ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
2023-02-09T19:13:26Z

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6461
Removing jailkit user does not clear jailkit files from web directory
2023-02-09T19:13:26Z
Jens

## Summary
See $Subject
## Steps to reproduce
1. Setup basic ISPconfig 3.2.9 on Ubuntu 22.04 using ispc-autoinstaller
2. Create shell user with jailkit
3. Remove this shell user again, wait for ISPconfig cronjob
## Correct behaviour
The web directory should not have any jailkit specific files (hardlinks to /usr, /etc/, etc files) any more.
## Environment
Server OS + version: Ubuntu 22.04 server
ISPConfig version: 3.2.9
## Proposed fix
If jailkit does not provide this functionality (remove jailkit specific hardlinks), we can recreate this by finding all files owned by root with link_count > 1 and removing them, and then removing all non-default empty folders (i.e. exclude everything with +i attribute). Something like this:
```
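# remove root-owned files with more than one hard link (the jailkit copies)
find "$WEBDIR" -type f -user root -links +1 -print0 | xargs -0 -r rm
find "$WEBDIR" -type d | tac | xargs -r rmdir # rmdir fails on non-empty folders, and tac reverses order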
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6457
Support getmail imap idle option
2023-01-27T08:42:10Z
KoS

It would be great if the getmail imap idle function would be supported so that IMAP mailboxes do not need to be polled every 5 minutes but mails will arrive immediately.
As this would need to run a system service for every getmail rcconfig that needs imap idle, it would be a bigger change in how ISPconfig handles the getmail configuration.
See https://pyropus.ca./software/getmail/configuration.html#running-commandline-options and https://work-work.work/blog/2018/12/15/getmail-systemd-imap-idle.html

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6439
DNSSEC CDS support for automatic key handling
2023-04-13T08:04:44Z
KoS

Instead of having to manually copy the DNSSEC keys to the registrar from ISPconfig, only the "dnssec-policy default;" of BIND needs to be enabled for automatic key handling, see here:
see here https://forum.howtoforge.com/threads/dnssec-cds-records.89962/
Changes needed in ISPconfig:
- Add a mutually exclusive checkbox to "Sign zone (DNSSEC)" à la "Enable DNSSEC default policy"
- Fix the apparmor file permission issues
- Write the "dnssec-policy default;" in the config file
- Make sure this feature is only available for newer BIND versions (>= 9.17)
Thanks!

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6429
Statistics (FTP, traffic etc.) displays NAN when no records in DB
2023-01-29T20:49:52Z
Krzysztof Baranowski

When an account is new or doesn't have any stats there are NAN everywhere.
Sites -> ftp stats, traffic stats, backup stats
Email -> mailbox stats, backup stats, traffic stats
![Screenshot_2022-12-16_at_11-37-04_ISPConfig](/uploads/03158c0aee0a0ff6d9d9411d5f4863d8/Screenshot_2022-12-16_at_11-37-04_ISPConfig.png)

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6427
Dovecot & postfix - add allow_nets setting
2022-12-15T11:32:37Z
Krzysztof Baranowski

Future request.
Dovecot has a security setting called allow_nets that allows login to a mailbox only from listed IPs.
https://doc.dovecot.org/configuration_manual/authentication/allow_nets/
This setting controls not only login to imap, pop3 but also smtp.
Setting can be done for selected emails.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6426
Create API or function to import DNSSEC keys
2022-12-14T18:32:00Z
Till Brehm

Create API or function to import DNSSEC keys using remote API and maybe also in the GUI.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6425
Include ModSecurity and OWASP ModSecurity Core Rule Set (CRS)
2022-12-14T18:30:24Z
Raffael Luthiger

Many websites / CMS systems get attacked on a daily basis. There is an open source project which is providing ModSecurity rules to mitigate many common attacks. It would be great if ModSecurity and the OWASP ModSecurity Core Rule Set (CRS) is included in ISPconfig in the sense that those rules can be enabled or disabled on a per website basis. ModSecurity is available for nginx and apache.
More information about the project:
https://owasp.org/www-project-modsecurity-core-rule-set/ or here
https://coreruleset.org/

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6410
Add website php version as alias to the .bashrc file of the web user
2023-12-08T11:47:42Z
Till Brehm

See: https://forum.howtoforge.com/threads/installed-ispconfig-3.89709/#post-440465

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6402
Feature Request: BorgBackup also for email
2022-11-12T16:44:47Z
Jacco van Koll

First, I want to say **THANK YOU** for implementing BorgBackup for websites! It works fast, amazing, and saves tons of space! It's great!
Now my humble request: Can BorgBackup also be implemented for mailboxes? This would have a huge impact on saving storage too!
Thank you in advance!

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6388
support multiple logos for resellers
2023-09-16T10:48:24Z
Mattia Rizzolo

In my company, we have a bunch of resellers that also allow some of their customers access to the panel.
For those, we have been asked to place their own logos in the login page and at the top of the panel. At this time, we have a local patch like this:
```diff
--- index.php.bak 2022-09-27 11:23:24.014454894 +0200
+++ index.php 2022-09-27 11:25:56.915375461 +0200
@@ -103,6 +103,10 @@
$base64_logo_txt = $logo['default_logo'];
}
$tmp_base64 = explode(',', $base64_logo_txt, 2);
+if (strpos($_SERVER['HTTP_HOST'], 'example.com')){
+ $im = file_get_contents('themes/default/assets/images/logo_customer_example.png');
+ $base64_logo_txt = 'data:image/png;base64,'.base64_encode($im);
+}
$logo_dimensions = $app->functions->getimagesizefromstring(base64_decode($tmp_base64[1]));
$app->tpl->setVar('base64_logo_width', $logo_dimensions[0].'px');
$app->tpl->setVar('base64_logo_height', $logo_dimensions[1].'px');
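Review bot: the host test `strpos($_SERVER['HTTP_HOST'], 'example.com')` in the added `if` is both too strict and too loose. `strpos` returns 0, which is falsy, when the Host header begins with `example.com`, so the bare domain never gets the customer logo, while any client-supplied Host value that contains the string at a later offset does. Compare the lower-cased host, with any port removed, for equality against a list of known reseller domains, and use `!== false` only if a substring match is really what is wanted.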
--- login/index.php.bak 2022-09-27 11:26:38.029796023 +0200
+++ login/index.php 2022-09-27 11:28:19.584394637 +0200
@@ -485,6 +485,10 @@
$base64_logo_txt = $logo['default_logo'];
}
$tmp_base64 = explode(',', $base64_logo_txt, 2);
+if (strpos($_SERVER['HTTP_HOST'], 'example.com')){
+ $im = file_get_contents('../themes/default/assets/images/logo_customer_example.png');
+ $base64_logo_txt = 'data:image/png;base64,'.base64_encode($im);
+}
$logo_dimensions = $app->functions->getimagesizefromstring(base64_decode($tmp_base64[1]));
$app->tpl->setVar('base64_logo_width', $logo_dimensions[0].'px');
$app->tpl->setVar('base64_logo_height', $logo_dimensions[1].'px');
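Review bot: the override is assigned after `$tmp_base64 = explode(',', $base64_logo_txt, 2);`, so the next line, `getimagesizefromstring(base64_decode($tmp_base64[1]))`, still measures the previously selected logo and the template receives that logo's width and height for the customer image. Move the added block above the `explode()` call, in both files, and check that `file_get_contents()` did not return `false` before encoding, so that a missing `logo_customer_example.png` falls back to the default logo instead of producing an empty data URI.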
```
Which is quite not nice for me :smile:
I wonder if it would be possible to upload the reseller logo to their profile, and then somehow associate a domain to them so that it would pick a different logo depending on known domain names used to access the website?
Thank you for considering!

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6387
DMARC update just like SPF
2023-07-04T21:14:53Z
hkendusers

## Summary
When I update SPF record by clicking the record (not SPF button), it shows "DNS SPF" editing page.
However, if I update the DMARC record by clicking the record (not the DMARC button), it shows the "DNS TXT" editing page but not the "DNS DMARC" editing page, and it even shows the error "DMARC is not allowed. Use the DMARC button" if I save it.
Is it OK that DMARC editing works just like SPF? That means clicking the record then shows the "DNS DMARC" editing page directly, which will prevent user confusion.
## Environment
Server OS + version: CentOS Stream release 8
ISPConfig version: 3.2.8p1
## Proposed fix
Open /usr/local/ispconfig/interface/web/dns/dns_txt_edit.php
```php
if ('v=spf1' === mb_substr($this->dataRecord['data'], 0, 6)) {
    header(sprintf('Location: dns_spf_edit.php?id=%d', $this->dataRecord['id']));
    exit;
}
```
Update to
```php
if ('v=spf1' === mb_substr($this->dataRecord['data'], 0, 6)) {
    header(sprintf('Location: dns_spf_edit.php?id=%d', $this->dataRecord['id']));
    exit;
} else if ("v=DMARC1" == mb_substr($this->dataRecord["data"], 0, 8)) {
    header(sprintf("Location: dns_dmarc_edit.php?id=%d", $this->dataRecord["id"]));
    exit;
}
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6382
Improve supported sieve extensions enabled by default using require
2022-10-18T08:10:23Z
Judah - MW

These are the dovecot pigeonhole sieve extensions included in dovecot by default that we don't currently support in custom sieve filters, and the version of pigeonhole which first included them. [This list is from the Dovecot wiki.](https://doc.dovecot.org/configuration_manual/sieve/pigeonhole_sieve_interpreter/#supported-features)

| Extension | Supported since |
|---|---|
| body | always |
| duplicate | v0.4.3+ |
| enotify | v0.1.3+ |
| environment | v0.4.0+ |
| foreverypart | v0.4.14+ |
| ihave | v0.2.4+ |
| include | v0.4.0+ |
| index | v0.4.7+ |
| mime | v0.4.14+ |
| extracttext | v0.4.14+ |
| variables | always |
We should definitely be including `body` and `variables` as they are enabled by default and supported in every version of dovecot pigeonhole. Body in particular is vital for many custom filters. For simplicity's sake I'm submitting a merge request for these 2 extensions straight away so it can hopefully become part of %"3.2.9". Having sane defaults is especially important because the list of required extensions can't be updated later in the filter due to a limitation of sieve/pigeonhole: `require commands can only be placed at top level at the beginning of the file` (See #5124)
As for the others, currently the most recent extension we use is `date` with a release version of v0.1.12 from 2010. The most recent pigeonhole version needed to support all these extensions would be v0.4.14 which is from April 2016, over 6 years ago. Could we safely assume that all installations would have at least that version? Perhaps for these more specific extensions we should make no default inclusion and simply carry on letting admins enable them by installing a modified config into `conf-custom`? Some of these extensions also have security considerations such as `include` which allows including other sieve files.
What do you think @jnorell?

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6375
Multiserver setup: custom files autoload (e.g. a custom standard_index.html)
2022-08-08T19:37:40Z
Sergio

Hi, in a Multiserver setup, during installation of a new server, it would be useful to have the chance to autoload custom files from the master server, such as the standard_index.html or a custom service config file, such as nginx_vhost.conf.master.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6363
rfe: rspamd: add mxroute lists
2022-07-15T19:31:14Z
Jesse Norell

Consider adding https://github.com/mxroute/rspamd_rules/tree/master/lists to rspamd configuration.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6355
rspamd: trusted ARC signers
2022-06-27T16:18:59Z
Jesse Norell

Feature Request: Add to the UI a way to specify trusted ARC signers (rspamd whitelisted_signers_map setting). Ideally we could allow individual domain owners to specify what signers are trusted when mailing their domain, but it may have to be a server/system wide setting, I've not dug into the details).
This will help improve mail authentication for mail forwarded to an ISPConfig system, if the forwarder breaks DMARC (spf usually breaks, DKIM breaks if headers/body/sender is changed) but ARC signed the message that they received, rspamd can ignore the DMARC failure and consider the message authenticated. This feature allows the server/domain admin to specify what ARC forwarders should be trusted.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6349
Lost root ssh access, here's how
2022-06-17T18:08:06Z
Sergio

Hi, today I lost the root ssh access to the ISPConfig installation, running on Ubuntu 20.04. When I first installed ISPConfig I removed the prefix for FTP users and Shell users. Today I wanted to test a few customizations on shell users, so I created a new user with the same username of the only user on sudoers (it's my name after all :P), then I deleted it and boom. That action deleted the sudoer user, so I lost the root access to my machine. Nothing really serious, I recovered it, then it was a virtual machine running on my home computer, but I think it shouldn't have happened. In this way an ISPConfig user with create users privileges could compromise the access to the machine. Maybe there could be a check if the user already exists before creating a new one.
Thanks :smile:

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6341
disable AUTH on port 25
2022-05-02T17:55:25Z
Jesse Norell

Add a server setting to disable AUTH on port 25. This of course requires clients to be using proper mail submission ports, but blocks a lot of junk authentication attempts where it can be used.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6340
disable plaintext email logins
2022-05-02T16:13:37Z
Jesse Norell

Add a server setting to disable plaintext email logins, which will help with email account compromises.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6308
dns_zone_get_by_user: server_id should be optional
2022-03-23T15:31:27Z
Jesse Norell

Make the server_id optional in [dns_zone_get_by_user](https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/interface/lib/classes/remote.d/dns.inc.php#L766).
Currently the acme proxy can only update a single DNS server as it must supply the server_id, so it can't be used fully in a multi-server install with multiple DNS servers.
Jesse Norell

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6292
Goaccess retention issue
2022-07-31T21:04:05Z
Lorenzo Valori

Hi, I noticed a problem with the goaccess configuration, in a nutshell it does not respect the "Logfiles retention time" parameter.
Let me explain better, I have a web area with the "Logfiles retention time" set to 10 days and in fact the apache logs are correctly rotated, but in the log folder there is the goaccess_db folder which, in my case, has grown to occupy 1.6 GB.
I believe that this issue causes loss of control of the space occupied by the statistics even if the log files are rotated.
The "--keep-last" parameter could be implemented in the goaccess configuration to solve the question, what do you think about?