.gitlab-ci.yml

@@ -90,7 +90,7 @@ build:package:
         - if [[ "$VER" == "" ]] ; then VER="3.2dev"$(date +%s) ; fi
         - if [[ "$VER" != "" ]] ; then echo "Replacing 3.2dev by $VER" ; sed -i -r 's/3\.2dev/'${VER}'/g' install/tpl/config.inc.php.master install/sql/ispconfig3.sql ; fi
         - RET=0
-        - tar -cpzf ISPConfig-${VER}.tar.gz --exclude "ISPConfig-${VER}.tar.gz" --exclude ".git*" --exclude ".phplint.yml" --transform 's,^\./,ispconfig3_install/,' . || RET=$?
+        - tar -cpzf ISPConfig-${VER}.tar.gz --exclude "ISPConfig-${VER}.tar.gz" --exclude ".git*" --exclude ".phplint.yml" --transform 's,^\./,ispconfig3_install/,' --mode='0775' ./* || RET=$?
         - if [[ $RET > 1 ]] ; then exit $RET ; fi
         - echo "Listing tar contents for verification"
         - tar -tvf ISPConfig-${VER}.tar.gz
@@ -101,4 +101,4 @@ build:package:
         - echo "Download url is https://download.ispconfig.org/ISPConfig-${VER}.tar.gz"
         
     needs: ["syntax:lint"]
-    allow_failure: false
+    allow_failure: false
\ No newline at end of file

install/dist/conf/gentoo.conf.php

@@ -51,6 +51,8 @@ $conf['services']['dns'] = true;
 $conf['services']['file'] = true;
 $conf['services']['db'] = true;
 $conf['services']['vserver'] = true;
+$conf['services']['proxy'] = false;
+$conf['services']['firewall'] = false;
 
 //* MySQL
 $conf['mysql']['installed'] = false; // will be detected automatically during installation
@@ -80,7 +82,7 @@ $conf['apache']['installed'] = false; // will be detected automatically during i
 $conf['apache']['user'] = 'apache';
 $conf['apache']['group'] = 'apache';
 $conf['apache']['init_script'] = 'apache2';
-$conf['apache']['version'] = '2.2';
+$conf['apache']['version'] = '2.4';
 $conf['apache']['config_dir'] = '/etc/apache2';
 $conf['apache']['config_file'] = $conf['apache']['config_dir'] .'/httpd.conf';
 $conf['apache']['ssl_dir'] = '/etc/ssl/apache2';
@@ -88,8 +90,8 @@ $conf['apache']['vhost_conf_dir'] = $conf['apache']['config_dir'] . '/vhosts.d';
 $conf['apache']['vhost_conf_enabled_dir'] = $conf['apache']['vhost_conf_dir'];
 $conf['apache']['vhost_default'] = '00_default_vhost.conf';
 $conf['apache']['vhost_port'] = '8080';
-$conf['apache']['php_ini_path_apache'] = '/etc/php/apache2-php5/php.ini';
-$conf['apache']['php_ini_path_cgi'] = '/etc/php/cgi-php5/php.ini';
+$conf['apache']['php_ini_path_apache'] = '/etc/php/apache2-php7.4/php.ini';
+$conf['apache']['php_ini_path_cgi'] = '/etc/php/cgi-php7.4/php.ini';
 
 //* Website base settings
 $conf['web']['website_basedir'] = '/var/www';
@@ -110,7 +112,7 @@ $conf['awstats']['pl'] = '/usr/bin/awstats.pl';
 $conf['awstats']['buildstaticpages_pl'] = '/usr/bin/awstats_buildstaticpages.pl';
 
 //* Fastcgi
-$conf['fastcgi']['fastcgi_phpini_path'] = '/etc/php/cgi-php5';
+$conf['fastcgi']['fastcgi_phpini_path'] = '/etc/php/cgi-php7.4';
 $conf['fastcgi']['fastcgi_starter_path'] = '/var/www/php-fcgi-scripts/[system_user]/';
 $conf['fastcgi']['fastcgi_bin'] = '/usr/bin/php-cgi';
 
@@ -131,6 +133,10 @@ $conf['mailman']['installed'] = false; // will be detected automatically during
 $conf['mailman']['config_dir'] = '/etc/mailman';
 $conf['mailman']['init_script'] = 'mailman';
 
+//* mlmmj
+$conf['mlmmj']['installed'] = false; // will be detected automatically during installation
+$conf['mlmmj']['config_dir'] = '/etc/mlmmj';
+
 //* Getmail
 $conf['getmail']['installed'] = false; // will be detected automatically during installation
 $conf['getmail']['user'] = 'getmail';
@@ -176,6 +182,7 @@ $conf['pureftpd']['installed'] = false; // will be detected automatically during
 $conf['pureftpd']['config_file'] = '/etc/conf.d/pure-ftpd';
 $conf['pureftpd']['mysql_config_file'] = '/etc/pureftpd-mysql.conf';
 $conf['pureftpd']['init_script'] = 'pure-ftpd';
+$conf['pureftpd']['main_config_file'] = '/etc/pure-ftpd.conf';
 
 //* MyDNS
 $conf['mydns']['installed'] = false; // will be detected automatically during installation
@@ -226,6 +233,13 @@ $conf['nginx']['php_fpm_pool_dir'] = '/etc/php5/fpm/pool.d';
 $conf['nginx']['php_fpm_start_port'] = 9010;
 $conf['nginx']['php_fpm_socket_dir'] = '/var/lib/php5-fpm';
 
+//* OpenVZ
+$conf['openvz']['installed'] = false;
+
+//*Bastille-Firwall
+$conf['bastille']['installed'] = false;
+$conf['bastille']['config_dir'] = '/etc/Bastille';
+
 //* vlogger
 $conf['vlogger']['config_dir'] = '/etc/vlogger';
 
@@ -235,10 +249,12 @@ $conf['cron']['crontab_dir'] = '/etc/cron.d';
 $conf['cron']['group'] = 'cron';
 $conf['cron']['wget'] = '/usr/bin/wget';
 
-//* OpenVZ
-$conf['openvz']['installed'] = false;
+//* Metronome XMPP
+$conf['xmpp']['installed'] = false;
+$conf['xmpp']['init_script'] = 'metronome';
 
 // AppArmor
 $conf['apparmor']['installed'] = false;
 
+
 ?>

install/dist/tpl/gentoo/apache_ispconfig.vhost.master

@@ -6,7 +6,7 @@
 
 {vhost_port_listen} Listen {vhost_port}
 <tmpl_if name='apache_version' op='<' value='2.4' format='version'>
-  NameVirtualHost *:{vhost_port}
+  # NameVirtualHost *:{vhost_port}
 </tmpl_if>
 
 <VirtualHost _default_:{vhost_port}>

install/lib/installer_base.lib.php

@@ -52,7 +52,7 @@ class installer_base {
 	}
 
 	public function update_acme() {
-		$acme = explode("\n", shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
+		$acme = explode("\n", shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh 2> /dev/null'));
 		$acme = reset($acme);
 		$val = 0;
 
@@ -892,6 +892,20 @@ class installer_base {
 	public function configure_mailman($status = 'insert') {
 		global $conf;
 
+		// Fix for #6314: bug on Debian 11 systems where Mailman3 is not available and broken routes exist in the Mailman config
+		$data_dir = '/var/lib/mailman';
+		if (($conf['mailman']['installed'] != true) && is_dir($data_dir)) {
+			rename($data_dir, $data_dir . '-bk');
+			//* Create the mailman files
+			if(!is_dir('/var/lib/mailman/data')) exec('mkdir -p /var/lib/mailman/data');
+			if(!is_file('/var/lib/mailman/data/aliases')) touch('/var/lib/mailman/data/aliases');
+			exec('postmap /var/lib/mailman/data/aliases');
+			if(!is_file('/var/lib/mailman/data/virtual-mailman')) touch('/var/lib/mailman/data/virtual-mailman');
+			exec('postmap /var/lib/mailman/data/virtual-mailman');
+			if(!is_file('/var/lib/mailman/data/transport-mailman')) touch('/var/lib/mailman/data/transport-mailman');
+			exec('postmap /var/lib/mailman/data/transport-mailman');
+		}
+
 		$config_dir = $conf['mailman']['config_dir'].'/';
 		$full_file_name = $config_dir.'mm_cfg.py';
 		//* Backup exiting file
@@ -1653,7 +1667,7 @@ class installer_base {
 		//* These postconf commands will be executed on installation and update
 		$server_ini_rec = $this->db->queryOneRecord("SELECT mail_server, config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']);
 		$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
-		$mail_server = ($server_ini_rec['mail_server']) ? true : false;
+		$mail_server = $conf['services']['mail'];
 		unset($server_ini_rec);
 
 		// amavisd user config file
@@ -1777,7 +1791,7 @@ class installer_base {
 		//* These postconf commands will be executed on installation and update
 		$server_ini_rec = $this->db->queryOneRecord("SELECT mail_server, config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']);
 		$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
-		$mail_server = ($server_ini_rec['mail_server']) ? true : false;
+		$mail_server = $conf['services']['mail'];
 		unset($server_ini_rec);
 
 		$config_dir = $conf['postfix']['config_dir'];
@@ -1981,8 +1995,13 @@ class installer_base {
 
 		exec('chmod a+r /etc/rspamd/local.d/* /etc/rspamd/local.d/maps.d/* /etc/rspamd/override.d/*');
 		# protect passwords in these files
-		exec('chgrp _rspamd /etc/rspamd/local.d/redis.conf /etc/rspamd/local.d/classifier-bayes.conf /etc/rspamd/local.d/worker-controller.inc');
-		exec('chmod 640 /etc/rspamd/local.d/redis.conf /etc/rspamd/local.d/classifier-bayes.conf /etc/rspamd/local.d/worker-controller.inc');
+		exec('chgrp _rspamd /etc/rspamd/local.d/redis.conf /etc/rspamd/local.d/classifier-bayes.conf');
+		exec('chmod 640 /etc/rspamd/local.d/redis.conf /etc/rspamd/local.d/classifier-bayes.conf');
+
+		if(file_exists('/etc/rspamd/local.d/worker-controller.inc')) {
+			exec('chgrp _rspamd /etc/rspamd/local.d/worker-controller.inc');
+			exec('chmod 640 /etc/rspamd/local.d/worker-controller.inc');
+		}
 
 		# unneccesary, since this was done above?
 		$command = 'usermod -a -G amavis _rspamd';
@@ -3847,6 +3866,10 @@ class installer_base {
 			$root_cron_jobs[] = "0 0 * * * ".$install_dir."/server/scripts/create_daily_nginx_access_logs.sh &> /dev/null";
 		}
 
+		if ($conf['services']['mail'] == 1) {
+			$root_cron_jobs[] = "30 23 * * * ".$install_dir."/server/scripts/handle_mailbox_soft_deleted.sh &> /dev/null";
+		}
+
 		foreach($root_cron_jobs as $cron_job) {
 			if(!in_array($cron_job."\n", $existing_root_cron_jobs)) {
 				$existing_root_cron_jobs[] = $cron_job."\n";

install/tpl/apache_apps.vhost.master

-######################################################
-# This virtual host contains the configuration
-# for the ISPConfig apps vhost
-######################################################
-
-{tmpl_var name='vhost_port_listen'} Listen {tmpl_var name='apps_vhost_port'}
-# NameVirtualHost *:{tmpl_var name='apps_vhost_port'}
-
-<VirtualHost {tmpl_var name='apps_vhost_ip'}:{tmpl_var name='apps_vhost_port'}>
-  ServerAdmin webmaster@localhost
-  {tmpl_var name='apps_vhost_servername'}
-  
-  <Directory {tmpl_var name='apps_vhost_dir'}>
-    <FilesMatch "\.ph(p3?|tml)$">
-      SetHandler None
-    </FilesMatch>
-  </Directory>
-
-  # SSL Configuration
-  <tmpl_var name="ssl_comment">SSLEngine On
-  <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'>
-  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
-  <tmpl_else>
-  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3
-  </tmpl_if>
-  <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
-  <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
-  <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
-
-  <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-  <tmpl_var name="ssl_comment">SSLHonorCipherOrder On
-  <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
-  <tmpl_var name="ssl_comment">SSLCompression Off
-  </tmpl_if>
-  <tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'>
-  <tmpl_var name="ssl_comment">SSLSessionTickets Off
-  </tmpl_if>
-
-  <IfModule mod_headers.c>
-    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
-    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
-    <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
-    Header set X-Content-Type-Options: nosniff
-    Header set X-Frame-Options: SAMEORIGIN
-    Header set X-XSS-Protection: "1; mode=block"
-    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
-    <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure"
-    <IfVersion >= 2.4.7>
-        Header setifempty Strict-Transport-Security "max-age=15768000"
-    </IfVersion>
-    <IfVersion < 2.4.7>
-        Header set Strict-Transport-Security "max-age=15768000"
-    </IfVersion>
-    RequestHeader unset Proxy early
-  </IfModule>
-
-  <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
-  <tmpl_var name="ssl_comment">SSLUseStapling On
-  <tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5
-  <tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off
-  </tmpl_if>
-
-  <IfModule mod_headers.c>
-	RequestHeader unset Proxy early
-  </IfModule>
-
-  <IfModule mod_php5.c>
-    DocumentRoot {tmpl_var name='apps_vhost_dir'}
-    AddType application/x-httpd-php .php
-    <Directory {tmpl_var name='apps_vhost_dir'}>
-		Options FollowSymLinks
-		AllowOverride None
-		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
-		Require all granted
-		<tmpl_else>
-		Order allow,deny
-		Allow from all
-		</tmpl_if>
-    </Directory>
-  </IfModule>
-
-  <IfModule mod_php7.c>
-    DocumentRoot {tmpl_var name='apps_vhost_dir'}
-    AddType application/x-httpd-php .php
-    <Directory {tmpl_var name='apps_vhost_dir'}>
-		Options FollowSymLinks
-		AllowOverride None
-		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
-		Require all granted
-		<tmpl_else>
-		Order allow,deny
-		Allow from all
-		</tmpl_if>
-    </Directory>
-  </IfModule>
-
-  <IfModule mod_fcgid.c>
-    DocumentRoot {tmpl_var name='apps_vhost_dir'}
-    SuexecUserGroup ispapps ispapps
-    <Directory {tmpl_var name='apps_vhost_dir'}>
-		Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
-		AllowOverride AuthConfig Indexes Limit Options FileInfo
-	    <FilesMatch "\.php$">
-		  SetHandler fcgid-script
-	    </FilesMatch>
-		FCGIWrapper {tmpl_var name='apps_vhost_basedir'}/php-fcgi-scripts/apps/.php-fcgi-starter .php
-		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
-		Require all granted
-		<tmpl_else>
-		Order allow,deny
-		Allow from all
-		</tmpl_if>
-    </Directory>
-    IPCCommTimeout  7200
-    MaxRequestLen 15728640 
-  </IfModule>
-
-{tmpl_if name="use_rspamd"}
-  <Location /rspamd>
-        Order allow,deny
-        Allow from all
-  </Location>
-  RewriteEngine On
-  RewriteRule ^/rspamd$ /rspamd/ [R,L]
-  RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]
-{/tmpl_if}
-
-</VirtualHost>
-
-<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
-<IfModule mod_ssl.c>
-  <tmpl_var name="ssl_comment">SSLStaplingCache shmcb:/var/run/ocsp(128000)
-</IfModule>
-</tmpl_if>

install/tpl/apache_apps.vhost.master

+server/conf/apache_apps.vhost.master
\ No newline at end of file

install/tpl/debian6_dovecot-sql.conf.master

 # http://wiki.dovecot.org/AuthDatabase/SQL
-#
-# CREATE TABLE users (
-#     userid VARCHAR(128) NOT NULL,
-#     password VARCHAR(64) NOT NULL,
-#     home VARCHAR(255) NOT NULL,
-#     uid INTEGER NOT NULL,
-#     gid INTEGER NOT NULL,
-#     active CHAR(1) DEFAULT 'Y' NOT NULL
-# );
 
 driver = mysql
 connect = host={mysql_server_host} dbname={mysql_server_database} user={mysql_server_ispconfig_user} password={mysql_server_ispconfig_password} port={mysql_server_port}
@@ -20,4 +11,4 @@ user_query = SELECT email as user, maildir as home, CONCAT( maildir_format, ':',
 
 # The iterate_query is required for the doveadm command only and works only on dovecot 2 servers.
 # Do not enable it on Dovecot 1.x servers
-# iterate_query = SELECT email as user FROM mail_user WHERE server_id = '{server_id}'
+# iterate_query = SELECT email as user FROM mail_user WHERE disabledoveadm='n' AND server_id = '{server_id}'

install/tpl/debian_dovecot-sql.conf.master

-# This file is opened as root, so it should be owned by root and mode 0600.
-#
 # http://wiki.dovecot.org/AuthDatabase/SQL
-#
-# For the sql passdb module, you'll need a database with a table that
-# contains fields for at least the userid and password. If you want to
-# use the user@domain syntax, you might want to have a separate domain
-# field as well.
-#
-# If your users all have the same uig/gid, and have predictable home
-# directories, you can use the static userdb module to generate the home
-# dir based on the userid and domain. In this case, you won't need fields
-# for home, uid, or gid in the database.
-#
-# If you prefer to use the sql userdb module, you'll want to add fields
-# for home, uid, and gid. Here is an example table:
-#
-# CREATE TABLE users (
-#     userid VARCHAR(128) NOT NULL,
-#     password VARCHAR(64) NOT NULL,
-#     home VARCHAR(255) NOT NULL,
-#     uid INTEGER NOT NULL,
-#     gid INTEGER NOT NULL,
-#     active CHAR(1) DEFAULT 'Y' NOT NULL
-# );
-
-# Database driver: mysql, pgsql, sqlite
-#driver = 
-
-# Database connection string. This is driver-specific setting.
-#
-# pgsql:
-#   For available options, see the PostgreSQL documention for the
-#   PQconnectdb function of libpq.
-#
-# mysql:
-#   Basic options emulate PostgreSQL option names:
-#     host, port, user, password, dbname
-#
-#   But also adds some new settings:
-#     client_flags        - See MySQL manual
-#     ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-#     ssl_cert, ssl_key   - For sending client-side certificates to server
-#     ssl_cipher          - Set minimum allowed cipher security (default: HIGH)
-# 
-#   You can connect to UNIX sockets by using host: host=/var/run/mysqld/mysqld.sock
-#   Note that currently you can't use spaces in parameters.
-#
-# sqlite:
-#   The path to the database file.
-#
-# Examples:
-#   connect = host=192.168.1.1 dbname=users
-#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
-#   connect = /etc/dovecot/authdb.sqlite
-#
-#connect = dbname=virtual user=virtual
-
-# Default password scheme.
-#
-# List of supported schemes is in
-# http://wiki.dovecot.org/Authentication/PasswordSchemes
-#
-#default_pass_scheme = PLAIN-MD5
-
-# Query to retrieve the password.
-#
-# This query must return only one row with "user" and "password" columns.
-# The query can also return other fields which have a special meaning, see
-# http://wiki.dovecot.org/PasswordDatabase/ExtraFields
-#
-# The "user" column is needed to make sure the username gets used with exactly
-# the same casing as it's in the database. Note that if you store username and
-# domain in separate fields, you most likely want to return a combination of
-# them as the "user" column, otherwise the domain gets stripped.
-#
-# Commonly used available substitutions (see
-# http://wiki.dovecot.org/Variables for full list):
-#   %u = entire userid
-#   %n = user part of user@domain
-#   %d = domain part of user@domain
-# 
-# Note that these can be used only as input to SQL query. If the query outputs
-# any of these substitutions, they're not touched. Otherwise it would be
-# difficult to have eg. usernames containing '%' characters.
-#
-# Example:
-#   password_query = SELECT concat(userid, '@', domain) AS user, password FROM users WHERE userid = '%n' AND domain = '%d'
-#   password_query = SELECT pw AS password FROM users WHERE userid = '%u' AND active = 'Y'
-#
-#password_query = SELECT userid as user, password FROM users WHERE userid = '%u'
-
-# Query to retrieve the user information.
-#
-# The query must return only one row. Commonly returned columns are:
-#   uid - System UID
-#   gid - System GID
-#   home - Home directory
-#   mail - Mail location
-#
-# Either home or mail is required. uid and gid are required. If more than one
-# row is returned or there are missing fields, the login will fail. For a list
-# of all fields that can be returned, see 
-# http://wiki.dovecot.org/UserDatabase/ExtraFields
-#
-# Examples
-#   user_query = SELECT home, uid, gid FROM users WHERE userid = '%n' AND domain = '%d'
-#   user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
-#   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
-#
-#user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
-
-# If you wish to avoid two SQL lookups (passdb + userdb), you can use
-# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
-# also have to return userdb fields in password_query prefixed with "userdb_"
-# string. For example:
-#password_query = SELECT userid as user, password, home as userdb_home, uid as userdb_uid, gid as userdb_gid FROM users WHERE userid = '%u'
 
 driver = mysql
 connect = host={mysql_server_host} dbname={mysql_server_database} user={mysql_server_ispconfig_user} password={mysql_server_ispconfig_password} port={mysql_server_port}
@@ -127,5 +11,4 @@ user_query = SELECT email as user, maildir as home, CONCAT( maildir_format, ':',
 
 # The iterate_query is required for the doveadm command only and works only on dovecot 2 servers.
 # Do not enable it on Dovecot 1.x servers
-# iterate_query = SELECT email as user FROM mail_user WHERE server_id = '{server_id}'
-
+# iterate_query = SELECT email as user FROM mail_user WHERE disabledoveadm='n' AND server_id = '{server_id}'

install/tpl/fedora_dovecot-sql.conf.master

-# This file is opened as root, so it should be owned by root and mode 0600.
-#
 # http://wiki.dovecot.org/AuthDatabase/SQL
-#
-# For the sql passdb module, you'll need a database with a table that
-# contains fields for at least the username and password. If you want to
-# use the user@domain syntax, you might want to have a separate domain
-# field as well.
-#
-# If your users all have the same uig/gid, and have predictable home
-# directories, you can use the static userdb module to generate the home
-# dir based on the username and domain. In this case, you won't need fields
-# for home, uid, or gid in the database.
-#
-# If you prefer to use the sql userdb module, you'll want to add fields
-# for home, uid, and gid. Here is an example table:
-#
-# CREATE TABLE users (
-#     username VARCHAR(128) NOT NULL,
-#     domain VARCHAR(128) NOT NULL,
-#     password VARCHAR(64) NOT NULL,
-#     home VARCHAR(255) NOT NULL,
-#     uid INTEGER NOT NULL,
-#     gid INTEGER NOT NULL,
-#     active CHAR(1) DEFAULT 'Y' NOT NULL
-# );
-
-# Database driver: mysql, pgsql, sqlite
-#driver = 
-
-# Database connection string. This is driver-specific setting.
-#
-# pgsql:
-#   For available options, see the PostgreSQL documention for the
-#   PQconnectdb function of libpq.
-#
-# mysql:
-#   Basic options emulate PostgreSQL option names:
-#     host, port, user, password, dbname
-#
-#   But also adds some new settings:
-#     client_flags        - See MySQL manual
-#     ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-#     ssl_cert, ssl_key   - For sending client-side certificates to server
-#     ssl_cipher          - Set minimum allowed cipher security (default: HIGH)
-#     option_file         - Read options from the given file instead of
-#                           the default my.cnf location
-#     option_group        - Read options from the given group (default: client)
-# 
-#   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
-#   Note that currently you can't use spaces in parameters.
-#
-#   MySQL supports multiple host parameters for load balancing / HA.
-#
-# sqlite:
-#   The path to the database file.
-#
-# Examples:
-#   connect = host=192.168.1.1 dbname=users
-#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
-#   connect = /etc/dovecot/authdb.sqlite
-#
-#connect =
-
-# Default password scheme.
-#
-# List of supported schemes is in
-# http://wiki.dovecot.org/Authentication/PasswordSchemes
-#
-#default_pass_scheme = MD5
-
-# passdb query to retrieve the password. It can return fields:
-#   password - The user's password. This field must be returned.
-#   user - user@domain from the database. Needed with case-insensitive lookups.
-#   username and domain - An alternative way to represent the "user" field.
-#
-# The "user" field is often necessary with case-insensitive lookups to avoid
-# e.g. "name" and "nAme" logins creating two different mail directories. If
-# your user and domain names are in separate fields, you can return "username"
-# and "domain" fields instead of "user".
-#
-# The query can also return other fields which have a special meaning, see
-# http://wiki.dovecot.org/PasswordDatabase/ExtraFields
-#
-# Commonly used available substitutions (see http://wiki.dovecot.org/Variables
-# for full list):
-#   %u = entire user@domain
-#   %n = user part of user@domain
-#   %d = domain part of user@domain
-# 
-# Note that these can be used only as input to SQL query. If the query outputs
-# any of these substitutions, they're not touched. Otherwise it would be
-# difficult to have eg. usernames containing '%' characters.
-#
-# Example:
-#   password_query = SELECT userid AS user, pw AS password \
-#     FROM users WHERE userid = '%u' AND active = 'Y'
-#
-#password_query = \
-#  SELECT username, domain, password \
-#  FROM users WHERE username = '%n' AND domain = '%d'
-
-# userdb query to retrieve the user information. It can return fields:
-#   uid - System UID (overrides mail_uid setting)
-#   gid - System GID (overrides mail_gid setting)
-#   home - Home directory
-#   mail - Mail location (overrides mail_location setting)
-#
-# None of these are strictly required. If you use a single UID and GID, and
-# home or mail directory fits to a template string, you could use userdb static
-# instead. For a list of all fields that can be returned, see
-# http://wiki.dovecot.org/UserDatabase/ExtraFields
-#
-# Examples:
-#   user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
-#   user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
-#   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
-#
-#user_query = \
-#  SELECT home, uid, gid \
-#  FROM users WHERE username = '%n' AND domain = '%d'
-
-# If you wish to avoid two SQL lookups (passdb + userdb), you can use
-# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
-# also have to return userdb fields in password_query prefixed with "userdb_"
-# string. For example:
-#password_query = \
-#  SELECT userid AS user, password, \
-#    home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
-#  FROM users WHERE userid = '%u'
 
 driver = mysql
 connect = host={mysql_server_host} dbname={mysql_server_database} user={mysql_server_ispconfig_user} password={mysql_server_ispconfig_password} port={mysql_server_port}
@@ -140,4 +11,4 @@ user_query = SELECT email as user, maildir as home, CONCAT( maildir_format, ':',
 
 # The iterate_query is required for the doveadm command only and works only on dovecot 2 servers.
 # Do not enable it on Dovecot 1.x servers
-# iterate_query = SELECT email as user FROM mail_user WHERE server_id = '{server_id}'
+# iterate_query = SELECT email as user FROM mail_user WHERE disabledoveadm='n' AND server_id = '{server_id}'

install/tpl/opensuse_dovecot-sql.conf.master

-# This file is opened as root, so it should be owned by root and mode 0600.
-#
 # http://wiki.dovecot.org/AuthDatabase/SQL
-#
-# For the sql passdb module, you'll need a database with a table that
-# contains fields for at least the username and password. If you want to
-# use the user@domain syntax, you might want to have a separate domain
-# field as well.
-#
-# If your users all have the same uig/gid, and have predictable home
-# directories, you can use the static userdb module to generate the home
-# dir based on the username and domain. In this case, you won't need fields
-# for home, uid, or gid in the database.
-#
-# If you prefer to use the sql userdb module, you'll want to add fields
-# for home, uid, and gid. Here is an example table:
-#
-# CREATE TABLE users (
-#     username VARCHAR(128) NOT NULL,
-#     domain VARCHAR(128) NOT NULL,
-#     password VARCHAR(64) NOT NULL,
-#     home VARCHAR(255) NOT NULL,
-#     uid INTEGER NOT NULL,
-#     gid INTEGER NOT NULL,
-#     active CHAR(1) DEFAULT 'Y' NOT NULL
-# );
-
-# Database driver: mysql, pgsql, sqlite
-#driver = 
-
-# Database connection string. This is driver-specific setting.
-#
-# pgsql:
-#   For available options, see the PostgreSQL documention for the
-#   PQconnectdb function of libpq.
-#
-# mysql:
-#   Basic options emulate PostgreSQL option names:
-#     host, port, user, password, dbname
-#
-#   But also adds some new settings:
-#     client_flags        - See MySQL manual
-#     ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-#     ssl_cert, ssl_key   - For sending client-side certificates to server
-#     ssl_cipher          - Set minimum allowed cipher security (default: HIGH)
-#     option_file         - Read options from the given file instead of
-#                           the default my.cnf location
-#     option_group        - Read options from the given group (default: client)
-# 
-#   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
-#   Note that currently you can't use spaces in parameters.
-#
-#   MySQL supports multiple host parameters for load balancing / HA.
-#
-# sqlite:
-#   The path to the database file.
-#
-# Examples:
-#   connect = host=192.168.1.1 dbname=users
-#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
-#   connect = /etc/dovecot/authdb.sqlite
-#
-#connect =
-
-# Default password scheme.
-#
-# List of supported schemes is in
-# http://wiki.dovecot.org/Authentication/PasswordSchemes
-#
-#default_pass_scheme = MD5
-
-# passdb query to retrieve the password. It can return fields:
-#   password - The user's password. This field must be returned.
-#   user - user@domain from the database. Needed with case-insensitive lookups.
-#   username and domain - An alternative way to represent the "user" field.
-#
-# The "user" field is often necessary with case-insensitive lookups to avoid
-# e.g. "name" and "nAme" logins creating two different mail directories. If
-# your user and domain names are in separate fields, you can return "username"
-# and "domain" fields instead of "user".
-#
-# The query can also return other fields which have a special meaning, see
-# http://wiki.dovecot.org/PasswordDatabase/ExtraFields
-#
-# Commonly used available substitutions (see http://wiki.dovecot.org/Variables
-# for full list):
-#   %u = entire user@domain
-#   %n = user part of user@domain
-#   %d = domain part of user@domain
-# 
-# Note that these can be used only as input to SQL query. If the query outputs
-# any of these substitutions, they're not touched. Otherwise it would be
-# difficult to have eg. usernames containing '%' characters.
-#
-# Example:
-#   password_query = SELECT userid AS user, pw AS password \
-#     FROM users WHERE userid = '%u' AND active = 'Y'
-#
-#password_query = \
-#  SELECT username, domain, password \
-#  FROM users WHERE username = '%n' AND domain = '%d'
-
-# userdb query to retrieve the user information. It can return fields:
-#   uid - System UID (overrides mail_uid setting)
-#   gid - System GID (overrides mail_gid setting)
-#   home - Home directory
-#   mail - Mail location (overrides mail_location setting)
-#
-# None of these are strictly required. If you use a single UID and GID, and
-# home or mail directory fits to a template string, you could use userdb static
-# instead. For a list of all fields that can be returned, see
-# http://wiki.dovecot.org/UserDatabase/ExtraFields
-#
-# Examples:
-#   user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
-#   user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
-#   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
-#
-#user_query = \
-#  SELECT home, uid, gid \
-#  FROM users WHERE username = '%n' AND domain = '%d'
-
-# If you wish to avoid two SQL lookups (passdb + userdb), you can use
-# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
-# also have to return userdb fields in password_query prefixed with "userdb_"
-# string. For example:
-#password_query = \
-#  SELECT userid AS user, password, \
-#    home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
-#  FROM users WHERE userid = '%u'
 
 driver = mysql
 connect = host={mysql_server_host} dbname={mysql_server_database} user={mysql_server_ispconfig_user} password={mysql_server_ispconfig_password} port={mysql_server_port}
@@ -140,4 +11,4 @@ user_query = SELECT email as user, maildir as home, CONCAT( maildir_format, ':',
 
 # The iterate_query is required for the doveadm command only and works only on dovecot 2 servers.
 # Do not enable it on Dovecot 1.x servers
-# iterate_query = SELECT email as user FROM mail_user WHERE server_id = '{server_id}'
+# iterate_query = SELECT email as user FROM mail_user WHERE disabledoveadm='n' AND server_id = '{server_id}'

install/tpl/server.ini.master

@@ -56,6 +56,7 @@ relayhost_user=
 relayhost_password=
 mailbox_size_limit=0
 message_size_limit=0
+mailbox_soft_delete=n
 mailbox_quota_stats=y
 realtime_blackhole_list=zen.spamhaus.org
 overquota_notify_threshold=90
@@ -139,6 +140,7 @@ php_fpm_default_chroot=n
 bind_user=root
 bind_group=bind
 bind_zonefiles_dir=/etc/bind
+bind_keyfiles_dir=/etc/bind
 named_conf_path=/etc/bind/named.conf
 named_conf_local_path=/etc/bind/named.conf.local
 disable_bind_log=n

install/tpl/system.ini.master

@@ -39,6 +39,7 @@ web_php_options=no,fast-cgi,mod,php-fpm
 show_aps_menu=n
 client_protection=y
 ssh_authentication=
+le_caa_autocreate_options=y
 
 
 [tools]

install/uninstall.php

@@ -98,6 +98,7 @@ if($do_uninstall == 'yes') {
 	@exec('chattr -i /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
 	@unlink("/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter");
 	@unlink("/var/www/php-fcgi-scripts/ispconfig");
+	@unlink("/etc/ssl/private/pure-ftpd.pem");
 
 	echo "Backups in /var/backup/ and log files in /var/log/ispconfig are not deleted.";
 	echo "Finished uninstalling.\n";

interface/lib/classes/functions.inc.php

@@ -334,6 +334,14 @@ class functions {
 			$domain = substr($domain, strrpos($domain, '@') + 1);
 		}
 
+		// idn_to_* chokes on leading dots, but we need them for amavis, so remove it for later
+		if(substr($domain, 0, 1) === '.') {
+			$leading_dot = true;
+			$domain = substr($domain, 1);
+		} else {
+			$leading_dot = false;
+		}
+
 		if($encode == true) {
 			if(function_exists('idn_to_ascii')) {
 				if(defined('IDNA_NONTRANSITIONAL_TO_ASCII') && defined('INTL_IDNA_VARIANT_UTS46') && constant('IDNA_NONTRANSITIONAL_TO_ASCII')) {
@@ -378,6 +386,10 @@ class functions {
 			}
 		}
 
+		if($leading_dot == true) {
+			$domain = '.' . $domain;
+		}
+
 		if($user_part !== false) return $user_part . '@' . $domain;
 		else return $domain;
 	}

interface/lib/classes/ids.inc.php

@@ -77,7 +77,7 @@ class ids {
 				$line = trim($line);
 				if(substr($line,0,1) != '#') {
 					list($user,$path,$varname) = explode(':',$line);
-					if($current_script_name == $path) {
+					if($current_script_name == $path || $path == '*') {
 						if($user = 'any' 
 							|| ($user == 'user' && ($_SESSION['s']['user']['typ'] == 'user' || $_SESSION['s']['user']['typ'] == 'admin')) 
 							|| ($user == 'admin' && $_SESSION['s']['user']['typ'] == 'admin')) {
@@ -100,7 +100,7 @@ class ids {
 				$line = trim($line);
 				if(substr($line,0,1) != '#') {
 					list($user,$path,$varname) = explode(':',$line);
-					if($current_script_name == $path) {
+					if($current_script_name == $path || $path == '*') {
 						if($user = 'any' 
 							|| ($user == 'user' && ($_SESSION['s']['user']['typ'] == 'user' || $_SESSION['s']['user']['typ'] == 'admin')) 
 							|| ($user == 'admin' && $_SESSION['s']['user']['typ'] == 'admin')) {

interface/lib/classes/remote.d/client.inc.php

@@ -397,6 +397,8 @@ class remoting_client extends remoting {
 			return false;
 		}
 
+		// DUPLICATE CODE IN interface/web/client/client_del.php
+
 		$client_id = $app->functions->intval($client_id);
 
 		if($client_id > 0) {
@@ -413,7 +415,7 @@ class remoting_client extends remoting {
 			$app->db->query("DELETE FROM sys_user WHERE client_id = ?", $client_id);
 
 			//* Delete all records (sub-clients, mail, web, etc....)  of this client.
-			$tables = 'cron,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_domain,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,support_message,web_database,web_database_user,web_domain,web_traffic,domain,mail_mailinglist,client,spamfilter_wblist';
+			$tables = 'cron,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,mail_domain,support_message,web_database,web_database_user,web_domain,web_traffic,domain,mail_mailinglist,client,spamfilter_wblist';
 			$tables_array = explode(',', $tables);
 			$client_group_id = $app->functions->intval($client_group['groupid']);
 			if($client_group_id > 1) {

interface/lib/classes/remote.d/mail.inc.php

@@ -196,6 +196,24 @@ class remoting_mail extends remoting {
 		return $app->remoting_lib->getDataRecord($primary_id);
 	}
 
+	//* Get mail user details for all account that belong to a client.
+	public function mail_user_get_all_by_client($session_id, $client_id)
+	{
+		global $app;
+
+		if(!$this->checkPerm($session_id, 'mail_user_get_all_by_client')) {
+			throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
+			return false;
+		}
+		$app->uses('remoting_lib');
+		$sql = "SELECT u.* FROM `mail_user` u
+			LEFT JOIN `sys_group` g ON (u.sys_groupid=g.groupid)
+			WHERE g.client_id=?";
+		$params[] = $client_id;
+
+		$result = $app->db->queryAllRecords($sql, true, $params);
+		return $result;
+	}
 
 	//* Add mail domain
 	public function mail_user_add($session_id, $client_id, $params){
@@ -1110,4 +1128,4 @@ class remoting_mail extends remoting {
 
 }
 
-?>
+?>
\ No newline at end of file

interface/lib/plugins/system_config_dns_ca_plugin.inc.php

@@ -65,9 +65,11 @@ class system_config_dns_ca_plugin {
 	} 
 
 	function web_vhost_domain_edit($event_name, $page_form) {
-		global $app;
+		global $app, $conf;
+		
+		$global_config = $app->getconf->get_global_config('sites');
 
-		if($page_form->dataRecord['ssl_letsencrypt'] == 'y') {
+		if(($page_form->dataRecord['ssl_letsencrypt'] == 'y') && ($global_config['le_caa_autocreate_options'] != 'n')) {
 			$domain = $page_form->dataRecord['domain'];
 			$subdomain = $page_form->dataRecord['subdomain'];
 			$temp=$app->db->queryAllRecords("SELECT * FROM dns_rr WHERE type = 'CAA' AND (name = ? OR name = ?) AND data like ?", $domain.'.', $subdomain.'.'.$domain.'.', '%letsencrypt%');

interface/web/admin/form/server_config.tform.php

@@ -734,6 +734,12 @@ $form["tabs"]['mail'] = array(
 			'default' => 'y',
 			'value' => array(0 => 'n', 1 => 'y')
 		),
+		'mailbox_soft_delete' => array (
+			'datatype' => 'VARCHAR',
+			'formtype' => 'CHECKBOX',
+			'default' => 'n',
+			'value' => array(0 => 'n', 1 => 'y')
+		),
 		'mailbox_quota_stats' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'CHECKBOX',
@@ -1646,6 +1652,20 @@ $form["tabs"]['dns'] = array(
 			'width' => '40',
 			'maxlength' => '255'
 		),
+		'bind_keyfiles_dir' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'TEXT',
+			'default' => '',
+			'validators' => array(	0 => array('type' => 'NOTEMPTY',
+										'errmsg' => 'bind_keyfiles_dir_error_empty'),
+									1 => array ( 	'type' => 'REGEX',
+										'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/',
+										'errmsg'=> 'bind_keyfiles_dir_error_regex'),
+			),
+			'value' => '',
+			'width' => '40',
+			'maxlength' => '255'
+		),
 		'named_conf_path' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',

interface/web/admin/form/system_config.tform.php

@@ -246,7 +246,13 @@ $form["tabs"]['sites'] = array (
 			'formtype' => 'SELECT',
 			'default' => '',
 			'value'  => array('' => 'ssh_authentication_password_key', 'password' => 'ssh_authentication_password', 'key' => 'ssh_authentication_key')
-		)
+		),
+		'le_caa_autocreate_options' => array (
+			'datatype' => 'VARCHAR',
+			'formtype' => 'CHECKBOX',
+			'default' => 'y',
+			'value'  => array(0 => 'n', 1 => 'y')
+		),	
 		//#################################
 		// END Datatable fields
 		//#################################