update readme.md
Updated: 2021-04-26T07:38:22Z
Author: Thom

Milestone: 3.2.5
Assignee: Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4961
Locking a user through the API should also deactivate their services
Updated: 2021-04-25T15:30:19Z
Author: Ghost User

In https://git.ispconfig.org/ispconfig/ispconfig3/issues/1159 a feature was implemented which meant that 'locking' a client would also de-activate all their services (website, ftp user, mail, ...). Locking a client through the API does not do this. Perhaps this is expected behaviour, since the 'locked' and 'canceled' attributes are not documented in `/remoting_client/API-docs/client_update.html`. But imho the API should mimic the web interface behaviour here, so that means:
- document parameters 'locked' and 'canceled' in /remoting_client/API-docs/client_update.html
- when locking a client, also deactivate all their stuff
- when unlocking a client, also activate all their stuff
@tbrehm if you agree, I could send a PR

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6088
Hide relay options per mail domain by default
Updated: 2021-04-08T19:15:29Z
Author: Thom

Hide the settings for a relay host by default - it clutters the UI and most users won't use it.
enable them through main config / server config / client limits

Milestone: 3.2.3
Assignee: Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6027
rspamd: redis server and password fields
Updated: 2021-03-31T19:48:28Z
Author: Jesse Norell

Add 4 fields for the redis server and password when using rspamd, the default redis server/password and bayes redis/password (which uses default if unspecified).
This allows specifying unix sockets to talk to the redis server, as well as a password. Having the second optional parameters for bayes allows using a second redis instance with a memory limit to cap the growth of bayes data without evicting non-bayes keys which would happen if using a single redis instance.

Milestone: 3.2.4
Assignee: Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6120
Run wget and tar quietly on update
Updated: 2021-03-31T19:47:38Z
Author: Thom

Don't show the output of wget and tar of the ISPConfig release when running the update script
```
--2021-03-23 15:33:41-- https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
Resolving www.ispconfig.org (www.ispconfig.org)... 2606:4700:20::681a:bf6, 2606:4700:20::ac43:4b70, 2606:4700:20::681a:af6, ...
Connecting to www.ispconfig.org (www.ispconfig.org)|2606:4700:20::681a:bf6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4024765 (3.8M) [application/octet-stream]
Saving to: ‘ISPConfig-3.tar.gz’
ISPConfig-3.tar.gz 100%[=================>] 3.84M --.-KB/s in 0.07s
2021-03-23 15:33:41 (55.8 MB/s) - ‘ISPConfig-3.tar.gz’ saved [4024765/4024765]
ispconfig3_install/.phplint.yml
ispconfig3_install/server/
etc
```

Milestone: 3.2.4
Assignee: Thom

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6117
Highlight offline services in table
Updated: 2021-03-25T21:17:35Z
Author: Helmo

A bit of color could help here to directly see which services are marked as offline.
![Selection_309](/uploads/1d71c69dc50a03b76e17a1ab0fb81a3a/Selection_309.png)
![Selection_308](/uploads/d748617a573d141a9626770722a7137e/Selection_308.png)

Milestone: 3.2.4
Assignee: Helmo

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6094
Ignore postfix_custom and dovecot_custom config files in conf-custom check
Updated: 2021-03-10T12:52:09Z
Author: Thom

Ignore postfix_custom and dovecot_custom config files when checking if there are custom config.
Maybe add a separate warning "You are using custom config for Postfix and Dovecot. Make sure your template does not interfere with breaking changes (usually noted in the release notes)"

Milestone: 3.2.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6061
Certbot: Improve predictability of output certificate (use --cert-name instea...
Updated: 2021-03-10T12:51:41Z
Author: JanThiel

## short description
Currently it is mere "luck" which domain will be the "primary" domain for certbot. This will lead to situations, where the LE config file in /renewal/ as well as the certs in /archive/ and /live/ are named "c.tld(.conf|.pem)" when requesting a certificate for a site with the domain "a.tld" containing sub- or alias domains for "b.tld", "b.a.tld" or "c.tld".
We have numerous cases where the same single vhost gets config files and cert files named with one of the additional domains. In addition to that the publicly displayed primary domain of the cert is one of the additional ones. This happens on newly requesting certs, renewing them and just updating them when e.g. adding or removing alias domains.
For instance today we cleaned up 8 stale LE configs and certs for the one primary vhost / site. Those were named "a.tld-0001", "a.tld-0002", "b.tld", "c.tld", "x.a.tld", and so on ...
After deleting **all** of them and creating a brand new LE cert + configs the config and cert file is off again. Instead of the expected "a.tld.conf" and "/live/a.tld/..." + "/archive/a.tld/..." it's all based on the **last** additional domain from the certonly cmd.
## correct behaviour
The primary domain should be the domain of the vhost site. All subdomains, aliases and such should only be added as additional domains. The config as well as the cert files should be named with the primary domain. Also deleting alias or subdomains should update the existing certificate config and file instead of creating new ones.
From the Docs:
```
Consider using --cert-name instead of --expand, as it gives more control over which certificate is modified and it lets you remove domains as well as adding them.
```
## environment
Server OS: centos
Server OS version: centos7
ISPConfig version: 3.2.2
Certbot: 1.11.0
## proposed fix
There are two issues in the current code I stumbled upon refactoring the LE code to allow Mirror Server SSL to work:
1. The certbot call lacks the `--cert-name` option. Thus certbot tries to guess internally which domain to use as primary domain. This can easily be solved supplying the `--cert-name` option with the primary domain.
2. The current code adds the **last** supplied domain name as the host for the mail address. Haven't checked out whether this has any impact on the certbot guessing, but still I do not think that this is intended.
```
/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@test2.domain.tld --cert-name=test2.domain.tld --webroot-map '{"test.domain.tld":"/usr/local/ispconfig/interface/acme","test2.domain.tld":"/usr/local/ispconfig/interface/acme","test3.domain.tld":"/usr/local/ispconfig/interface/acme"}'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for test.domain.tld and 2 more domains
Performing the following challenges:
http-01 challenge for test2.domain.tld
http-01 challenge for test3.domain.tld
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/test2.domain.tld/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/test2.domain.tld/privkey.pem
```
## references
https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/server/lib/classes/letsencrypt.inc.php#L165

Milestone: 3.2.3