Merge branch 'kelduum-bullseye-testing-patch-09414' into 'bullseye-testing'

Fixes for Debian Bullseye Release See merge request !236

Merge branch 'kelduum-bullseye-testing-patch-09414' into 'bullseye-testing'
Fixes for Debian Bullseye Release See merge request !236
66f71229 · Paul Cammish · a1282608 · 28740047 · 66f71229 · 66f71229
Commit 66f71229 authored Aug 18, 2021 by Paul Cammish
--- a/CHANGELOG
+++ b/CHANGELOG
 CHANGELOG
 ---------

+2021-08-18
+  sympl-core:
+    * Check htdocs/stats for AWFFull rather than Webalizer
+  sympl-web
+    * Update Webalizer references to AWFFull
+    * Disable default AWFFull cron
+  sympl-mail
+    * Further fixes for Exim 4.94 in Debian Bullseye
+  
+2021-08-13
+  sympl-mail:
+    * use systemd socket activation for sympl-mail-poppassd    
+
 2021-04-09
  sympl-core
    * Update sympl.host to sympl.io

--- a/core/debian/changelog
+++ b/core/debian/changelog
+sympl-core (11.20210818.0) stable; urgency=medium
+
+  * Check htdocs/stats for AWFFull rather than Webalizer
+
+ -- Paul Cammish <sympl@kelduum.net>  Wed, 18 Aug 2021 12:15:00 +0100
+ 
 sympl-core (11.20210409.0) stable; urgency=medium
 
  * Updated sympl.host to sympl.io

--- a/core/sbin/sympl-filesystem-security
+++ b/core/sbin/sympl-filesystem-security
@@ -86,12 +86,12 @@ function secure_domain_dir()
    fi


-    # Lock down the public/htdocs/stats directory, if it exists and contains webalizer html
+    # Lock down the public/htdocs/stats directory, if it exists and contains awffull html
    # By default this is left unprotected, and includes IP addresses which are classified
    #   under GDPR as personally identifiable

    if [ ! -f "${domain}/public/htdocs/stats/.htaccess" ] && [ -f "${domain}/public/htdocs/stats/index.html" ]; then
-      if [ $( grep -c 'webalizer' "${domain}/public/htdocs/stats/index.html" ) != 0 ]; then
+      if [ $( grep -c 'awffull' "${domain}/public/htdocs/stats/index.html" ) != 0 ]; then
        echo "# Prevent unauthorized access to stats and enforce HTTPS
 RewriteEngine On
 RewriteCond %{HTTPS} off

--- a/mail/debian/changelog
+++ b/mail/debian/changelog
+sympl-mail (11.20210818.0) stable; urgency=medium
+
+  * Further fixes for Exim 4.94 in Debian Bullseye
+
+ -- Paul Cammish <sympl@kelduum.net>  Wed, 18 Aug 2021 12:15:00 +0100
+ 
 sympl-mail (11.20210813.1) stable; urgency=medium

  * ensure sympl-mail-poppassd socket always starts before service

--- a/mail/exim4/sympl.d/10-acl/50-acl-check-rcpt/80-enable-antispam-check
+++ b/mail/exim4/sympl.d/10-acl/50-acl-check-rcpt/80-enable-antispam-check
@@ -23,7 +23,7 @@
          # starts with 'tag', then the message will be accepted and tagged, else
          # we reject the mail.

-          set acl_m0  = ${if match{${extract{smode}{${stat:VHOST_DIR/${domain_data}/VHOST_CONFIG_DIR/antispam}}}}{\Nr\N}{\
-                          ${if match{${readfile{VHOST_DIR/${domain_data}/VHOST_CONFIG_DIR/antispam}}}{^tag}{tag}{reject}}\
+          set acl_m0  = ${if match{${extract{smode}{${stat:VHOST_DIR/${lookup{$domain} dsearch{VHOST_DIR/}}/VHOST_CONFIG_DIR/antispam}}}}{\Nr\N}{\
+                          ${if match{${readfile{VHOST_DIR/${lookup{$domain} dsearch{VHOST_DIR/}}/VHOST_CONFIG_DIR/antispam}}}{^tag}{tag}{reject}}\
                        }{reject}}

--- a/mail/exim4/sympl.d/10-acl/50-acl-check-rcpt/85-enable-antivirus-check
+++ b/mail/exim4/sympl.d/10-acl/50-acl-check-rcpt/85-enable-antivirus-check
-  # Test to see if a domain needs virus scanning, 
+  # Test to see if a domain needs virus scanning,
  warn    domains    = +vhost_domains
          condition  = ${if and{\
                         {exists{VHOST_DIR/${domain_data}/VHOST_CONFIG_DIR/antivirus}} \
                         {!eq{$acl_m2}{tag}} \
                       }}

-          set acl_m2 = ${if match{${extract{smode}{${stat:VHOST_DIR/${domain_data}/VHOST_CONFIG_DIR/antivirus}}}}{\Nr\N}{\
-                          ${if match{${readfile{VHOST_DIR/${domain_data}/VHOST_CONFIG_DIR/antivirus}}}{^tag}{tag}{reject}}\
+          set acl_m2 = ${if match{${extract{smode}{${stat:VHOST_DIR/${lookup{$domain} dsearch{VHOST_DIR/}}/VHOST_CONFIG_DIR/antivirus}}}}{\Nr\N}{\
+                          ${if match{${readfile{VHOST_DIR/${lookup{$domain} dsearch{VHOST_DIR/}}/VHOST_CONFIG_DIR/antivirus}}}{^tag}{tag}{reject}}\
                       }{reject}}

--- a/mail/exim4/sympl.d/30-transports/10-remote-smtp
+++ b/mail/exim4/sympl.d/30-transports/10-remote-smtp
@@ -10,7 +10,7 @@ remote_smtp:
  #
  interface = <, ${extract {1}{:}\
      {${filter\
-        {VHOST_DIR/$sender_address_domain/VHOST_CONFIG_DIR/ip:VHOST_DIR/$sender_address_domain/VHOST_CONFIG_DIR/ips:/etc/sympl/config/ip:/etc/sympl/config/ips}\
+        {VHOST_DIR/${lookup{$sender_address_domain} dsearch{VHOST_DIR/}}/VHOST_CONFIG_DIR/ip:VHOST_DIR/${lookup{$sender_address_domain} dsearch{VHOST_DIR/}}/VHOST_CONFIG_DIR/ips:/etc/sympl/config/ip:/etc/sympl/config/ips}\
        {exists{$item}}\
      }}\
      {${if !eq{$value}{}{\

--- a/mail/exim4/sympl.d/30-transports/15-remote-smtp-with-dkim
+++ b/mail/exim4/sympl.d/30-transports/15-remote-smtp-with-dkim
@@ -6,7 +6,7 @@
 DKIM_SELECTOR_REGEX = (?i)\N\b(([_a-z0-9-]+)(\.[_a-z0-9-]+)*)\b\N

 remote_smtp_with_dkim:
-  debug_print = "T: remote_smtp_with_dkim for $local_part@$domain ($sender_address_domain key)"
+  debug_print = "T: remote_smtp_with_dkim for $local_part@$domain (${lookup{$sender_address_domain} dsearch{VHOST_DIR/}} key)"
  driver = smtp

  group = ${extract{gid}{${stat:VHOST_DIR/$sender_address_domain/VHOST_CONFIG_DIR}}}
@@ -14,13 +14,13 @@ remote_smtp_with_dkim:
  #
  # Sign using the $sender_address_domain
  #
-  dkim_domain      = $sender_address_domain
+  dkim_domain      = ${lookup{$sender_address_domain} dsearch{VHOST_DIR/}}

  #
  # This reads the dkim selector file in, replaces new lines with colons, and
  # picks the first.  If it is empty, use the $primary_hostname.
  #
-  dkim_selector = ${if match{ ${readfile{VHOST_DIR/${sender_address_domain}/VHOST_CONFIG_DIR/dkim}} }\
+  dkim_selector = ${if match{ ${readfile{VHOST_DIR/${lookup{$sender_address_domain} dsearch{VHOST_DIR/}}/VHOST_CONFIG_DIR/dkim}} }\
                       {DKIM_SELECTOR_REGEX}\
                       {$1}\
                       {${if match{$primary_hostname}\
@@ -30,7 +30,7 @@ remote_smtp_with_dkim:
                       }}\
                  }

-  dkim_private_key = ${readfile{VHOST_DIR/${sender_address_domain}/VHOST_CONFIG_DIR/dkim.key}}
+  dkim_private_key = ${readfile{VHOST_DIR/${lookup{$sender_address_domain} dsearch{VHOST_DIR/}}/VHOST_CONFIG_DIR/dkim.key}}

  #
  # If dkim_strict is set to true, exim will defer sending the message if
@@ -57,7 +57,7 @@ remote_smtp_with_dkim:
  #
  interface = <, ${extract {1}{:}\
      {${filter\
-        {VHOST_DIR/$sender_address_domain/config/ip:VHOST_DIR/$sender_address_domain/config/ips:/etc/sympl/config/ip:/etc/sympl/config/ips}\
+        {VHOST_DIR/${lookup{$sender_address_domain} dsearch{VHOST_DIR/}}/config/ip:VHOST_DIR/${lookup{$sender_address_domain} dsearch{VHOST_DIR/}}/config/ips:/etc/sympl/config/ip:/etc/sympl/config/ips}\
        {exists{$item}}\
      }}\
      {${if !eq{$value}{}{\

--- a/web/debian/changelog
+++ b/web/debian/changelog
+sympl-web (11.20210818.0) stable; urgency=medium
+
+  * Update Webalizer references to AWFFull
+  * Disable default AWFFull cron
+
+ -- Paul Cammish <sympl@kelduum.net>  Wed, 18 Aug 2021 12:15:00 +0100
+
 sympl-web (11.20210215.0) stable; urgency=medium

  * Updated version numbering format

--- a/web/debian/sympl-web.postinst
+++ b/web/debian/sympl-web.postinst
@@ -82,4 +82,11 @@ for i in apache2; do
  fi
 done

+#
+# Disable superflous awffull cron job as Sympl runs it itself
+#
+if [ -f /etc/cron.daily/awffull ]; then
+  find /etc/cron.daily -type f -name awffull -perm /111 -exec chmod -x {} \;
+fi
+
 exit 0
--- a/web/sbin/sympl-web-generate-stats
+++ b/web/sbin/sympl-web-generate-stats
@@ -12,10 +12,10 @@
 #
 # OPTIONS
 #
-#  -t, --template <file>   Set the webalizer config template file. Defaults to
+#  -t, --template <file>   Set the awffull config template file. Defaults to
 #                          /etc/sympl/apache.d/webalizer.conf.erb.
 #
-#  -f, --force             Force regeneration of the webalizer configuration
+#  -f, --force             Force regeneration of the awffull configuration
 #                          snippet for all domains.
 #
 #  -p, --prefix <directory>  Prefix directory, defaults to /srv.
@@ -33,9 +33,10 @@
 #
 # The script is assumed to be invoked once per day, via /etc/cron.daily/.
 #
-# AUTHOR
+# AUTHORS
 #
 #   Steve Kemp <steve@bytemark.co.uk>
+#   Paul Cammish <sympl@kelduum.net>
 #


@@ -223,7 +224,7 @@ Symbiosis::Domains.each(prefix) do |domain|
  #  ssl_access.log for HTTPS accesses.
  #
  #
-  # Firstly check when webalizer was last run.
+  # Firstly check when awffull was last run.
  #
  last_run = nil

@@ -261,7 +262,7 @@ Symbiosis::Domains.each(prefix) do |domain|
  end

  #
-  # Now stat() it -- webalizer updates this file with each run.
+  # Now stat() it -- awffull updates this file with each run.
  #
  if File.exist?(history_file)
    last_run = File.stat(history_file).mtime
@@ -318,12 +319,12 @@ Symbiosis::Domains.each(prefix) do |domain|
  #  Now process each logfile.
  #
  process.each do |stinking_log_file|
-    puts "\tRunning webalizer against #{stinking_log_file}" if $VERBOSELOCAL
+    puts "\tRunning awffull against #{stinking_log_file}" if $VERBOSELOCAL

    #
    #  Now run it under sudo, as the user ID of the domain.
    #
    quiet = ($VERBOSELOCAL ? "-d" : "-Q")
-    system( "cd #{domain.config_dir} && sudo -u '\##{domain.uid}' -- webalizer -c #{webalizer_conf} #{quiet} #{stinking_log_file}" )
+    system( "cd #{domain.config_dir} && sudo -u '\##{domain.uid}' -- awffull -c #{webalizer_conf} #{quiet} #{stinking_log_file}" )
  end
 end