......@@ -4,7 +4,6 @@
######################################################
<tmpl_var name="vhost_port_listen"> Listen <tmpl_var name="vhost_port">
<tmpl_if name='apache_version' op='<' value='2.4' format='version'>NameVirtualHost *:<tmpl_var name="vhost_port"></tmpl_if>
<VirtualHost _default_:<tmpl_var name="vhost_port">>
ServerAdmin webmaster@localhost
......@@ -33,12 +32,7 @@
SetHandler fcgid-script
</FilesMatch>
FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all granted
<tmpl_else>
Order allow,deny
Allow from all
</tmpl_if>
</Directory>
IPCCommTimeout 7200
MaxRequestLen 15728640
......@@ -52,12 +46,7 @@
# php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
Options +FollowSymLinks
AllowOverride None
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all granted
<tmpl_else>
Order allow,deny
Allow from all
</tmpl_if>
php_value magic_quotes_gpc 0
</Directory>
</IfModule>
......@@ -81,7 +70,7 @@
<tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
<tmpl_var name="ssl_bundle_comment">SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
<tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
<tmpl_var name="ssl_comment">SSLCipherSuite TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
<tmpl_var name="ssl_comment">SSLHonorCipherOrder On
<tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
<tmpl_var name="ssl_comment">SSLCompression Off
......@@ -91,8 +80,19 @@
</tmpl_if>
<IfModule mod_headers.c>
Header always add Strict-Transport-Security "max-age=15768000"
RequestHeader unset Proxy early
# ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
Header set X-Content-Type-Options: nosniff
Header set X-Frame-Options: SAMEORIGIN
Header set X-XSS-Protection: "1; mode=block"
Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
<IfVersion >= 2.4.7>
Header setifempty Strict-Transport-Security "max-age=15768000"
</IfVersion>
<IfVersion < 2.4.7>
Header set Strict-Transport-Security "max-age=15768000"
</IfVersion>
RequestHeader unset Proxy early
</IfModule>
<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
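Review bot: `Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"` on L52 stamps `Secure` on every cookie unconditionally, yet this `<IfModule mod_headers.c>` block sits after the `</tmpl_if>` on L43 that closes the SSL-only section, so on an install where the interface vhost is served over plain HTTP the browser will refuse to return the session cookie and login breaks; prefix the line with `<tmpl_var name="ssl_comment">` like the SSL directives above so it is commented out together with them. The `Header set` lines for Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection on L48-L51 use the default `onsuccess` condition and therefore are only attached to 2xx responses; `Header always set …` would also cover error pages and redirects, which is where clickjacking and sniffing protections are most often missed. The comment on L47 reads `unsafe-line`; it should say `unsafe-inline`, matching the directive it explains.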
......@@ -110,20 +110,10 @@
<Directory /var/www/php-cgi-scripts>
AllowOverride None
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all denied
<tmpl_else>
Order Deny,Allow
Deny from all
</tmpl_if>
</Directory>
<Directory /var/www/php-fcgi-scripts>
AllowOverride None
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all denied
<tmpl_else>
Order Deny,Allow
Deny from all
</tmpl_if>
</Directory>
[{fpm_pool}-{fpm_domain}]
listen = {fpm_socket}
listen.owner = {fpm_user}
listen.group = {fpm_group}
listen.mode = 0660
user = {fpm_user}
group = {fpm_group}
pm = dynamic
pm.max_children = 500
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 5
chdir = /
; php_admin_value[open_basedir] = /var/www/apps:/srv/www/apps:/usr/share
php_admin_flag[magic_quotes_gpc] = off
\ No newline at end of file
../../server/conf/apps_php_fpm_pool.conf.master
\ No newline at end of file
#
# /etc/bastille-firewall.cfg
#
# Configuration file for both 2.2/ipchains and 2.4/netfilter scripts
#
# $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-firewall.cfg,v $
# Modified by: $Author: peterw $
# $Date: 2002/01/04 13:34:18 $
# $Revision: 1.7 $
#
# Copyright (C) 1999-2001 Peter Watkins
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Thanks to David Ranch, Brad A, Don G, and others for their suggestions
# the configuration values should be whitespace-delimited lists of
# appropriate values, e.g.
# TCP_PUBLIC_SERVICES="80 smtp ssh"
# lists Web (port 80), SMTP mail, and Secure Shell ports
#
# This script is suitable for workstations or simple NAT firewalls;
# you may want to add more "output" restrictions for serious servers
# 0) DNS servers (Linux 2.2/ipchains only)
# You must list your DNS servers here so that
# the firewall will allow them to service your lookup requests
#
# List of DNS servers/networks to allow "domain" responses from
# This _could_ be nameservers as a list of <ip-address>/32 entries
#DNS_SERVERS="a.b.c.d/32 e.f.g.h/32"
# If you are running a caching nameserver, you'll need to allow from
# "0.0.0.0/0" so named can query any arbitrary nameserver
# (To enable a caching nameserver, you will also probably need to
# add "domain" to the TCP and UDP public service lists.)
#DNS_SERVERS="0.0.0.0/0"
#
# To have the DNS servers parsed from /etc/resolv.conf at runtime,
# as normal workstations will want, make this variable empty
#DNS_SERVERS=""
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
DNS_SERVERS="{DNS_SERVERS}"
# 1) define your interfaces (all systems)
# Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP
# interface
#
# list internal/trusted interfaces
# traffic from these interfaces will be allowed
# through the firewall, no restrictions
#TRUSTED_IFACES="lo" # MINIMAL/SAFEST
#
# list external/untrusted interfaces
#PUBLIC_IFACES="eth+ ppp+ slip+" # SAFEST
#
# list internal/partially-trusted interfaces
# e.g. if this acts as a NAT/IP Masq server and you
# don't want clients on those interfaces having
# full network access to services running on this
# server (as the TRUSTED_IFACES allows)
#INTERNAL_IFACES="" # SAFEST
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TRUSTED_IFACES="lo" # MINIMAL/SAFEST
PUBLIC_IFACES="eth+ ppp+ slip+ venet+ bond+ en+" # SAFEST
INTERNAL_IFACES="" # SAFEST
# 2) services for which we want to log access attempts to syslog (all systems)
# Note this only audits connection attempts from public interfaces
#
# Also see item 12, LOG_FAILURES
#
#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# anyone probing for BackOrifice?
#UDP_AUDIT_SERVICES="31337"
# how about ICMP?
#ICMP_AUDIT_TYPES=""
#ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert
#
# To enable auditing, you must have syslog configured to log "kern"
# messages of "info" level; typically you'd do this with a line in
# syslog.conf like
# kern.info /var/log/messages
# though the Bastille port monitor will normally want these messages
# logged to a named pipe instead, and the Bastille script normally
# configures syslog for "kern.*" which catches these messages
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
#UDP_AUDIT_SERVICES="31337"
#ICMP_AUDIT_TYPES=""
# 3) services we allow connections to (all systems)
#
# FTP note:
# To allow your machine to service "passive" FTP clients,
# you will need to make allowances for the passive data
# ports; Bastille users should read README.FTP for more
# information
#
# "public" interfaces:
# TCP services that "public" hosts should be allowed to connect to
#TCP_PUBLIC_SERVICES="" # MINIMAL/SAFEST
#
# UDP services that "public" hosts should be allowed to connect to
#UDP_PUBLIC_SERVICES="" # MINIMAL/SAFEST
#
# "internal" interfaces:
# (NB: you will need to repeat the "public" services if you want
# to allow "internal" hosts to reach those services, too.)
# TCP services that internal clients can connect to
#TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST
#
# UDP services that internal clients can connect to
#UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TCP_PUBLIC_SERVICES="{TCP_PUBLIC_SERVICES}" # MINIMAL/SAFEST
UDP_PUBLIC_SERVICES="{UDP_PUBLIC_SERVICES}" # MINIMAL/SAFEST
TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST
UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST
# 4) passive/active FTP (Linux 2.2/ipchains only)
# FTP is a firewall nightmare; if you allow "normal" FTP connections,
# you must be careful to block any TCP services that are listening
# on high ports; it's safer to require your FTP clients to use
# "passive" mode.
#
# Note this will also force clients on machines
# that use this one for NAT/IP Masquerading to use passive mode
# for connections that go through this server (e.g. from the
# internal network to public Internet machines
#
# For more information about FTP, see the Bastille README.FTP doc
#
#FORCE_PASV_FTP="N"
#FORCE_PASV_FTP="Y" # SAFEST
#
FORCE_PASV_FTP="Y" # SAFEST
# 5) Services to explicitly block. (Linux 2.2/ipchains only)
# See FTP note above
# Note that ranges of ports are specified with colons, and you
# can specify an open range by using only one number, e.g.
# 1024: means ports >= 1024 and :6000 means ports <= 6000
#
# TCP services on high ports that should be blocked if not forcing passive FTP
# This should include X (6000:6010) and anything else revealed by 'netstat -an'
# (this does not matter unless you're not forcing "passive" FTP)
#TCP_BLOCKED_SERVICES="6000:6020"
#
# UDP services to block: this should be UDP services on high ports.
# Your only vulnerability from public interfaces are the DNS and
# NTP servers/networks (those with 0.0.0.0 for DNS servers should
# obviously be very careful here!)
#UDP_BLOCKED_SERVICES="2049"
#
# types of ICMP packets to allow
#ICMP_ALLOWED_TYPES="destination-unreachable" # MINIMAL/SAFEST
# the following allows you to ping/traceroute outbound
#ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TCP_BLOCKED_SERVICES="6000:6020"
UDP_BLOCKED_SERVICES="2049"
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded echo-request"
# 6) Source Address Verification (all Linux systems)
# This helps prevent "IP Spoofing" attacks
#
ENABLE_SRC_ADDR_VERIFY="Y" # SAFEST
# 7) IP Masquerading / NAT. (all systems)
# List your internal/masq'ed networks here
#
# Also see item 4, FORCE_PASV_FTP, as that setting affects
# clients using IP Masquerading through this machine
#
# Set this variable if you're using IP Masq / NAT for a local network
#IP_MASQ_NETWORK="" # DISABLE/SAFEST
#IP_MASQ_NETWORK="10.0.0.0/8" # example
#IP_MASQ_NETWORK="192.168.0.0/16" # example
#
# Have lots of masq hosts? uncomment the following six lines
# and list the hosts/networks in /etc/firewall-masqhosts
# the script assumes any address without a "/" netmask afterwards
# is an individual address (netmask /255.255.255.255):
#if [ -f /etc/firewall-masqhosts ]; then
# echo "Reading list of masq hosts from /etc/firewall-masqhosts"
# # Read the file, but use 'awk' to strip comments
# # Note the sed bracket phrase includes a space and tab char
# IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[ ]*::g'`
#fi
#
# Masq modules
# NB: The script will prepend "ip_masq_" to each module name
#IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive" # ALL (?)
#IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
IP_MASQ_NETWORK="" # DISABLE/SAFEST
IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED
# 8) How to react to disallowed packets (all systems)
# whether to "REJECT" or "DROP" disallowed packets; if you're running any
# public services, you probably ought to use "REJECT"; if in serious stealth
# mode, choose "DROP" so simple probes don't know if there's anything out there
# NOTE: disallowed ICMP packets are discarded with "DROP", as
# it would not make sense to "reject" the packet if you're
# trying to disallow ping/traceroute
# NOTE: the scripts that set up the filter rules will interpret these
# keywords as needed, e.g. "DROP" becomes "DENY" for Linux 2.2/ipchains
#
REJECT_METHOD="DROP"
# 9) DHCP (Linux 2.2/ipchains only)
# In case your server needs to get a DHCP address from some other
# machine (e.g. cable modem)
#DHCP_IFACES="eth0" # example, to allow you to query on eth0
#DHCP_IFACES="" # DISABLED
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
DHCP_IFACES="" # DISABLED
# 10) NTP servers (Linux 2.2/ipchains only)
# more UDP fun. List IP addresses or network space of NTP servers
#
#NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST
#NTP_SERVERS="a.b.c.d/32 e.f.g.h/32" # example, to allow querying 2 servers
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST
# 11) more ICMP. (Linux 2.2/ipchains only)
# Control the outbound ICMP to make yourself invisible to
# traceroute probes
#
#ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
# 12) Logging (all systems)
# With this enabled, ipchains will log all blocked packets.
# ** this could generate huge logs **
# This is primarily intended for the port mointoring system;
# also note that you probably do not want to "AUDIT" any services
# that you are not allowing, as doing so would mean duplicate
# logging
LOG_FAILURES="N" # do not log blocked packets
# 13) Block fragmented packets (all systems)
# There's no good reason to allow these
#ALLOW_FRAGMENTS="N" # safest
ALLOW_FRAGMENTS="Y" # old behavior
# 14) Prevent SMB broadcasts from leaking out NAT setup (all systems)
# Windows machines will poll teh net with SMB broadcasts,
# basically advertising their existence. Most folks agree
# that this traffic should be dropped
#DROP_SMB_NAT_BCAST="N" # allow them (are you sure?)
DROP_SMB_NAT_BCAST="Y" # drop those packets
# 15) Log level (iptables/netfilter/Linux 2.4 only)
# Control what level of logging is used when the firewall logs
# information. Default is warning (4). Lowest priority is
# debug (7); highest is emergency (0). To prevent syslog
# from copying iptables error messages to the console, set
# this to 6 (7 would also work, but 6 is recommended)
# You can also stop syslogd/klogd from printing kernel
# messages to the console by issuing the command
# setterm -msg off
#IP_LOG_LEVEL=6 # level used in 2.2/ipchains
IP_LOG_LEVEL=4 # iptables/netfilter default
# 16) Always attempt to use stateful features for inbound connections
# Always using state will allow the firewall to reject invalid
# packets sent to otherwise open TCP services, e.g. XMAS, NULL
# and SIN/FYN scans. The downside to choosing this behavior is that
# services may become unreachable if the packet filter's state
# table becomes full.
IP_ALWAYS_USE_STATE="N" # default, ensures services remain available
#IP_ALWAYS_USE_STATE="Y" # disallow invalid packets
\ No newline at end of file
../../server/conf/bastille-firewall.cfg.master
\ No newline at end of file
......@@ -56,7 +56,7 @@ $revision = str_replace(array('Revision:','$',' '), '', $svn_revision);
//** Application
define('ISPC_APP_TITLE', 'ISPConfig');
define('ISPC_APP_VERSION', '3.1dev');
define('ISPC_APP_VERSION', '3.2.0dev');
define('DEVSYSTEM', 0);
......
......@@ -8,6 +8,7 @@ ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3
mail_max_userip_connections = 100
mail_plugins = quota
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
......@@ -66,7 +67,6 @@ protocol lmtp {
postmaster_address = webmaster@localhost
mail_plugins = quota sieve
}
mail_plugins = $mail_plugins quota
imap_capability=+SEPCIAL-USE XLIST
namespace inbox {
inbox = yes
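Review bot: The context line `imap_capability=+SEPCIAL-USE XLIST` on L413 advertises a misspelled capability token; it should read `imap_capability=+SPECIAL-USE XLIST`, otherwise clients never see the SPECIAL-USE extension the line is meant to announce. The same typo is present in the two sibling dovecot templates on L430 and L472. Separately, while `mail_plugins = quota` now lives at global scope (L404), the unchanged `ssl_protocols = !SSLv2 !SSLv3` still permits TLS 1.0/1.1 and, on Dovecot 2.3 and later, `ssl_protocols` has been replaced by `ssl_min_protocol`; worth confirming against the Dovecot versions these dist templates are meant to target.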
......
......@@ -9,6 +9,7 @@ ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3
mail_max_userip_connections = 100
mail_plugins = quota
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
......@@ -64,7 +65,6 @@ protocol lmtp {
postmaster_address = webmaster@localhost
mail_plugins = quota sieve
}
mail_plugins = $mail_plugins quota
imap_capability=+SEPCIAL-USE XLIST
namespace inbox {
inbox = yes
......
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf
virtual_alias_maps = proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf
virtual_mailbox_base = {vmail_mailbox_base}
......@@ -14,13 +12,13 @@ smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination{rbl_list}, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = {config_dir}/smtpd.cert
smtpd_tls_key_file = {config_dir}/smtpd.key
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/mysql-virtual_transports.cf
transport_maps = proxy:mysql:{config_dir}/mysql-virtual_transports.cf
relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
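Review bot: `transport_maps` on L454 and `virtual_alias_maps` on L438 drop the mailman hash tables, but `alias_maps` and `alias_database` on L434-L435 still reference `hash:/var/lib/mailman/data/aliases`; if that file is no longer generated on the target system, Postfix will fail to open the missing `.db` at lookup time and defer local delivery rather than just warn, so the two alias lines should either be trimmed the same way or driven by a template placeholder in the style of `{rbl_list}` and `{greylisting}` on L448. The sibling templates on L482-L490 and L492-L500 carry the same transport_maps change and should be checked for the same leftover alias references (their alias lines are not within this view). The `greylisting =` pair on L446/L447 appears to differ only in whitespace.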
......
......@@ -7,6 +7,7 @@ mail_privileged_group = vmail
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3
mail_plugins = quota
passdb {
args = /etc/dovecot-sql.conf
driver = sql
......@@ -61,7 +62,6 @@ protocol lmtp {
postmaster_address = webmaster@localhost
mail_plugins = quota sieve
}
mail_plugins = $mail_plugins quota
imap_capability=+SEPCIAL-USE XLIST
namespace inbox {
inbox = yes
......
virtual_alias_domains =
virtual_alias_maps = hash:/etc/mailman/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf
virtual_alias_maps = proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf
virtual_mailbox_base = {vmail_mailbox_base}
......@@ -16,7 +16,7 @@ smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = {config_dir}/smtpd.cert
smtpd_tls_key_file = {config_dir}/smtpd.key
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/mysql-virtual_transports.cf
transport_maps = proxy:mysql:{config_dir}/mysql-virtual_transports.cf
relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
......
......@@ -15,7 +15,7 @@ smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = {config_dir}/smtpd.cert
smtpd_tls_key_file = {config_dir}/smtpd.key
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/mysql-virtual_transports.cf
transport_maps = proxy:mysql:{config_dir}/mysql-virtual_transports.cf
relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
......
#
# Import variables
#
LOGNAME=tolower("$LOGNAME")
EXTENSION="$1"
RECIPIENT=tolower("$2")
USER=tolower("$3")
HOST=tolower("$4")
SENDER="$5"
DEFAULT="{dist_postfix_vmail_mailbox_base}/$HOST/$USER/."
# Workaround for broken tolower function in some current fedora releases
if(!$USER)
{
USER=$3
}
if(!$HOST)
{
HOST=$4
}
if ( "$EXTENSION" ne "" )
{
DELIMITER="+"
}
if (!$SENDER)
{
SENDER = "<>"
}
#
# Autocreate maildir, if not existant
#
#`test -e {dist_postfix_vmail_mailbox_base}/$HOST`
#if ( $RETURNCODE != 0 )
#{
# `mkdir {dist_postfix_vmail_mailbox_base}/$HOST`
#}
#`test -e {dist_postfix_vmail_mailbox_base}/$HOST/$USER`
#if ( $RETURNCODE != 0 )
#{
# `maildirmake {dist_postfix_vmail_mailbox_base}/$HOST/$USER`
# `chmod -R 0700 {dist_postfix_vmail_mailbox_base}/$HOST`
#}
# Check if the user has a autoresponder enabled
`test -f {dist_postfix_vmail_mailbox_base}/mailfilters/$HOST/$USER/.autoresponder`
if ( $RETURNCODE == 0 )
{
include "{dist_postfix_vmail_mailbox_base}/mailfilters/$HOST/$USER/.autoresponder"
}
# Create a mailsize file
`test -e {dist_postfix_vmail_mailbox_base}/$HOST/$USER`
if ( $RETURNCODE == 0 )
{
`echo $SIZE >> {dist_postfix_vmail_mailbox_base}/$HOST/$USER/ispconfig_mailsize`
}
#
# Test if the user has his own maildrop include,
# if not available, check if $DEFAULT is set
# (newer maildrop get's that from the DB and updates
# it) and deliver or fail temporarily if not available
#
`test -f {dist_postfix_vmail_mailbox_base}/mailfilters/$HOST/$USER/.mailfilter`
if ( $RETURNCODE == 0 )
{
include "{dist_postfix_vmail_mailbox_base}/mailfilters/$HOST/$USER/.mailfilter"
}
else
{
if ( "$DEFAULT" ne "" )
{
to "$DEFAULT"
}
else
{
EXITCODE=75
exit
}
}
\ No newline at end of file
#!/bin/sh
sed -r -e 's/(^[^#]\S+\s+).+$/\1local/' $1 > /var/lib/mailman/data/transport-mailman
/usr/sbin/postmap /var/lib/mailman/data/transport-mailman
\ No newline at end of file
# Path of the skeleton for mailing lists
skel_dir = /usr/share/mlmmj/text.skel
# Where to store ML data and archive
spool_dir = /var/spool/mlmmj
\ No newline at end of file
# -*- python -*-
# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 USA
"""This is the module which takes your site-specific settings.
From a raw distribution it should be copied to mm_cfg.py. If you
already have an mm_cfg.py, be careful to add in only the new settings
you want. The complete set of distributed defaults, with annotation,
are in ./Defaults. In mm_cfg, override only those you want to
change, after the
from Defaults import *
line (see below).
Note that these are just default settings - many can be overridden via the
admin and user interfaces on a per-list or per-user basis.
Note also that some of the settings are resolved against the active list
setting by using the value as a format string against the
list-instance-object's dictionary - see the distributed value of
DEFAULT_MSG_FOOTER for an example."""
#######################################################
# Here's where we get the distributed defaults. #
from Defaults import *
##############################################################
# Put YOUR site-specific configuration below, in mm_cfg.py . #
# See Defaults.py for explanations of the values. #
#-------------------------------------------------------------
# The name of the list Mailman uses to send password reminders
# and similar. Don't change if you want mailman-owner to be
# a valid local part.
MAILMAN_SITE_LIST = 'mailman'
#-------------------------------------------------------------
# If you change these, you have to configure your http server
# accordingly (Alias and ScriptAlias directives in most httpds)
DEFAULT_URL_PATTERN = 'https://%s/cgi-bin/mailman/'
PRIVATE_ARCHIVE_URL = '/cgi-bin/mailman/private'
IMAGE_LOGOS = '/images/mailman/'
#-------------------------------------------------------------
# Default domain for email addresses of newly created MLs
DEFAULT_EMAIL_HOST = '{hostname}'
#-------------------------------------------------------------
# Default host for web interface of newly created MLs
DEFAULT_URL_HOST = '{hostname}'
#-------------------------------------------------------------
# Required when setting any of its arguments.
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
#-------------------------------------------------------------
# The default language for this server.
DEFAULT_SERVER_LANGUAGE = {default_language}
#-------------------------------------------------------------
# Iirc this was used in pre 2.1, leave it for now
USE_ENVELOPE_SENDER = 0 # Still used?
#-------------------------------------------------------------
# Unset send_reminders on newly created lists
DEFAULT_SEND_REMINDERS = 0
#-------------------------------------------------------------
# Uncomment this if you configured your MTA such that it
# automatically recognizes newly created lists.
# (see /usr/share/doc/mailman/README.Exim4.Debian or
# /usr/share/mailman/postfix-to-mailman.py)
# MTA=None # Misnomer, suppresses alias output on newlist
#-------------------------------------------------------------
# Uncomment if you use Postfix virtual domains (but not
# postfix-to-mailman.py), but be sure to see
# /usr/share/doc/mailman/README.Debian first.
MTA='Postfix'
POSTFIX_STYLE_VIRTUAL_DOMAINS = [{virtual_domains}]
#-------------------------------------------------------------
# Uncomment if you want to filter mail with SpamAssassin. For
# more information please visit this website:
# http://www.jamesh.id.au/articles/mailman-spamassassin/
# GLOBAL_PIPELINE.insert(1, 'SpamAssassin')
POSTFIX_MAP_CMD = '/etc/mailman/virtual_to_transport.sh'
# Note - if you're looking for something that is imported from mm_cfg, but you
# didn't find it above, it's probably in /usr/lib/mailman/Mailman/Defaults.py.
\ No newline at end of file
......@@ -3,5 +3,6 @@
$clientdb_host = '{hostname}';
$clientdb_user = '{username}';
$clientdb_password = '{password}';
$clientdb_port = '{port}';
?>
\ No newline at end of file
server {
listen {apps_vhost_port};
listen [::]:{apps_vhost_port} ipv6only=on;
ssl {ssl_on};
{ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
{ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
{ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
# redirect to https if accessed with http
{ssl_comment}error_page 497 https://$host:{vhost_port}$request_uri;
server_name {apps_vhost_servername};
root {apps_vhost_dir};
client_max_body_size 100M;
location / {
index index.php index.html;
}
# serve static files directly
location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {
access_log off;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param HTTP_PROXY "";
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:{fpm_socket};
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
location ~ /\. {
deny all;
}
location /phpmyadmin {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/phpmyadmin/(.+\.php)$ {
try_files $uri =404;
root /usr/share/;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# To access phpMyAdmin, the default user (like www-data on Debian/Devuan/Ubuntu) must be used
{use_tcp}fastcgi_pass 127.0.0.1:9000;
{use_socket}fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_read_timeout 1200;
}
location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
root /usr/share/;
}
}
location /phpMyAdmin {
rewrite ^/* /phpmyadmin last;
}
location /squirrelmail {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/squirrelmail/(.+\.php)$ {
try_files $uri =404;
root /usr/share/;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# To access SquirrelMail, the default user (like www-data on Debian/Devuan/Ubuntu) must be used
{use_tcp}fastcgi_pass 127.0.0.1:9000;
{use_socket}fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
root /usr/share/;
}
}
location /webmail {
rewrite ^/* /squirrelmail last;
}
location /cgi-bin/mailman {
root /usr/lib/;
fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_intercept_errors on;
fastcgi_pass unix:{cgi_socket};
}
location /images/mailman {
alias /usr/share/images/mailman;
}
location /pipermail {
alias /var/lib/mailman/archives/public;
autoindex on;
}
}
../../server/conf/nginx_apps.vhost.master
\ No newline at end of file
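Review bot: The new side of this section is only the path `../../server/conf/nginx_apps.vhost.master`, so the template file appears to have been replaced by a relative symlink, and nothing on this page shows that the installer verifies the link resolves to a regular, readable file before using it as the apps vhost template. If a release is ever exported through a mechanism that flattens symlinks (the rendered content here is exactly what such an export would produce), the installer would read that one-line path string as the nginx configuration and write an empty or invalid vhost without an obvious error. Consider having the installer resolve the template path and fail loudly when it is not a readable regular file, and confirm that the target still carries every placeholder the removed content relied on (`{apps_vhost_port}`, `{apps_vhost_servername}`, `{apps_vhost_dir}`, `{fpm_socket}`, `{cgi_socket}`, `{use_tcp}`/`{use_socket}`, `{ssl_on}`/`{ssl_comment}`). This inference about the symlink is drawn from the section's layout alone; the file header is not visible on this page.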
server {
listen {vhost_port};
listen [::]:{vhost_port} ipv6only=on;
ssl {ssl_on};
listen {vhost_port}{ssl_on};
listen [::]:{vhost_port} ipv6only=on{ssl_on};
{ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
{ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
{ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
{ssl_comment}ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
{ssl_comment}ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
{ssl_comment}ssl_prefer_server_ciphers on;
# redirect to https if accessed with http
......