ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
2020-07-22T12:48:28Z

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5368
Apache SSL settings in vhost.conf.master outdated. (disable TLSv1-1.1 enable TLSv1.3)
2020-07-22T12:48:28Z
ThCTLo

The current Apache SSL settings are outdated.
TLSv1 TLSv1.1 should be disabled, we should NOT respect outdated systems.
The following settings allow TLSv1.2 and TLSv1.3 on Debian Buster with letsencrypt enabled sites.
Resulting in A+.
```
<tmpl_if name='ssl_enabled'>
SSLEngine on
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLCipherSuite 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Optional add : SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/apache-dhparams.pem"
SSLOptions +StrictRequire
<IfModule mod_headers.c>
Header always add Strict-Transport-Security "max-age=15768000"
</IfModule>
```
For an A+ you must enable: Strict Transport Security (HSTS).
These result in A+ 100 100 90 90 on ssllabs.com
Cipher Suites
# TLS 1.3 (suites in server-preferred order)
TLS_AES_128_GCM_SHA256 (0x1301) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_AES_256_GCM_SHA384 (0x1302) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH x25519 (eq. 3072 bits RSA) FS 256
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 4096 bits FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits FS 256
Sidenote on the TLS ciphers.
I've set the 128bit before the 256 to gain performance and reduce load.
If you prefer strongest first, use:
```
SSLCipherSuite 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256'
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
```
Not supported.
IE 11 / Win Phone 8.1 R Server sent fatal alert: handshake_failure
Safari 6 / iOS 6.0.1 Server sent fatal alert: handshake_failure
Safari 7 / iOS 7.1 R Server sent fatal alert: handshake_failure
Safari 7 / OS X 10.9 R Server sent fatal alert: handshake_failure
Safari 8 / iOS 8.4 R Server sent fatal alert: handshake_failure
Safari 8 / OS X 10.10 R Server sent fatal alert: handshake_failure
# Not simulated clients (Protocol mismatch)
Android 2.3.7 No SNI 2 Protocol mismatch (not simulated)
Android 4.0.4 Protocol mismatch (not simulated)
Android 4.1.1 Protocol mismatch (not simulated)
Android 4.2.2 Protocol mismatch (not simulated)
Android 4.3 Protocol mismatch (not simulated)
Baidu Jan 2015 Protocol mismatch (not simulated)
IE 6 / XP No FS 1 No SNI 2 Protocol mismatch (not simulated)
IE 7 / Vista Protocol mismatch (not simulated)
IE 8 / XP No FS 1 No SNI 2 Protocol mismatch (not simulated)
IE 8-10 / Win 7 R Protocol mismatch (not simulated)
IE 10 / Win Phone 8.0 Protocol mismatch (not simulated)
Java 6u45 No SNI 2 Protocol mismatch (not simulated)
Java 7u25 Protocol mismatch (not simulated)
OpenSSL 0.9.8y Protocol mismatch (not simulated)
Safari 5.1.9 / OS X 10.6.8 Protocol mismatch (not simulated)
Safari 6.0.4 / OS X 10.8.4 R Protocol mismatch (not simulated)
While running this, enable website redirection for Protocol mismatches to a landing page saying that the current browser/OS version is marked as insecure and not supported.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5329
Cannot create a SPF dns entry for a subdomain
2020-05-26T14:41:25Z
Justin

Now that SPF records are not managed as regular TXT records, I encounter the limitation to add SPF records for a subdomain/hostname other than the APEX.
Tested in 3.1.13
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5222
Automatic (BIND native) slave zones
2020-09-25T22:30:23Z
Blonďák

I wrote a skeleton of bind_slave_plugin, which utilizes RNDC to create slave zones on non-ispconfiged servers: [bind_slave_plugin.php](/uploads/90d24f2da2b2f8626023ec2d9bac4bf2/bind_slave_plugin.php). I have no idea how to configure slave servers in ISPCONFIG, so they are hardcoded, but if someone knows how to wire it with ispconfig, feel free to use this plugin.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5194
Add checkbox to turn on/off admin protection for websites
2020-08-17T21:46:36Z
Till Brehm

Add checkbox to turn on/off admin protection for websites on the options tab of the website.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5135
add option to upload / change the logo
2020-08-16T11:23:45Z
Florian Schaal

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5071
OpenSuSE and apparmor expect dovecot certs to be in /etc/ssl/private
2020-09-08T16:05:47Z
Marc Chamberlin

## short description
ISPConfig setup script expects SSL certs to be in /etc/postfix but apparmor prevents dovecot from reading them in that directory.
## correct behaviour
The certificates should be placed by ISPConfig.sh in /etc/ssl/private. By default apparmor allows dovecot read access there.
## environment
Server OS: OpenSuSE
Server OS version: Leap 42.3
ISPConfig version: 3.1.12
If it might be related to the problem
```
insert the output of `nginx -v` or `apachectl -v` here
apachectl -v
Server version: Apache/2.4.23 (Linux/SUSE)
Server built: 2018-05-07 12:56:20.000000000 +0000
insert the output of `php -v` here
php -v
Created directory: /var/lib/net-snmp
Created directory: /var/lib/net-snmp/cert_indexes
Created directory: /var/lib/net-snmp/mib_indexes
PHP 5.5.14 (cli)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
```
## proposed fix
## references
see https://www.howtoforge.com/community/threads/dovecot-doesnt-like-the-smtpd-cert-file-for-some-reason.79325/
## screenshots
## log entries

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5036
add features: node.js, django
2020-12-13T12:06:51Z
brody

if you add node.js and django integration, it will make ispconfig very popular :)

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4873
Add ability to select which services should be mirrored
2020-09-25T21:58:09Z
Baptiste Velan 2447-Batman@users.noreply.git.ispconfig.org

It would be great if we could select which services to mirror on a slave server.
Is mirror of Server?
then a select services option: like DNS - so we could only replicate DNS or anything else we need
Would that be possible to implement?!
![ispconfig-git](/uploads/37cfd81ee475143a2baf0bdb5aabff62/ispconfig-git.jpg)

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4826
Add neutral gender option for clients / Title
2021-01-09T21:55:49Z
Andreas Speck

At present while not a required entry, if you want to add a title for a client, you only have the options Mr./Ms.. This is exclusive of non-binary identified people, and it would be good to add Mx (see https://en.oxforddictionaries.com/definition/mx), which in the database could be represented as an 'x'.
Another option would be to turn title (or salutation) into a free text field, but that might be more complex in a multi-lingual environment.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4823
Feature request : Semi-Automatic dns records
2020-12-26T10:06:13Z
Rich Starkie

Hi @tbrehm at team,
I was wondering how feasible it would be to somewhat automate the DNS record creation
Naturally records would be easily changeable on the DNS tab
Eg create a website, checks for dns record, if not found automatically a dns record is created, but only with A records + standard entries (ie no mail)
Create a mail domain, checks for dns record, if not found creates record same as above but no www / A records only mail. and MX + standard entries of course. If DNS is found it adds to that record

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4727
Add total web and mail client quota to dashboard
2019-08-22T12:21:21Z
Julian

If there is a web and/or mail quota set for a client this should be visible to the client on the dashboard.
Maybe this could be added to the "Account limits" table.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4715
Show last email login
2020-08-18T17:48:31Z
Julian

Can you please add a column for the last login of a mail account to the mail account overview? It would help a lot to find dead mailboxes and with customer support ("i don't get any new mails" - "yep, no surprise, your last login was 2 weeks ago, is google.com also unavailable for you?") ;-)
It should not be much work with the Dovecot plugin and an extra column in the mysql mail_user table.
https://wiki2.dovecot.org/Plugins/LastLogin
Debian Stretch and Jessie Backports already have this plugin in their packages.
If I can help, please let me know :)

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4704
Remove LE certificate when delete Websites.
2020-06-05T17:42:31Z
AndyPL

ISPC 3.1.5 and older ver. of ISPC does not remove the LE certificate when delete Websites

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4655
Add more details to the Let's Encrypt warning e-mail
2020-08-08T13:27:18Z
Antal

The current e-mail only states WARNING - Let's Encrypt SSL Cert for: domain.tld could not be issued.
Please add more detailed information why the certificate could not be issued as we can find in the cron.log.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4626
Can't add DKIM entry using TXT field
2018-12-12T17:37:43Z
Paweł G.

Change introduced in commit 378d8326bfb5b5713caf74c370dd14fd547f9c21 causes that you can't add DKIM record to your DNS zone using TXT type.
`DKIM is not allowed. Use the DKIM button`
But I can't use DKIM button when I don't have mail support in ispconfig (mail is hosted in some other place).
There should be done one of two things:
1. allow adding DKIM record with TXT type - simply remove in file `interface/web/dns/form/dns_txt.tform.php ` validator number 1 (lines 113-117) for field "data"
2. allow insert DKIM entries in DKIM button. Right now you can here only fetch data from mail section.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4567
Global setting for mail domain for greylisting
2020-09-14T09:45:36Z
Daniele

Would be useful have a setting in the mail domain (and also in Limit-template) to enable or disable graylisting for all email boxes of the domain.
The link to the Limit-template would be useful so you can offer or not the function to the hosting plan you are selling.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4490
Add option to disable admin protection feature
2020-07-20T16:08:36Z
Till Brehm

Add option to disable admin protection feature globally and an option to disable it for a single website on the options tab.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4423
Additional PHP Versions Monitoring
2020-05-25T12:29:58Z
oNdsen

Need an Option to see which Websites are using the selected Additional PHP Version

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4370
Extended client delete dialog
2020-07-29T22:52:27Z
non7top

After pressing delete client icon there is no detailed information about what will be deleted (websites, users, etc).
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4325
Disable http to https redirect when ssl is off
2020-09-15T11:56:07Z
Till Brehm

Disable http to https redirect when ssl is off
3.2