...@@ -4,7 +4,6 @@ ...@@ -4,7 +4,6 @@
###################################################### ######################################################
<tmpl_var name="vhost_port_listen"> Listen <tmpl_var name="vhost_port"> <tmpl_var name="vhost_port_listen"> Listen <tmpl_var name="vhost_port">
<tmpl_if name='apache_version' op='<' value='2.4' format='version'>NameVirtualHost *:<tmpl_var name="vhost_port"></tmpl_if>
<VirtualHost _default_:<tmpl_var name="vhost_port">> <VirtualHost _default_:<tmpl_var name="vhost_port">>
ServerAdmin webmaster@localhost ServerAdmin webmaster@localhost
...@@ -33,12 +32,7 @@ ...@@ -33,12 +32,7 @@
SetHandler fcgid-script SetHandler fcgid-script
</FilesMatch> </FilesMatch>
FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all granted Require all granted
Order allow,deny
Allow from all
</Directory> </Directory>
IPCCommTimeout 7200 IPCCommTimeout 7200
MaxRequestLen 15728640 MaxRequestLen 15728640
...@@ -52,12 +46,7 @@ ...@@ -52,12 +46,7 @@
# php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp" # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
Options +FollowSymLinks Options +FollowSymLinks
AllowOverride None AllowOverride None
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all granted Require all granted
Order allow,deny
Allow from all
php_value magic_quotes_gpc 0 php_value magic_quotes_gpc 0
</Directory> </Directory>
</IfModule> </IfModule>
...@@ -81,7 +70,7 @@ ...@@ -81,7 +70,7 @@
<tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
<tmpl_var name="ssl_bundle_comment">SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/ispserver.bundle <tmpl_var name="ssl_bundle_comment">SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
<tmpl_var name="ssl_comment">SSLHonorCipherOrder On <tmpl_var name="ssl_comment">SSLHonorCipherOrder On
<tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'> <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
<tmpl_var name="ssl_comment">SSLCompression Off <tmpl_var name="ssl_comment">SSLCompression Off
...@@ -91,8 +80,19 @@ ...@@ -91,8 +80,19 @@
</tmpl_if> </tmpl_if>
<IfModule mod_headers.c> <IfModule mod_headers.c>
Header always add Strict-Transport-Security "max-age=15768000" # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
RequestHeader unset Proxy early Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
Header set X-Content-Type-Options: nosniff
Header set X-Frame-Options: SAMEORIGIN
Header set X-XSS-Protection: "1; mode=block"
Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
<IfVersion >= 2.4.7>
Header setifempty Strict-Transport-Security "max-age=15768000"
<IfVersion < 2.4.7>
Header set Strict-Transport-Security "max-age=15768000"
RequestHeader unset Proxy early
</IfModule> </IfModule>
<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'> <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
...@@ -110,20 +110,10 @@ ...@@ -110,20 +110,10 @@
<Directory /var/www/php-cgi-scripts> <Directory /var/www/php-cgi-scripts>
AllowOverride None AllowOverride None
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all denied Require all denied
Order Deny,Allow
Deny from all
</Directory> </Directory>
<Directory /var/www/php-fcgi-scripts> <Directory /var/www/php-fcgi-scripts>
AllowOverride None AllowOverride None
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all denied Require all denied
Order Deny,Allow
Deny from all
</Directory> </Directory>
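Review bot: In the `mod_headers` block, `Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"` is emitted unconditionally, while every TLS directive in this template carries the `<tmpl_var name="ssl_comment">` prefix; if that prefix comments TLS out (it looks that way from the SSL lines above), the interface is served over plain HTTP, the browser never sends a `Secure` session cookie back, and login stops working. Prefix the line the same way, `<tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"`, and consider matching only cookies that lack the attributes so they are not appended twice. The HSTS lines also lost `always`: `Header set` and `Header setifempty` without it are not applied to error responses, which the removed `Header always add` covered, so `Header always set Strict-Transport-Security "max-age=15768000"` keeps the old coverage. The new comment says `unsafe-line` where the policy uses `'unsafe-inline'`.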
listen = {fpm_socket}
listen.owner = {fpm_user} = {fpm_group}
listen.mode = 0660
user = {fpm_user}
group = {fpm_group}
pm = dynamic
pm.max_children = 500
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 5
chdir = /
; php_admin_value[open_basedir] = /var/www/apps:/srv/www/apps:/usr/share
php_admin_flag[magic_quotes_gpc] = off
\ No newline at end of file
\ No newline at end of file
# /etc/bastille-firewall.cfg
# Configuration file for both 2.2/ipchains and 2.4/netfilter scripts
# $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-firewall.cfg,v $
# Modified by: $Author: peterw $
# $Date: 2002/01/04 13:34:18 $
# $Revision: 1.7 $
# Copyright (C) 1999-2001 Peter Watkins
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# Thanks to David Ranch, Brad A, Don G, and others for their suggestions
# the configuration values should be whitespace-delimited lists of
# appropriate values, e.g.
# TCP_PUBLIC_SERVICES="80 smtp ssh"
# lists Web (port 80), SMTP mail, and Secure Shell ports
# This script is suitable for workstations or simple NAT firewalls;
# you may want to add more "output" restrictions for serious servers
# 0) DNS servers (Linux 2.2/ipchains only)
# You must list your DNS servers here so that
# the firewall will allow them to service your lookup requests
# List of DNS servers/networks to allow "domain" responses from
# This _could_ be nameservers as a list of <ip-address>/32 entries
#DNS_SERVERS="a.b.c.d/32 e.f.g.h/32"
# If you are running a caching nameserver, you'll need to allow from
# "" so named can query any arbitrary nameserver
# (To enable a caching nameserver, you will also probably need to
# add "domain" to the TCP and UDP public service lists.)
# To have the DNS servers parsed from /etc/resolv.conf at runtime,
# as normal workstations will want, make this variable empty
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
# 1) define your interfaces (all systems)
# Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP
# interface
# list internal/trusted interfaces
# traffic from these interfaces will be allowed
# through the firewall, no restrictions
# list external/untrusted interfaces
#PUBLIC_IFACES="eth+ ppp+ slip+" # SAFEST
# list internal/partially-trusted interfaces
# e.g. if this acts as a NAT/IP Masq server and you
# don't want clients on those interfaces having
# full network access to services running on this
# server (as the TRUSTED_IFACES allows)
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
PUBLIC_IFACES="eth+ ppp+ slip+ venet+ bond+ en+" # SAFEST
# 2) services for which we want to log access attempts to syslog (all systems)
# Note this only audits connection attempts from public interfaces
# Also see item 12, LOG_FAILURES
#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# anyone probing for BackOrifice?
# how about ICMP?
#ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert
# To enable auditing, you must have syslog configured to log "kern"
# messages of "info" level; typically you'd do this with a line in
# syslog.conf like
# /var/log/messages
# though the Bastille port monitor will normally want these messages
# logged to a named pipe instead, and the Bastille script normally
# configures syslog for "kern.*" which catches these messages
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# 3) services we allow connections to (all systems)
# FTP note:
# To allow your machine to service "passive" FTP clients,
# you will need to make allowances for the passive data
# ports; Bastille users should read README.FTP for more
# information
# "public" interfaces:
# TCP services that "public" hosts should be allowed to connect to
# UDP services that "public" hosts should be allowed to connect to
# "internal" interfaces:
# (NB: you will need to repeat the "public" services if you want
# to allow "internal" hosts to reach those services, too.)
# TCP services that internal clients can connect to
# UDP services that internal clients can connect to
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
# 4) passive/active FTP (Linux 2.2/ipchains only)
# FTP is a firewall nightmare; if you allow "normal" FTP connections,
# you must be careful to block any TCP services that are listening
# on high ports; it's safer to require your FTP clients to use
# "passive" mode.
# Note this will also force clients on machines
# that use this one for NAT/IP Masquerading to use passive mode
# for connections that go through this server (e.g. from the
# internal network to public Internet machines
# For more information about FTP, see the Bastille README.FTP doc
# 5) Services to explicitly block. (Linux 2.2/ipchains only)
# See FTP note above
# Note that ranges of ports are specified with colons, and you
# can specify an open range by using only one number, e.g.
# 1024: means ports >= 1024 and :6000 means ports <= 6000
# TCP services on high ports that should be blocked if not forcing passive FTP
# This should include X (6000:6010) and anything else revealed by 'netstat -an'
# (this does not matter unless you're not forcing "passive" FTP)
# UDP services to block: this should be UDP services on high ports.
# Your only vulnerability from public interfaces are the DNS and
# NTP servers/networks (those with for DNS servers should
# obviously be very careful here!)
# types of ICMP packets to allow
#ICMP_ALLOWED_TYPES="destination-unreachable" # MINIMAL/SAFEST
# the following allows you to ping/traceroute outbound
#ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded echo-request"
# 6) Source Address Verification (all Linux systems)
# This helps prevent "IP Spoofing" attacks
# 7) IP Masquerading / NAT. (all systems)
# List your internal/masq'ed networks here
# Also see item 4, FORCE_PASV_FTP, as that setting affects
# clients using IP Masquerading through this machine
# Set this variable if you're using IP Masq / NAT for a local network
#IP_MASQ_NETWORK="" # example
#IP_MASQ_NETWORK="" # example
# Have lots of masq hosts? uncomment the following six lines
# and list the hosts/networks in /etc/firewall-masqhosts
# the script assumes any address without a "/" netmask afterwards
# is an individual address (netmask /
#if [ -f /etc/firewall-masqhosts ]; then
# echo "Reading list of masq hosts from /etc/firewall-masqhosts"
# # Read the file, but use 'awk' to strip comments
# # Note the sed bracket phrase includes a space and tab char
# IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[ ]*::g'`
# Masq modules
# NB: The script will prepend "ip_masq_" to each module name
#IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive" # ALL (?)
#IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED
# 8) How to react to disallowed packets (all systems)
# whether to "REJECT" or "DROP" disallowed packets; if you're running any
# public services, you probably ought to use "REJECT"; if in serious stealth
# mode, choose "DROP" so simple probes don't know if there's anything out there
# NOTE: disallowed ICMP packets are discarded with "DROP", as
# it would not make sense to "reject" the packet if you're
# trying to disallow ping/traceroute
# NOTE: the scripts that set up the filter rules will interpret these
# keywords as needed, e.g. "DROP" becomes "DENY" for Linux 2.2/ipchains
# 9) DHCP (Linux 2.2/ipchains only)
# In case your server needs to get a DHCP address from some other
# machine (e.g. cable modem)
#DHCP_IFACES="eth0" # example, to allow you to query on eth0
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
# 10) NTP servers (Linux 2.2/ipchains only)
# more UDP fun. List IP addresses or network space of NTP servers
#NTP_SERVERS="a.b.c.d/32 e.f.g.h/32" # example, to allow querying 2 servers
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
# 11) more ICMP. (Linux 2.2/ipchains only)
# Control the outbound ICMP to make yourself invisible to
# traceroute probes
#ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
# 12) Logging (all systems)
# With this enabled, ipchains will log all blocked packets.
# ** this could generate huge logs **
# This is primarily intended for the port mointoring system;
# also note that you probably do not want to "AUDIT" any services
# that you are not allowing, as doing so would mean duplicate
# logging
LOG_FAILURES="N" # do not log blocked packets
# 13) Block fragmented packets (all systems)
# There's no good reason to allow these
ALLOW_FRAGMENTS="Y" # old behavior
# 14) Prevent SMB broadcasts from leaking out NAT setup (all systems)
# Windows machines will poll teh net with SMB broadcasts,
# basically advertising their existence. Most folks agree
# that this traffic should be dropped
#DROP_SMB_NAT_BCAST="N" # allow them (are you sure?)
DROP_SMB_NAT_BCAST="Y" # drop those packets
# 15) Log level (iptables/netfilter/Linux 2.4 only)
# Control what level of logging is used when the firewall logs
# information. Default is warning (4). Lowest priority is
# debug (7); highest is emergency (0). To prevent syslog
# from copying iptables error messages to the console, set
# this to 6 (7 would also work, but 6 is recommended)
# You can also stop syslogd/klogd from printing kernel
# messages to the console by issuing the command
# setterm -msg off
#IP_LOG_LEVEL=6 # level used in 2.2/ipchains
IP_LOG_LEVEL=4 # iptables/netfilter default
# 16) Always attempt to use stateful features for inbound connections
# Always using state will allow the firewall to reject invalid
# packets sent to otherwise open TCP services, e.g. XMAS, NULL
# and SIN/FYN scans. The downside to choosing this behavior is that
# services may become unreachable if the packet filter's state
# table becomes full.
IP_ALWAYS_USE_STATE="N" # default, ensures services remain available
#IP_ALWAYS_USE_STATE="Y" # disallow invalid packets
\ No newline at end of file
\ No newline at end of file
...@@ -56,7 +56,7 @@ $revision = str_replace(array('Revision:','$',' '), '', $svn_revision); ...@@ -56,7 +56,7 @@ $revision = str_replace(array('Revision:','$',' '), '', $svn_revision);
//** Application //** Application
define('ISPC_APP_TITLE', 'ISPConfig'); define('ISPC_APP_TITLE', 'ISPConfig');
define('ISPC_APP_VERSION', '3.1dev'); define('ISPC_APP_VERSION', '3.2.0dev');
define('DEVSYSTEM', 0); define('DEVSYSTEM', 0);
...@@ -8,6 +8,7 @@ ssl_cert = </etc/postfix/smtpd.cert ...@@ -8,6 +8,7 @@ ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3 ssl_protocols = !SSLv2 !SSLv3
mail_max_userip_connections = 100 mail_max_userip_connections = 100
mail_plugins = quota
passdb { passdb {
args = /etc/dovecot/dovecot-sql.conf args = /etc/dovecot/dovecot-sql.conf
driver = sql driver = sql
...@@ -66,7 +67,6 @@ protocol lmtp { ...@@ -66,7 +67,6 @@ protocol lmtp {
postmaster_address = webmaster@localhost postmaster_address = webmaster@localhost
mail_plugins = quota sieve mail_plugins = quota sieve
} }
mail_plugins = $mail_plugins quota
imap_capability=+SEPCIAL-USE XLIST imap_capability=+SEPCIAL-USE XLIST
namespace inbox { namespace inbox {
inbox = yes inbox = yes
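Review bot: With `mail_plugins = quota` now set globally, the `protocol lmtp` block in the context still assigns `mail_plugins = quota sieve` outright instead of extending the global value; writing it as `mail_plugins = $mail_plugins sieve` would keep the protocol block in step with any later change to the global list. The context line `imap_capability=+SEPCIAL-USE XLIST` misspells the capability and should read `imap_capability=+SPECIAL-USE XLIST`, otherwise the string advertised to clients is not the one they look for. Both lines appear unchanged in the two other Dovecot templates touched by this commit. The `protocol lmtp` block starts outside the hunk.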
...@@ -9,6 +9,7 @@ ssl_cert = </etc/postfix/smtpd.cert ...@@ -9,6 +9,7 @@ ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3 ssl_protocols = !SSLv2 !SSLv3
mail_max_userip_connections = 100 mail_max_userip_connections = 100
mail_plugins = quota
passdb { passdb {
args = /etc/dovecot/dovecot-sql.conf args = /etc/dovecot/dovecot-sql.conf
driver = sql driver = sql
...@@ -64,7 +65,6 @@ protocol lmtp { ...@@ -64,7 +65,6 @@ protocol lmtp {
postmaster_address = webmaster@localhost postmaster_address = webmaster@localhost
mail_plugins = quota sieve mail_plugins = quota sieve
} }
mail_plugins = $mail_plugins quota
imap_capability=+SEPCIAL-USE XLIST imap_capability=+SEPCIAL-USE XLIST
namespace inbox { namespace inbox {
inbox = yes inbox = yes
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
virtual_alias_domains = virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/, proxy:mysql:{config_dir}/ virtual_alias_maps = proxy:mysql:{config_dir}/, proxy:mysql:{config_dir}/
virtual_mailbox_domains = proxy:mysql:{config_dir}/ virtual_mailbox_domains = proxy:mysql:{config_dir}/
virtual_mailbox_maps = proxy:mysql:{config_dir}/ virtual_mailbox_maps = proxy:mysql:{config_dir}/
virtual_mailbox_base = {vmail_mailbox_base} virtual_mailbox_base = {vmail_mailbox_base}
...@@ -14,13 +12,13 @@ smtpd_sasl_auth_enable = yes ...@@ -14,13 +12,13 @@ smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet: greylisting = check_policy_service inet:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination{rbl_list}, check_recipient_access mysql:{config_dir}/{greylisting} smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination{rbl_list}, check_recipient_access mysql:{config_dir}/{greylisting}
smtpd_use_tls = yes smtpd_use_tls = yes
smtpd_tls_security_level = may smtpd_tls_security_level = may
smtpd_tls_cert_file = {config_dir}/smtpd.cert smtpd_tls_cert_file = {config_dir}/smtpd.cert
smtpd_tls_key_file = {config_dir}/smtpd.key smtpd_tls_key_file = {config_dir}/smtpd.key
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/ transport_maps = proxy:mysql:{config_dir}/
relay_domains = mysql:{config_dir}/ relay_domains = mysql:{config_dir}/
relay_recipient_maps = mysql:{config_dir}/ relay_recipient_maps = mysql:{config_dir}/
smtpd_sender_login_maps = proxy:mysql:{config_dir}/ smtpd_sender_login_maps = proxy:mysql:{config_dir}/
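Review bot: The `alias_maps` and `alias_database` lines at the top of this section appear only on the old side, so the whole setting is dropped, not just the Mailman alias file. Postfix then falls back to its compiled-in defaults, which on many builds include `nis:mail.aliases` and cause lookup warnings on hosts without NIS. If only the Mailman entries were meant to go, keep `alias_maps = hash:/etc/aliases` and `alias_database = hash:/etc/aliases`. The same applies to `virtual_alias_maps` and `transport_maps`, here and in the other Postfix templates in this commit: if Mailman can still be installed on this distribution, list addresses lose their lookup tables, so this removal should go together with the installer no longer offering Mailman there.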
...@@ -7,6 +7,7 @@ mail_privileged_group = vmail ...@@ -7,6 +7,7 @@ mail_privileged_group = vmail
ssl_cert = </etc/postfix/smtpd.cert ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3 ssl_protocols = !SSLv2 !SSLv3
mail_plugins = quota
passdb { passdb {
args = /etc/dovecot-sql.conf args = /etc/dovecot-sql.conf
driver = sql driver = sql
...@@ -61,7 +62,6 @@ protocol lmtp { ...@@ -61,7 +62,6 @@ protocol lmtp {
postmaster_address = webmaster@localhost postmaster_address = webmaster@localhost
mail_plugins = quota sieve mail_plugins = quota sieve
} }
mail_plugins = $mail_plugins quota
imap_capability=+SEPCIAL-USE XLIST imap_capability=+SEPCIAL-USE XLIST
namespace inbox { namespace inbox {
inbox = yes inbox = yes
virtual_alias_domains = virtual_alias_domains =
virtual_alias_maps = hash:/etc/mailman/virtual-mailman, proxy:mysql:{config_dir}/, proxy:mysql:{config_dir}/ virtual_alias_maps = proxy:mysql:{config_dir}/, proxy:mysql:{config_dir}/
virtual_mailbox_domains = proxy:mysql:{config_dir}/ virtual_mailbox_domains = proxy:mysql:{config_dir}/
virtual_mailbox_maps = proxy:mysql:{config_dir}/ virtual_mailbox_maps = proxy:mysql:{config_dir}/
virtual_mailbox_base = {vmail_mailbox_base} virtual_mailbox_base = {vmail_mailbox_base}
...@@ -16,7 +16,7 @@ smtpd_use_tls = yes ...@@ -16,7 +16,7 @@ smtpd_use_tls = yes
smtpd_tls_security_level = may smtpd_tls_security_level = may
smtpd_tls_cert_file = {config_dir}/smtpd.cert smtpd_tls_cert_file = {config_dir}/smtpd.cert
smtpd_tls_key_file = {config_dir}/smtpd.key smtpd_tls_key_file = {config_dir}/smtpd.key
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/ transport_maps = proxy:mysql:{config_dir}/
relay_domains = mysql:{config_dir}/ relay_domains = mysql:{config_dir}/
relay_recipient_maps = mysql:{config_dir}/ relay_recipient_maps = mysql:{config_dir}/
smtpd_sender_login_maps = proxy:mysql:{config_dir}/ smtpd_sender_login_maps = proxy:mysql:{config_dir}/
...@@ -15,7 +15,7 @@ smtpd_use_tls = yes ...@@ -15,7 +15,7 @@ smtpd_use_tls = yes
smtpd_tls_security_level = may smtpd_tls_security_level = may
smtpd_tls_cert_file = {config_dir}/smtpd.cert smtpd_tls_cert_file = {config_dir}/smtpd.cert
smtpd_tls_key_file = {config_dir}/smtpd.key smtpd_tls_key_file = {config_dir}/smtpd.key
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/ transport_maps = proxy:mysql:{config_dir}/
relay_domains = mysql:{config_dir}/ relay_domains = mysql:{config_dir}/
relay_recipient_maps = mysql:{config_dir}/ relay_recipient_maps = mysql:{config_dir}/
smtpd_sender_login_maps = proxy:mysql:{config_dir}/ smtpd_sender_login_maps = proxy:mysql:{config_dir}/
# Import variables
# Workaround for broken tolower function in some current fedora releases
if ( "$EXTENSION" ne "" )
if (!$SENDER)
SENDER = "<>"
# Autocreate maildir, if not existant
#`test -e {dist_postfix_vmail_mailbox_base}/$HOST`
#if ( $RETURNCODE != 0 )
# `mkdir {dist_postfix_vmail_mailbox_base}/$HOST`
#`test -e {dist_postfix_vmail_mailbox_base}/$HOST/$USER`
#if ( $RETURNCODE != 0 )
# `maildirmake {dist_postfix_vmail_mailbox_base}/$HOST/$USER`
# `chmod -R 0700 {dist_postfix_vmail_mailbox_base}/$HOST`
# Check if the user has a autoresponder enabled
`test -f {dist_postfix_vmail_mailbox_base}/mailfilters/$HOST/$USER/.autoresponder`
if ( $RETURNCODE == 0 )
include "{dist_postfix_vmail_mailbox_base}/mailfilters/$HOST/$USER/.autoresponder"
# Create a mailsize file
`test -e {dist_postfix_vmail_mailbox_base}/$HOST/$USER`
if ( $RETURNCODE == 0 )
`echo $SIZE >> {dist_postfix_vmail_mailbox_base}/$HOST/$USER/ispconfig_mailsize`
# Test if the user has his own maildrop include,
# if not available, check if $DEFAULT is set
# (newer maildrop get's that from the DB and updates
# it) and deliver or fail temporarily if not available
`test -f {dist_postfix_vmail_mailbox_base}/mailfilters/$HOST/$USER/.mailfilter`
if ( $RETURNCODE == 0 )
include "{dist_postfix_vmail_mailbox_base}/mailfilters/$HOST/$USER/.mailfilter"
if ( "$DEFAULT" ne "" )
\ No newline at end of file
sed -r -e 's/(^[^#]\S+\s+).+$/\1local/' $1 > /var/lib/mailman/data/transport-mailman
/usr/sbin/postmap /var/lib/mailman/data/transport-mailman
\ No newline at end of file
# Path of the skeleton for mailing lists
skel_dir = /usr/share/mlmmj/text.skel
# Where to store ML data and archive
spool_dir = /var/spool/mlmmj
\ No newline at end of file
# -*- python -*-
# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 USA
"""This is the module which takes your site-specific settings.
From a raw distribution it should be copied to If you
already have an, be careful to add in only the new settings
you want. The complete set of distributed defaults, with annotation,
are in ./Defaults. In mm_cfg, override only those you want to
change, after the
from Defaults import *
line (see below).
Note that these are just default settings - many can be overridden via the
admin and user interfaces on a per-list or per-user basis.
Note also that some of the settings are resolved against the active list
setting by using the value as a format string against the
list-instance-object's dictionary - see the distributed value of
DEFAULT_MSG_FOOTER for an example."""
# Here's where we get the distributed defaults. #
from Defaults import *
# Put YOUR site-specific configuration below, in . #
# See for explanations of the values. #
# The name of the list Mailman uses to send password reminders
# and similar. Don't change if you want mailman-owner to be
# a valid local part.
# If you change these, you have to configure your http server
# accordingly (Alias and ScriptAlias directives in most httpds)
DEFAULT_URL_PATTERN = 'https://%s/cgi-bin/mailman/'
PRIVATE_ARCHIVE_URL = '/cgi-bin/mailman/private'
IMAGE_LOGOS = '/images/mailman/'
# Default domain for email addresses of newly created MLs
DEFAULT_EMAIL_HOST = '{hostname}'
# Default host for web interface of newly created MLs
DEFAULT_URL_HOST = '{hostname}'
# Required when setting any of its arguments.
# The default language for this server.
DEFAULT_SERVER_LANGUAGE = {default_language}
# Iirc this was used in pre 2.1, leave it for now
USE_ENVELOPE_SENDER = 0 # Still used?
# Unset send_reminders on newly created lists
# Uncomment this if you configured your MTA such that it
# automatically recognizes newly created lists.
# (see /usr/share/doc/mailman/README.Exim4.Debian or
# /usr/share/mailman/
# MTA=None # Misnomer, suppresses alias output on newlist
# Uncomment if you use Postfix virtual domains (but not
#, but be sure to see
# /usr/share/doc/mailman/README.Debian first.
# Uncomment if you want to filter mail with SpamAssassin. For
# more information please visit this website:
# GLOBAL_PIPELINE.insert(1, 'SpamAssassin')
POSTFIX_MAP_CMD = '/etc/mailman/'
# Note - if you're looking for something that is imported from mm_cfg, but you
# didn't find it above, it's probably in /usr/lib/mailman/Mailman/
\ No newline at end of file
...@@ -3,5 +3,6 @@ ...@@ -3,5 +3,6 @@
$clientdb_host = '{hostname}'; $clientdb_host = '{hostname}';
$clientdb_user = '{username}'; $clientdb_user = '{username}';
$clientdb_password = '{password}'; $clientdb_password = '{password}';
$clientdb_port = '{port}';
?> ?>
\ No newline at end of file
server {
listen {apps_vhost_port};
listen [::]:{apps_vhost_port} ipv6only=on;
ssl {ssl_on};
{ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
{ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
{ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
# redirect to https if accessed with http
{ssl_comment}error_page 497 https://$host:{vhost_port}$request_uri;
server_name {apps_vhost_servername};
root {apps_vhost_dir};
client_max_body_size 100M;
location / {
index index.php index.html;
# serve static files directly
location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {
access_log off;
location ~ \.php$ {
try_files $uri =404;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param HTTP_PROXY "";
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:{fpm_socket};
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
location ~ /\. {
deny all;
location /phpmyadmin {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/phpmyadmin/(.+\.php)$ {
try_files $uri =404;
root /usr/share/;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# To access phpMyAdmin, the default user (like www-data on Debian/Devuan/Ubuntu) must be used
{use_socket}fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_read_timeout 1200;
location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
root /usr/share/;
location /phpMyAdmin {
rewrite ^/* /phpmyadmin last;
location /squirrelmail {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/squirrelmail/(.+\.php)$ {
try_files $uri =404;
root /usr/share/;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# To access SquirrelMail, the default user (like www-data on Debian/Devuan/Ubuntu) must be used
{use_socket}fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
root /usr/share/;
location /webmail {
rewrite ^/* /squirrelmail last;
location /cgi-bin/mailman {
root /usr/lib/;
fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_intercept_errors on;
fastcgi_pass unix:{cgi_socket};
location /images/mailman {
alias /usr/share/images/mailman;
location /pipermail {
alias /var/lib/mailman/archives/public;
autoindex on;
\ No newline at end of file
server { server {
listen {vhost_port}; listen {vhost_port}{ssl_on};
listen [::]:{vhost_port} ipv6only=on; listen [::]:{vhost_port} ipv6only=on{ssl_on};
ssl {ssl_on};
{ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2; {ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
{ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt; {ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
{ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key; {ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
{ssl_comment}ssl_prefer_server_ciphers on; {ssl_comment}ssl_prefer_server_ciphers on;
# redirect to https if accessed with http # redirect to https if accessed with http