Commit afd1a402 authored by Paul Cammish's avatar Paul Cammish

Merge branch 'stretch-testing' into 'stretch'

stretch testing -> stretch

See merge request !164
parents 1a026b58 e32c3972
CHANGELOG
---------
2020-01-27
sympl-webmail
* Fixed importing contacts
2019-12-31
sympl-core
* Fixed inconsistency with 'disable-filesystem-security' switch.
2019-12-27
sympl-mail
* Improves default PCI Compliance by disabling TLS 1.0
sympl-ftp
* Improves default PCI Compliance by disabling TLS 1.0
2019-12-16
sympl-core
* Add sympl user to relevant groups on each install.
......
sympl-core (9.0.191231.0) stable; urgency=medium
* Fixed inconsistency with disable-filesystem-security switches.
-- Paul Cammish <sympl@kelduum.net> Tue, 31 Dec 2019 08:19:04 +0000
sympl-core (9.0.191216.0) stable; urgency=medium
* Add sympl user to relevant groups on each install.
......
......@@ -8,7 +8,7 @@
set -e
if [ -f /etc/sympl/do-not-secure ]; then exit 0; fi
if [ -f /etc/sympl/do-not-secure ] || [ -f /etc/sympl/disable-filesystem-security ] ; then exit 0; fi
function secure_domain_dir()
{
......@@ -136,7 +136,7 @@ if [ -d /etc/sympl ]; then
fi
for domain in $( find /srv -maxdepth 1 -mindepth 1 ! -type l -type d -print | grep -v '^/srv/\.' | grep '\.' ); do
if [ ! -f ${domain}/config/do-not-secure ]; then
if [ ! -f ${domain}/config/do-not-secure ] || [ -f /etc/sympl/disable-filesystem-security ] ; then
secure_domain_dir ${domain}
fi
done
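Review bot: The `|| [ -f /etc/sympl/disable-filesystem-security ]` clause added to the per-domain test in the second hunk can never be true when it is reached, because the first hunk (line 8 of the same file) already exits the script whenever that file exists; and if it were reachable it would do the opposite of a disable switch, forcing `secure_domain_dir` even for a domain that has `config/do-not-secure`. Unless a per-domain override is intended, the test should stay `if [ ! -f "${domain}/config/do-not-secure" ]; then` (quoting `${domain}` while the line is being touched, since the unquoted `$( find ... )` loop word-splits it). The function `secure_domain_dir` opened at the end of the first hunk continues outside it.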
......
sympl-ftp (9.0.191227.0) stable; urgency=medium
* Disabled dangerous TLSv1.0 cyphers
* Note: The version of pure-ftpd which ships with Debian 9 cannot be made PCI Compliant
* Users affected by this should remove or firewall FTP, or upgrade.
-- Paul Cammish <sympl@kelduum.net> Fri, 27 Dec 2019 17:27:01 +0000
sympl-ftp (9.0.190624.0) stable; urgency=medium
* Adjusted configuration to allow www-data
......
......@@ -62,22 +62,9 @@ if [ -e /etc/ssl/private/pure-ftpd.pem ] ; then
#
echo '2' > /etc/pure-ftpd/conf/TLS
#
# Set the TLS cipher suites
#
cs="/etc/pure-ftpd/conf/TLSCipherSuite"
if [ -f "$cs" ] && \
( echo "9939bfb21f5be996e89b8a9e43bab6ba $cs" | md5sum -c > /dev/null 2>&1 || \
echo "debef44fdd534db09718bd42c34d83af $cs" | md5sum -c > /dev/null 2>&1 ) ; then
# OK this is the Debian ciphers, or previously updated ones.
echo "I: Updating pure-ftpd cipher suite"
#
# If this list changes, remember to change the md5 in the prerm too.
#
echo 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS' > $cs
fi
# Set the TLS cipher suite
echo 'HIGH:!TLSv1' > /etc/pure-ftpd/conf/TLSCipherSuite
fi
#DEBHELPER#
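Review bot: The new unconditional `echo 'HIGH:!TLSv1' > /etc/pure-ftpd/conf/TLSCipherSuite` rewrites the file on every postinst run, whereas the removed block only replaced it when its md5 matched the Debian default or a previous Sympl value, so a locally tuned cipher suite is now silently clobbered on each upgrade. Keeping a guard of that kind (with the hash of the new string added, and the removed reminder about the prerm hash moving with it) would preserve the old behaviour. The string also deserves a comment, because in OpenSSL cipher-list syntax `TLSv1` is a cipher-suite alias (the same set as `SSLv3`), so `!TLSv1` keeps only the TLSv1.2-specific suites and blocks TLS 1.0 as a side effect rather than setting a protocol floor, e.g. `# OpenSSL 'TLSv1' is a cipher alias, so !TLSv1 keeps only TLS1.2 suites`. `openssl ciphers -v 'HIGH:!TLSv1'` shows the resulting list for anyone checking it. The enclosing `if [ -e /etc/ssl/private/pure-ftpd.pem ]` starts outside the hunk.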
......
......@@ -9,6 +9,7 @@ if [ "$1" = "purge" ] ; then
if [ -L /etc/ssl/private/pure-ftpd.pem ]; then
rm /etc/ssl/private/pure-ftpd.pem
rm -f /etc/pure-ftpd/conf/TLS
echo ":HIGH" > /etc/pure-ftpd/conf/TLSCipherSuite
fi
#
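Review bot: The added `echo ":HIGH" > /etc/pure-ftpd/conf/TLSCipherSuite` writes a config file during purge while the line above deletes the sibling `TLS` file, and the value carries a stray leading colon, which makes it an empty element followed by `HIGH` rather than whatever pure-ftpd itself ships. If the aim is to hand the file back to pure-ftpd's default, the value should be copied from that package's conffile (not visible here); if the aim is cleanup, `rm -f /etc/pure-ftpd/conf/TLSCipherSuite` would match the previous line. The enclosing `if [ "$1" = "purge" ]` block starts before the hunk.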
......
sympl-mail (9.0.191227.0) stable; urgency=medium
* Improved PCI compliance by disabling TLSv1.0
-- Paul Cammish <sympl@kelduum.net> Fri, 27 Dec 2019 17:31:17 +0000
sympl-mail (9.0.191004.0) stable; urgency=medium
* Fixes permissions issue with configs
......
......@@ -6,7 +6,7 @@ ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDH
#
# Ban ancient protocols too.
#
ssl_protocols = !SSLv3
ssl_protocols = !SSLv3 !TLSv1
#
# Prefer our ciphers
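Review bot: `ssl_protocols = !SSLv3 !TLSv1` disables TLS 1.0 only; TLS 1.1 stays negotiable, so if the intent is to allow nothing below TLS 1.2 the line should read `ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1`. Either way the comment above it should say which versions remain, e.g. `# Refuse SSLv3 and TLS 1.0; TLS 1.1 and later are still offered`. Worth noting for whoever ports this forward: Dovecot 2.3 replaced `ssl_protocols` with `ssl_min_protocol`, so this setting is tied to the stretch release.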
......
......@@ -52,8 +52,9 @@ tls_on_connect_ports = 465
# removed unless the connecting port is 25, so ancient remote mail servers
# don't break too badly.
#
tls_require_ciphers = %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:%COMPAT:PFS:NORMAL:-VERS-SSL3.0:-MD5:-CURVE-SECP192R1:-CURVE-SECP224R1:\
-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM\
tls_require_ciphers = %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:%COMPAT:SECURE128:SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-MD5:\
-CURVE-SECP192R1:-CURVE-SECP224R1:-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:\
-CAMELLIA-128-GCM:-CAMELLIA-256-GCM\
${if !eq{$received_port}{25}{:-ARCFOUR-128}}
#
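Review bot: `-VERS-TLS1.0` in the new priority string disables TLS 1.0 but leaves TLS 1.1 negotiable, the same asymmetry as the dovecot change in this commit; if only TLS 1.2 is wanted, add `-VERS-TLS1.1` beside it. The comment preceding the setting still describes port 25 as the lenient path, yet the version cut now applies to port 25 too, so it should say that only the ARCFOUR exception remains port-dependent and that peers limited to TLS 1.0 will now fail STARTTLS (whether they then retry in clear is up to the peer). `SECURE128:SECURE192` looks redundant, since GnuTLS defines SECURE192 as the subset of SECURE128 at the higher level; confirming the resulting suite list with `gnutls-cli --list --priority` before merging would settle it.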
......
......@@ -23,6 +23,7 @@ class TestEximLive < Test::Unit::TestCase
@mailbox_crypt.password = @mailbox_crypt_password
@ssl_ctx = OpenSSL::SSL::SSLContext.new("TLSv1_client")
@ssl_ctx.ssl_version = :TLSv1_2
@ssl_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
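Review bot: Setting `@ssl_ctx.ssl_version = :TLSv1_2` right after `OpenSSL::SSL::SSLContext.new("TLSv1_client")` leaves the constructor argument contradicting the line below it; `@ssl_ctx = OpenSSL::SSL::SSLContext.new` followed by the `ssl_version=` assignment states the intent once (on the Ruby openssl gem from 2.1 onward `min_version=` is the non-deprecated form, if this suite runs there). More importantly, the change only checks that a TLS 1.2 client still connects; it does not assert that the TLS 1.0 handshake the commit is meant to disable is now refused, so a second context with `ssl_version = :TLSv1` and an assertion that its `connect` raises `OpenSSL::SSL::SSLError` would actually exercise the exim change. The method this hunk belongs to starts outside it.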
......
......@@ -5,4 +5,5 @@ Alias /webmail /var/www/webmail
<Directory /var/www/webmail >
php_admin_value open_basedir /var/www/webmail:/usr/share/roundcube:/var/lib/roundcube/:/usr/share/php:/etc/roundcube/:/var/log/roundcube
php_admin_value upload_tmp_dir /var/lib/roundcube/temp
</Directory>
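Review bot: The new `php_admin_value upload_tmp_dir /var/lib/roundcube/temp` only helps if that directory exists and is writable by the PHP process: when `upload_tmp_dir` is unusable PHP silently falls back to the system temp directory, which lies outside the `open_basedir` list on the line above and would likely reproduce the contact-import failure this commit fixes. Nothing in this section creates the directory (the packaging may do it elsewhere, not visible here), so a comment such as `# must exist and be writable by www-data; kept inside open_basedir on purpose` pointing at where it is created would make the dependency explicit.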
sympl-webmail (9.0.200127.0) stable; urgency=medium
* Fixed importing contacts
-- Paul Cammish <sympl@kelduum.net> Mon, 27 Jan 2020 23:32:01 +0000
sympl-webmail (9.0.190619.0) stable; urgency=medium
* Updated configuration to restrict PHP directory access
......