install/tpl/fedora_dovecot2.conf.master

@@ -7,6 +7,8 @@ mail_privileged_group = vmail
 ssl_cert = </etc/postfix/smtpd.cert
 ssl_key = </etc/postfix/smtpd.key
 ssl_protocols = !SSLv2 !SSLv3
+auth_verbose = yes
+mail_plugins = quota
 passdb {
   args = /etc/dovecot-sql.conf
   driver = sql
@@ -20,7 +22,14 @@ userdb {
 }
 plugin {
   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
+
+  # no longer needed, as 'sieve' is in userdb extra fields:
   sieve=/var/vmail/%d/%n/.sieve
+
+  sieve_after=/var/vmail/%d/%n/.ispconfig.sieve
+  sieve_max_script_size = 2M
+  sieve_max_actions = 100
+  sieve_max_redirects = 25
 }
 service auth {
   unix_listener /var/spool/postfix/private/auth {
@@ -42,6 +51,7 @@ service lmtp {
    user = postfix
   }
 }
+lmtp_rcpt_check_quota = yes
 service imap-login {
   client_limit = 1000
   process_limit = 500
@@ -70,10 +80,46 @@ mail_plugins = $mail_plugins quota
 #2.3+         group = vmail
 #2.3+         mode = 0660
 #2.3+     }
-#2.3+ 
+#2.3+
 #2.3+     unix_listener stats-writer {
 #2.3+         user = vmail
 #2.3+         group = vmail
 #2.3+         mode = 0660
 #2.3+     }
 #2.3+ }
+
+service quota-status {
+  executable = quota-status -p postfix
+  unix_listener /var/spool/postfix/private/quota-status {
+    group = postfix
+    mode = 0660
+    user = postfix
+  }
+  client_limit = 1
+}
+plugin {
+  quota_status_success = DUNNO
+  quota_status_nouser = DUNNO
+  quota_status_overquota = "552 5.2.2 Mailbox is full"
+}
+
+imap_capability=+SEPCIAL-USE XLIST
+namespace inbox {
+  inbox = yes
+  separator = .
+  mailbox Drafts {
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    special_use = \Junk
+  }
+  mailbox Sent {
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+  mailbox Trash {
+    special_use = \Trash
+  }
+}

install/tpl/fedora_postfix.conf.master

@@ -11,7 +11,7 @@ broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_restriction_classes = greylisting
 greylisting = check_policy_service inet:127.0.0.1:10023
-smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination{rbl_list}, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}
+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
 smtpd_tls_cert_file = {config_dir}/smtpd.cert
@@ -22,7 +22,7 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
 smtpd_helo_required = yes
-smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
+smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
 smtpd_client_message_rate_limit = 100

install/tpl/fedora_pureftpd_conf.master

@@ -241,13 +241,6 @@ MinUID                      500
 
 
 
-# Do not use the /etc/ftpusers file to disable accounts. We're already
-# using MinUID to block users with uid < 500
-
-UseFtpUsers no
-
-
-
 # Allow FXP transfers for authenticated users.
 
 AllowUserFXP                no

install/tpl/gentoo_postfix.conf.master

@@ -10,7 +10,7 @@ broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_restriction_classes = greylisting
 greylisting = check_policy_service inet:127.0.0.1:10023
-smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination{rbl_list}, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}
+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
 smtpd_tls_cert_file = {config_dir}/smtpd.cert
@@ -21,7 +21,7 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
 smtpd_helo_required = yes
-smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
+smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
 smtpd_client_message_rate_limit = 100

install/tpl/jk_chrootsh.ini.master

@@ -10,4 +10,4 @@
 #relax_home_group=1
 skip_injail_passwd_check=1
 injail_shell=/bin/bash
-env = TERM, PATH
+env = TERM, PATH, LANG

install/tpl/jk_init.ini.master

+# jk_init.ini:  jailkit initialization config
+
+# Includes paths to handle Debian 10/9,
+# if other paths are needed please create an issue with the details:
+# https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
+
 [uidbasics]
-# this section probably needs adjustment on 64bit systems
-# or non-Linux systems
 comment = common files for all jails that need user/group information
-libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/x86_64-linux-gnu/libnss*.so.2
-regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf
+paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/x86_64-linux-gnu/libnss*.so.2, /lib/arm-linux-gnueabihf/libnss*.so.2, /lib/arm-linux-gnueabihf/libnsl*.so.1, /etc/nsswitch.conf, /etc/ld.so.conf
 
 [netbasics]
 comment = common files for all jails that need any internet connectivity
-libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/x86_64-linux-gnu/libnss_dns.so.2
-regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols
+paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/libnss_mdns*.so.2, /lib/i386-linux-gnu/libnss_dns.so.2, /lib/x86_64-linux-gnu/libnss_dns.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services, /etc/ssl/certs/, /usr/lib/ssl/certs
 
 [logbasics]
-comment = timezone information
-regularfiles = /etc/localtime
+comment = timezone information and log sockets
+paths = /etc/localtime
 need_logsocket = 1
 
 [jk_lsh]
 comment = Jailkit limited shell
-executables = /usr/sbin/jk_lsh
-regularfiles = /etc/jailkit/jk_lsh.ini
+paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
 users = root
 groups = root
-need_logsocket = 1
-includesections = uidbasics
+includesections = uidbasics, logbasics
 
 [limitedshell]
 comment = alias for jk_lsh
@@ -30,76 +30,77 @@ includesections = jk_lsh
 
 [cvs]
 comment = Concurrent Versions System
-executables = /usr/bin/cvs
+paths = cvs
 devices = /dev/null
 
 [git]
 comment = Fast Version Control System
-executables = /usr/bin/git*
-directories = /usr/share/git-core
-includesections = editors
+paths = /usr/bin/git*, /usr/lib/git-core, /usr/share/git-core, /usr/bin/pager
+includesections = editors, perl, netbasics, basicshell, coreutils
 
 [scp]
 comment = ssh secure copy
-executables = /usr/bin/scp
+paths = scp
 includesections = netbasics, uidbasics
 devices = /dev/urandom
 
 [sftp]
 comment = ssh secure ftp
-executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
+paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server, /usr/lib/openssh/sftp-server
 includesections = netbasics, uidbasics
 devices = /dev/urandom, /dev/null
+# on solaris 
+#paths = /usr/lib/ssh/sftp-server
 
 [ssh]
 comment = ssh secure shell
-executables = /usr/bin/ssh
+paths = ssh
 includesections = netbasics, uidbasics
-devices = /dev/urandom, /dev/tty
+devices = /dev/urandom, /dev/tty, /dev/null
 
 [rsync]
-executables = /usr/bin/rsync
+paths = rsync
 includesections = netbasics, uidbasics
 
 [procmail]
 comment = procmail mail delivery
-executables = /usr/bin/procmail, /bin/sh
+paths = procmail, /bin/sh
 devices = /dev/null
 
 [basicshell]
 comment = bash based shell with several basic utilities
-executables = /bin/sh, /bin/bash, /bin/ls, /bin/cat, /bin/chmod, /bin/mkdir, /bin/cp, /bin/cpio, /bin/date, /bin/dd, /bin/echo, /bin/egrep, /bin/false, /bin/fgrep, /bin/grep, /bin/gunzip, /bin/gzip, /bin/ln, /bin/ls, /bin/mkdir, /bin/mktemp, /bin/more, /bin/mv, /bin/pwd, /bin/rm, /bin/rmdir, /bin/sed, /bin/sh, /bin/sleep, /bin/sync, /bin/tar, /bin/touch, /bin/true, /bin/uncompress, /bin/zcat
-regularfiles = /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile
-directories = /usr/lib/locale/en_US.utf8
+paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8, uname, expr, xargs
 users = root
 groups = root
 includesections = uidbasics
 
 [midnightcommander]
 comment = Midnight Commander
-executables = /usr/bin/mc, /usr/bin/mcedit, /usr/bin/mcview
-directories = /etc/terminfo, /usr/share/terminfo, /usr/share/mc
-includesections = basicshell
+paths = mc, mcedit, mcview, /usr/share/mc
+includesections = basicshell, terminfo
 
 [extendedshell]
 comment = bash shell including things like awk, bzip, tail, less
-executables = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usr/bin/whoami
+paths = awk, bzip2, bunzip2, ldd, less, clear, cut, du, find, head, less, md5sum, nice, sort, tac, tail, tr, sort, wc, watch, whoami
 includesections = basicshell, midnightcommander, editors
 
+[terminfo]
+comment = terminfo databases, required for example for ncurses or vim 
+paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo
+
 [editors]
 comment = vim, joe and nano
-executables = /usr/bin/joe, /usr/bin/nano, /usr/bin/vi, /usr/bin/vim, /usr/bin/pico
-regularfiles = /etc/vimrc
-directories = /etc/joe, /etc/terminfo, /usr/share/vim, /usr/share/terminfo, /lib/terminfo
+includesections = terminfo
+paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim
 
 [netutils]
 comment = several internet utilities like wget, ftp, rsync, scp, ssh
-executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
+paths = wget, lynx, ftp, host, rsync, smbclient
 includesections = netbasics, ssh, sftp, scp
 
 [apacheutils]
 comment = htpasswd utility
-executables = /usr/bin/htpasswd
+paths = htpasswd
 
 [extshellplusnet]
 comment = alias for extendedshell + netutils + apacheutils
@@ -107,45 +108,120 @@ includesections = extendedshell, netutils, apacheutils
 
 [openvpn]
 comment = jail for the openvpn daemon
-executables = /usr/sbin/openvpn
+paths = /usr/sbin/openvpn
 users = root,nobody
 groups = root,nogroup
-includesections = netbasics
 devices = /dev/urandom, /dev/random, /dev/net/tun
 includesections = netbasics, uidbasics
 need_logsocket = 1
 
 [apache]
 comment = the apache webserver, very basic setup, probably too limited for you
-executables = /usr/sbin/apache
+paths = /usr/sbin/apache
 users = root, www-data
 groups = root, www-data
 includesections = netbasics, uidbasics
 
 [perl]
 comment = the perl interpreter and libraries
-executables = /usr/bin/perl
-directories = /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
+paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
 
 [xauth]
 comment = getting X authentication to work
-executables = /usr/bin/X11/xauth
-regularfiles = /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
+paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
 
 [xclients]
 comment = minimal files for X clients
-regularfiles = /usr/X11R6/lib/X11/rgb.txt
+paths = /usr/X11R6/lib/X11/rgb.txt
 includesections = xauth
 
 [vncserver]
 comment = the VNC server program
-executables = /usr/bin/Xvnc, /usr/bin/Xrealvnc
-directories = /usr/X11R6/lib/X11/fonts/
+paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/
 includesections = xclients
 
+[ping]
+comment = Ping program
+paths_w_setuid = /bin/ping
 
 #[xterm]
 #comment = xterm
-#executables = /usr/bin/X11/xterm
-#directories = /usr/share/terminfo, /etc/terminfo
+#paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo
 #devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
+
++# coreutils from:
++# (echo -ne '\n[coreutils]\ncomment = non-sbin progs from coreutils\npaths = '; dpkg --listfiles coreutils | grep -E '^/bin/|/usr/bin/' | xargs -n1 -i@ echo -n "@, " | sed -e 's/, *$/\n/g' -e 's|/usr/bin/||g' -e 's|/bin/||g') >> /etc/jailkit/jk_init.ini
+
+[coreutils]
+comment = non-sbin progs from coreutils
+paths = cat, chgrp, chmod, chown, cp, date, dd, df, dir, echo, false, ln, ls, mkdir, mknod, mktemp, mv, pwd, readlink, rm, rmdir, sleep, stty, sync, touch, true, uname, vdir, [, arch, b2sum, base32, base64, basename, chcon, cksum, comm, csplit, cut, dircolors, dirname, du, env, expand, expr, factor, fmt, fold, groups, head, hostid, id, install, join, link, logname, md5sum, mkfifo, nice, nl, nohup, nproc, numfmt, od, paste, pathchk, pinky, pr, printenv, printf, ptx, realpath, runcon, seq, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum, shred, shuf, sort, split, stat, stdbuf, sum, tac, tail, tee, test, timeout, tr, truncate, tsort, tty, unexpand, uniq, unlink, users, wc, who, whoami, yes, md5sum.textutils
+
+[wp]
+comment = WordPress Command Line
+paths = wp, /usr/local/bin/php
+includesections = php, mysql-client
+
+[mysql-client]
+comment = mysql client
+paths = mysql, mysqldump, mysqlshow, /usr/lib/libmysqlclient.so, /usr/lib/i386-linux-gnu/libmariadb.so.3, /usr/lib/i386-linux-gnu/mariadb19, /usr/lib/x86_64-linux-gnu/libmariadb.so.3, /usr/lib/x86_64-linux-gnu/mariadb19
+includesections = netbasics
+
+[composer]
+comment = composer
+paths = composer, /usr/local/bin/composer, /usr/share/doc/composer
+includesections = php, uidbasics, netbasics
+
+[node]
+comment = NodeJS
+paths = npm, node, nodejs, /usr/lib/nodejs, /usr/share/node-mime, /usr/lib/node_modules, /usr/local/lib/nodejs, /usr/local/lib/node_modules, elmi-to-json, /usr/local/bin/elmi-to-json
+
+[env]
+comment = /usr/bin/env for environment variables
+paths = env
+
+# Debian 10 default php version is 7.3 (Debian 9 is 7.0)
+# Todo: set default version in ISPConfig installer,
+# but install the php cli version matching the website
+[php]
+comment = default php version and libraries
+paths = /usr/bin/php
+includesections = php_common, php7_3
+
+[php_common]
+comment = common php directories and libraries
+# notice:  potential information leak
+#  do not add all of /etc/php/ or any of the fpm directories
+#  or the php config (which includes custom php snippets) from *all*
+#  sites which use fpm will be copied to *every* jailkit
+paths = /usr/bin/php, /usr/lib/php/, /usr/share/php/, /usr/share/zoneinfo/
+includesections = env
+
+[php5_6]
+comment = php version 5.6
+paths = /usr/bin/php5.6, /usr/lib/php/5.6/, /usr/lib/php/20131226/, /usr/share/php/5.6/, /etc/php/5.6/cli/, /etc/php/5.6/mods-available/
+includesections = php_common
+
+[php7_0]
+comment = php version 7.0
+paths = /usr/bin/php7.0, /usr/lib/php/7.0/, /usr/lib/php/20151012/, /usr/share/php/7.0/, /etc/php/7.0/cli/, /etc/php/7.0/mods-available/
+includesections = php_common
+
+[php7_1]
+comment = php version 7.1
+paths = /usr/bin/php7.1, /usr/lib/php/7.1/, /usr/lib/php/20160303/, /usr/share/php/7.1/, /etc/php/7.1/cli/, /etc/php/7.1/mods-available/
+includesections = php_common
+
+[php7_2]
+comment = php version 7.2
+paths = /usr/bin/php7.2, /usr/lib/php/7.2/, /usr/lib/php/20170718/, /usr/share/php/7.2/, /etc/php/7.2/cli/, /etc/php/7.2/mods-available/
+includesections = php_common
+
+[php7_3]
+comment = php version 7.3
+paths = /usr/bin/php7.3, /usr/lib/php/7.3/, /usr/lib/php/20180731/, /usr/share/php/7.3/, /etc/php/7.3/cli/, /etc/php/7.3/mods-available/
+includesections = php_common
+
+[php7_4]
+comment = php version 7.4
+paths = /usr/bin/php7.4, /usr/lib/php/7.4/, /usr/lib/php/20190902/, /usr/share/php/7.4/, /etc/php/7.4/cli/, /etc/php/7.4/mods-available/
+includesections = php_common

install/tpl/master_cf_amavis10025.master

@@ -8,6 +8,7 @@
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
+        -o smtpd_end_of_data_restrictions=
         -o mynetworks=127.0.0.0/8
         -o strict_rfc821_envelopes=yes
         -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

install/tpl/master_cf_amavis10027.master

@@ -8,6 +8,7 @@
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
+        -o smtpd_end_of_data_restrictions=
         -o mynetworks=127.0.0.0/8
         -o strict_rfc821_envelopes=yes
         -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

install/tpl/opensuse_dovecot.conf.master

@@ -1274,11 +1274,16 @@ plugin {
   # 
   # Location of the active script. When ManageSieve is used this is actually 
   # a symlink pointing to the active script in the sieve storage directory. 
-  sieve=~/.dovecot.sieve
-  #
+  sieve=~/.sieve
+
   # The path to the directory where the personal Sieve scripts are stored. For 
   # ManageSieve this is where the uploaded scripts are stored.
   sieve_dir=~/sieve
+
+  sieve_after=/var/vmail/%d/%n/.ispconfig.sieve
+  sieve_max_script_size = 2M
+  sieve_max_actions = 100
+  sieve_max_redirects = 25
 }
 
 # Config files can also be included. deliver doesn't support them currently.

install/tpl/opensuse_dovecot2.conf.master

@@ -7,6 +7,7 @@ mail_privileged_group = vmail
 ssl_cert = </etc/postfix/smtpd.cert
 ssl_key = </etc/postfix/smtpd.key
 ssl_protocols = !SSLv2 !SSLv3
+mail_plugins = quota
 passdb {
   args = /etc/dovecot/dovecot-sql.conf
   driver = sql
@@ -20,7 +21,14 @@ userdb {
 }
 plugin {
   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
+
+  # no longer needed, as 'sieve' is in userdb extra fields:
   sieve=/var/vmail/%d/%n/.sieve
+
+  sieve_after=/var/vmail/%d/%n/.ispconfig.sieve
+  sieve_max_script_size = 2M
+  sieve_max_actions = 100
+  sieve_max_redirects = 25
 }
 service auth {
   unix_listener /var/spool/postfix/private/auth {
@@ -42,6 +50,7 @@ service lmtp {
    user = postfix
   }
 }
+lmtp_rcpt_check_quota = yes
 service imap-login {
   client_limit = 1000
   process_limit = 500
@@ -76,3 +85,40 @@ mail_plugins = $mail_plugins quota
 #2.3+         mode = 0660
 #2.3+     }
 #2.3+ }
+
+service quota-status {
+  executable = quota-status -p postfix
+  unix_listener /var/spool/postfix/private/quota-status {
+    group = postfix
+    mode = 0660
+    user = postfix
+  }
+  client_limit = 1
+}
+plugin {
+  quota_status_success = DUNNO
+  quota_status_nouser = DUNNO
+  quota_status_overquota = "552 5.2.2 Mailbox is full"
+}
+
+imap_capability=+SEPCIAL-USE XLIST
+namespace inbox {
+  inbox = yes
+  separator = .
+  mailbox Drafts {
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    special_use = \Junk
+  }
+  mailbox Sent {
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+  mailbox Trash {
+    special_use = \Trash
+  }
+}
+

install/tpl/opensuse_postfix.conf.master

@@ -13,7 +13,7 @@ broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_restriction_classes = greylisting
 greylisting = check_policy_service inet:127.0.0.1:10023
-smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination{rbl_list}, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf{greylisting}
+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
 smtpd_tls_cert_file = {config_dir}/smtpd.cert
@@ -24,7 +24,7 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
 smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
 smtpd_helo_required = yes
-smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
+smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo
 smtpd_sender_restrictions = check_sender_access regexp:{config_dir}/tag_as_originating.re {reject_slm}, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_sender_access regexp:{config_dir}/tag_as_foreign.re
 smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
 smtpd_client_message_rate_limit = 100

install/tpl/server.ini.master

@@ -121,6 +121,7 @@ overquota_db_notify_client=y
 overquota_notify_onok=n
 logging=yes
 php_fpm_reload_mode=reload
+php_fpm_default_chroot=n
 
 [dns]
 bind_user=root

install/tpl/system.ini.master

@@ -69,3 +69,4 @@ session_timeout=0
 session_allow_endless=0
 min_password_length=8
 min_password_strength=3
+ssh_authentication=

interface/lib/classes/aps_guicontroller.inc.php

@@ -340,6 +340,8 @@ class ApsGUIController extends ApsBase
 								 "remote_access" => $mysql_db_remote_access,
 								 "remote_ips" => $mysql_db_remote_ips,
 								 "backup_copies" => $websrv['backup_copies'],
+								 "backup_format_web" => $websrv['backup_format_web'],
+								 "backup_format_db" => $websrv['backup_format_db'],
 								 "active" => 'y', 
 								 "backup_interval" => $websrv['backup_interval']
 								 );

interface/lib/classes/custom_datasource.inc.php

@@ -161,9 +161,10 @@ class custom_datasource {
 			$sql = "SELECT $server_type as server_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?";
 			$client = $app->db->queryOneRecord($sql, $client_group_id);
 			if($client['server_id'] > 0) {
-				//* Select the default server for the client
-				$sql = "SELECT server_id,server_name FROM server WHERE server_id = ?";
-				$records = $app->db->queryAllRecords($sql, $client['server_id']);
+				///* Select the available servers for the client
+				$clientservers = explode(',',$client['server_id']);
+				$sql = "SELECT server_id,server_name FROM server WHERE server_id IN ? ORDER BY server_name";
+				$records = $app->db->queryAllRecords($sql,$clientservers);
 			} else {
 				//* Not able to find the clients defaults, use this as fallback and add a warning message to the log
 				$app->log('Unable to find default server for client in custom_datasource.inc.php', 1);

interface/lib/classes/db_mysql.inc.php

@@ -258,6 +258,8 @@ class db
 
 	private function _query($sQuery = '') {
 		global $app;
+		
+		$aArgs = func_get_args();
 
 		if ($sQuery == '') {
 			$this->_sqlerror('Keine Anfrage angegeben / No query given');
@@ -297,7 +299,6 @@ class db
 			}
 		} while($ok == false);
 
-		$aArgs = func_get_args();
 		$sQuery = call_user_func_array(array(&$this, '_build_query_string'), $aArgs);
 		$this->securityScan($sQuery);
 		$this->_iQueryId = mysqli_query($this->_iConnId, $sQuery);
@@ -353,9 +354,11 @@ class db
 	 * @return array result row or NULL if none found
 	 */
 	public function queryOneRecord($sQuery = '') {
+		
+		$aArgs = func_get_args();
+		
 		if(!preg_match('/limit \d+\s*(,\s*\d+)?$/i', $sQuery)) $sQuery .= ' LIMIT 0,1';
 
-		$aArgs = func_get_args();
 		$oResult = call_user_func_array(array(&$this, 'query'), $aArgs);
 		if(!$oResult) return null;
 
@@ -1300,7 +1303,7 @@ class fakedb_result {
 
 		if(!is_array($this->aLimitedData)) return $aItem;
 
-		if(list($vKey, $aItem) = each($this->aLimitedData)) {
+		foreach($this->aLimitedData as $vKey => $aItem) {
 			if(!$aItem) $aItem = null;
 		}
 		return $aItem;

interface/lib/classes/ids.inc.php

@@ -68,7 +68,7 @@ class ids {
 		
 		// Get whitelist
 		$whitelist_path = '/usr/local/ispconfig/security/ids.whitelist';
-		if(is_file('/usr/local/ispconfig/security/ids.whitelist.custom')) $whitelist_path = '/usr/local/ispconfig/security/ids.whitelist.custom';
+		if(is_readable('/usr/local/ispconfig/security/ids.whitelist.custom')) $whitelist_path = '/usr/local/ispconfig/security/ids.whitelist.custom';
 		if(!is_file($whitelist_path)) $whitelist_path = realpath(ISPC_ROOT_PATH.'/../security/ids.whitelist');
 		
 		$whitelist_lines = file($whitelist_path);
@@ -91,7 +91,7 @@ class ids {
 		
 		// Get HTML fields
 		$htmlfield_path = '/usr/local/ispconfig/security/ids.htmlfield';
-		if(is_file('/usr/local/ispconfig/security/ids.htmlfield.custom')) $htmlfield_path = '/usr/local/ispconfig/security/ids.htmlfield.custom';
+		if(is_readable('/usr/local/ispconfig/security/ids.htmlfield.custom')) $htmlfield_path = '/usr/local/ispconfig/security/ids.htmlfield.custom';
 		if(!is_file($htmlfield_path)) $htmlfield_path = realpath(ISPC_ROOT_PATH.'/../security/ids.htmlfield');
 		
 		$htmlfield_lines = file($htmlfield_path);

interface/lib/classes/ispcmail.inc.php

@@ -169,7 +169,7 @@ class ispcmail {
 			$this->smtp_host = $value;
 			break;
 		case 'smtp_port':
-			$this->smtp_port = $value;
+			if(intval($value) > 0) $this->smtp_port = $value;
 			break;
 		case 'smtp_user':
 			$this->smtp_user = $value;
@@ -586,8 +586,8 @@ class ispcmail {
 	 */
 	private function _smtp_login() {
 		$this->_smtp_conn = fsockopen(($this->smtp_crypt == 'ssl' ? 'tls://' : '') . $this->smtp_host, $this->smtp_port, $errno, $errstr, 30);
-		$response = fgets($this->_smtp_conn, 515);
 		if(empty($this->_smtp_conn)) return false;
+		$response = fgets($this->_smtp_conn, 515);
 
 		//Say Hello to SMTP
 		if($this->smtp_helo == '') $this->detectHelo();
@@ -607,8 +607,11 @@ class ispcmail {
 			}
 			stream_context_set_option($this->_smtp_conn, 'ssl', 'verify_host', false);
 			stream_context_set_option($this->_smtp_conn, 'ssl', 'verify_peer', false);
+			stream_context_set_option($this->_smtp_conn, 'ssl', 'verify_peer_name', false);
 			stream_context_set_option($this->_smtp_conn, 'ssl', 'allow_self_signed', true);
-			stream_socket_enable_crypto($this->_smtp_conn, true, $crypto_method);
+			if (stream_socket_enable_crypto($this->_smtp_conn, true, $crypto_method) != true) {
+				return false;
+			}
 		}
 
 		//AUTH LOGIN

interface/lib/classes/listform_actions.inc.php

@@ -189,10 +189,11 @@ class listform_actions {
 		//* substitute value for select fields
 		if(is_array($app->listform->listDef['item']) && count($app->listform->listDef['item']) > 0) {
 			foreach($app->listform->listDef['item'] as $field) {
+				if($rec['active'] == 'n') $rec['warn_inactive'] = 'y';
 				$key = $field['field'];
 				if(isset($field['formtype']) && $field['formtype'] == 'SELECT') {
 					if(strtolower($rec[$key]) == 'y' or strtolower($rec[$key]) == 'n') {
-						// Set a additional image variable for bolean fields
+						// Set a additional image variable for boolean fields
 						$rec['_'.$key.'_'] = (strtolower($rec[$key]) == 'y')?'x16/tick_circle.png':'x16/cross_circle.png';
 					}
 					//* substitute value for select field