Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2022-08-05T14:02:45Zhttps://gitlab.com/sympl.io/sympl/-/issues/326sympl-web: sympl-web-rotate-logs doen't use an efficent naming convention.2022-08-05T14:02:45ZPaul Cammishsympl-web: sympl-web-rotate-logs doen't use an efficent naming convention.`sympl-web-rotate-logs` uses what is basically the worst case for backup efficiently in the logging, although this works like logrotate.
You get ~30 days of old logs, each named `.[1-3]?[0-9]` the older ones of which are gzipped. Each t...`sympl-web-rotate-logs` uses what is basically the worst case for backup efficiently in the logging, although this works like logrotate.
You get ~30 days of old logs, each named `.[1-3]?[0-9]` the older ones of which are gzipped. Each time it rotates, the highest number is dropped, and everything is moved up a number.
This isn't terrible for finding the old data, but it's not ideal, and it means each time you run a backup, *all* of the logs have changed, so even a quiet site ends up with all the logs being backed up again.
The logs should be datestamped, and then the oldest one(s) removed, that way each day's logs don't end up getting backed up over and over again for a month.https://gitlab.com/sympl.io/sympl/-/issues/325sympl: Removing packages doesn't clean up links and other files2023-06-10T21:36:53ZPaul Cammishsympl: Removing packages doesn't clean up links and other filesRemoving FTP and related monitoring.
This will involve checking what's left over after uninstalling each package, versus what was there originally then updating debian/postrm or similar to ensure things are cleaned up properly.
Origina...Removing FTP and related monitoring.
This will involve checking what's left over after uninstalling each package, versus what was there originally then updating debian/postrm or similar to ensure things are cleaned up properly.
Originally raised [on the forum](https://forum.sympl.io/t/removing-ftp-and-related-monitoring/290).https://gitlab.com/sympl.io/sympl/-/issues/324FTP logs should be written to /var/log/pure-ftp/connection.log or similar2022-04-25T11:58:29ZPaul CammishFTP logs should be written to /var/log/pure-ftp/connection.log or similarAt the moment they only get written to `/var/log/messages`, which isn't that logical as there's also a `/var/log/pure-ftpd/` directory, where you'd expect to find them.
Also, we shouldn't be logging the RDNS for connections without the ...At the moment they only get written to `/var/log/messages`, which isn't that logical as there's also a `/var/log/pure-ftpd/` directory, where you'd expect to find them.
Also, we shouldn't be logging the RDNS for connections without the IP where at all possible, as it's trivial to fake.https://gitlab.com/sympl.io/sympl/-/issues/320sympl-firewall: does not play nicely with iptables-persistent2021-12-06T19:55:39ZPaul Cammishsympl-firewall: does not play nicely with iptables-persistentYou can get in an odd state if you don't have any v4 DNS resolvers and have iptables-persistent installed, where it will eventually fail to bring up the IPv6 address on the server, after timing out, and sympl-fireall will fail in an odd ...You can get in an odd state if you don't have any v4 DNS resolvers and have iptables-persistent installed, where it will eventually fail to bring up the IPv6 address on the server, after timing out, and sympl-fireall will fail in an odd was, meaning the server acts unusually.
Adding iptables-persistent (and friends) to the conflicts list should prevent this.https://gitlab.com/sympl.io/sympl/-/issues/314sympl-ftp: SSL cert isn't updated once rotated2021-09-20T22:46:56ZPaul Cammishsympl-ftp: SSL cert isn't updated once rotatedThere's nothing to restart the pure-ftpd service once the SSL cert is updated, so a monthly restart may be worthwhile.
From: https://forum.sympl.host/t/ftps-certificate-expired-error/225There's nothing to restart the pure-ftpd service once the SSL cert is updated, so a monthly restart may be worthwhile.
From: https://forum.sympl.host/t/ftps-certificate-expired-error/225https://gitlab.com/sympl.io/sympl/-/issues/313sympl-mail: Exim deny-unusual-characters acl is a little over-strict for outg...2021-07-01T13:14:18ZPaul Cammishsympl-mail: Exim deny-unusual-characters acl is a little over-strict for outgoing mail.Non-local domains deny `%` and `!` in email addresses, although they're valid, and it seems like Xero are using `!`'s in emails in some cases.
Replacing `local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./` with `local_parts = ^[./|] : ^.*@ :...Non-local domains deny `%` and `!` in email addresses, although they're valid, and it seems like Xero are using `!`'s in emails in some cases.
Replacing `local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./` with `local_parts = ^[./|] : ^.*@ : ^.*/\\.\\./` in https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/buster/mail/exim4/sympl.d/10-acl/50-acl-check-rcpt/20-deny-unusual-characters should fix this.https://gitlab.com/sympl.io/sympl/-/issues/312sympl-firewall: iptables-persistent conflict2022-03-28T10:01:35ZPaul Cammishsympl-firewall: iptables-persistent conflictIt looks like when iptables-persistent is installed with a reasonable standard config, it can prevent DNS lookups when there's no IPv4 resolvers, which leads to the sympl-firewall hook waiting indefinitely and eventually being killed, an...It looks like when iptables-persistent is installed with a reasonable standard config, it can prevent DNS lookups when there's no IPv4 resolvers, which leads to the sympl-firewall hook waiting indefinitely and eventually being killed, and therefore no IPv6 coming up (and therefore no DNS resolution) which leads to other oddities.
Likely fix: make sure the hook doesn't stall indefinitely and instead times out.https://gitlab.com/sympl.io/sympl/-/issues/311sympl-core: MOTD refers to v9.0 and v10.02021-04-13T11:38:10ZPaul Cammishsympl-core: MOTD refers to v9.0 and v10.0Since switching to continuous releases, we should remove the '.0' references on the MOTDSince switching to continuous releases, we should remove the '.0' references on the MOTDhttps://gitlab.com/sympl.io/sympl/-/issues/303sympl-firewall: Traffic on the local IPv6 network can trigger blacklisting of...2021-01-23T17:45:17ZPaul Cammishsympl-firewall: Traffic on the local IPv6 network can trigger blacklisting of the LANSympl will track IPv6 traffic at a /64 resolution, but this means if something on the same LAN is flagged and blacklisted, it will effectively disable IPv6 traffic from the same /64, which can interfere with monitoring or similar.
What ...Sympl will track IPv6 traffic at a /64 resolution, but this means if something on the same LAN is flagged and blacklisted, it will effectively disable IPv6 traffic from the same /64, which can interfere with monitoring or similar.
What should probably happen is that Sympl is a bit more granular with it's filtering of V6 addresses on the same /64, and instead only blocks individual IPs if it sees them acting suspicious.https://gitlab.com/sympl.io/sympl/-/issues/301sympl-firewall: "Another app is currently holding the xtables lock"2020-09-17T13:30:58ZPaul Cammishsympl-firewall: "Another app is currently holding the xtables lock"One user was reporting emails like this, coming from `/usr/sbin/sympl-firewall` and `/usr/sbin/sympl-firewall-blacklist` on two hosts.
```text
From: Cron Daemon <root@hostname.fqdn>
Date: Mon, 14 Sep 2020 at 19:00
Subject: Cron <root@ho...One user was reporting emails like this, coming from `/usr/sbin/sympl-firewall` and `/usr/sbin/sympl-firewall-blacklist` on two hosts.
```text
From: Cron Daemon <root@hostname.fqdn>
Date: Mon, 14 Sep 2020 at 19:00
Subject: Cron <root@hostname> [ -x /usr/sbin/sympl-firewall ] &&
/usr/sbin/sympl-firewall
To: <root@hostname.fqdn>
Another app is currently holding the xtables lock. Perhaps you want to use
the -w option?
sympl-firewall: Firewall script failed.
sympl-firewall: Flushing /sbin/iptables rules and chains.
sympl-firewall: Flushing /sbin/ip6tables rules and chains.
sympl-firewall: Restoring old iptables rules and chains.
sympl-firewall: Restoring old ip6tables rules and chains.
sympl-firewall: Left firewall script in
/tmp/user/0/sympl-firewall-20200914-1505-1srb1j3-saved for inspection.
```
The direct cause is unclear at the moment, and they don't happen all the time (once a day or so, apparently), so it may simply be a race condition.https://gitlab.com/sympl.io/sympl/-/issues/288sympl-core: Man page broken for sympl-ssl2020-04-20T11:37:33ZPaul Cammishsympl-core: Man page broken for sympl-sslThis is likely as the sympl-ssl man pages are built from the ruby normally, which currently has a wrapper to fix IPv6 support.
This should be fixed soon if possible, otherwise it will be fixed as part of issue #278.This is likely as the sympl-ssl man pages are built from the ruby normally, which currently has a wrapper to fix IPv6 support.
This should be fixed soon if possible, otherwise it will be fixed as part of issue #278.https://gitlab.com/sympl.io/sympl/-/issues/287sympl-mail: Man pages broken for support scripts2020-04-20T11:35:18ZPaul Cammishsympl-mail: Man pages broken for support scriptsThe man pages for:
```text
sympl-mail-dict-proxy
sympl-mail-encrypt-passwords
sympl-mail-poppassd
```
Only contain the Groff header, and should be fixed.The man pages for:
```text
sympl-mail-dict-proxy
sympl-mail-encrypt-passwords
sympl-mail-poppassd
```
Only contain the Groff header, and should be fixed.https://gitlab.com/sympl.io/sympl/-/issues/278sympl-ssl: Reimplmentation2021-02-12T18:08:30ZPaul Cammishsympl-ssl: ReimplmentationComplete reimplementation of sympl-ssl in Python, maintaining all the existing functionality and resolving long-standing issues.Complete reimplementation of sympl-ssl in Python, maintaining all the existing functionality and resolving long-standing issues.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/277sympl-mail: add Autoconfigure functionality2020-01-31T09:23:05ZPaul Cammishsympl-mail: add Autoconfigure functionalityAutoConfigure for email is fairly simple, and only requires an XML file at a specific path.
Adding functionality for this should be fairly easy to accomplish.
https://forum.sympl.host/t/configure-auto-discover-for-mail-setup/94?u=kelduumAutoConfigure for email is fairly simple, and only requires an XML file at a specific path.
Adding functionality for this should be fairly easy to accomplish.
https://forum.sympl.host/t/configure-auto-discover-for-mail-setup/94?u=kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/273sympl-mail: A default-forward configured for a domain bypasses SpamAssassin f...2019-12-05T21:18:35ZPaul Cammishsympl-mail: A default-forward configured for a domain bypasses SpamAssassin filteringAs mentioned: https://forum.sympl.host/t/spam-not-being-tagged-nor-moved-to-the-spam-folder/63/4?u=kelduum
Seems likely its an order of execution thing - the mail is being handled by the delivery function before it's been scanned.
IIRC...As mentioned: https://forum.sympl.host/t/spam-not-being-tagged-nor-moved-to-the-spam-folder/63/4?u=kelduum
Seems likely its an order of execution thing - the mail is being handled by the delivery function before it's been scanned.
IIRC, this was an issue with Symbiosis as well, so likely has been around a while.https://gitlab.com/sympl.io/sympl/-/issues/269SNI for mail only works with 'bare' domain name (or www.domain.name for dovecot)2019-11-13T13:39:05ZPaul CammishSNI for mail only works with 'bare' domain name (or www.domain.name for dovecot)# Summary
You can't use mail.domain.name to access email securely
# Steps to reproduce
Use an SNI mail client to try to fetch / send mail using mail.domain.name as the host
# What is the current bug behavior?
The certificate retur...# Summary
You can't use mail.domain.name to access email securely
# Steps to reproduce
Use an SNI mail client to try to fetch / send mail using mail.domain.name as the host
# What is the current bug behavior?
The certificate returned is the default for the server.
# What is the expected correct behavior?
The certificate returned should be for the correct domain
# Possible fixes
When generating certificates for a domain, ensure one if requested for mail.domain.name. Then add an SNI section for Dovecot to reference this. Exim looks a little trickier, as it goes directly to /srv/$tls_in_sni/config/ssl/current/ssl.combined to get the certificate.
/cc @kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/268DKIM signature covers the sender address, but should cover the FROM HEADER ad...2020-09-24T06:23:41ZPaul CammishDKIM signature covers the sender address, but should cover the FROM HEADER address.# Summary
DKIM signatures are based on the SMTP sender address, not the email FROM HEADER address, which is the wrong thing to do. When the FROM address is local, and there's a DKIM key to sign with, then that should be done.
If there...# Summary
DKIM signatures are based on the SMTP sender address, not the email FROM HEADER address, which is the wrong thing to do. When the FROM address is local, and there's a DKIM key to sign with, then that should be done.
If there's no key to sign with, then perhaps we should not be sending the email!?
# Steps to reproduce
Send an email with a FROM address that doesn't match the SMTP sender address. You should notice that the DKIM header doesn't cover the FROM address.
/cc @kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/264Default IP confusion with other services2020-04-21T21:19:55ZPaul CammishDefault IP confusion with other services# What is the current bug behavior?
When adding extra IPs manually (such as an IPv6 address), Sympl can get confused as to which is the primary IP, in cases where the IPs are listed out-of order in the output of `ip a`
# What is the e...# What is the current bug behavior?
When adding extra IPs manually (such as an IPv6 address), Sympl can get confused as to which is the primary IP, in cases where the IPs are listed out-of order in the output of `ip a`
# What is the expected correct behavior?
Sympl should probably take the IP(s) of the default domain `/srv/$HOSTNAME` as the default IP, only using the `config/ip` file to override this.
/cc @kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/262sympl-firewall v10.0 uses iptables-legacy2019-08-16T17:52:37ZPaul Cammishsympl-firewall v10.0 uses iptables-legacyBuster has migrated to nftables, so Sympl should move in that direction also.
It's mostly compatible at the moment, however it does throw warnings when using the now default `iptables` in Buster.
Workround in sympl/sympl!124 to swap to...Buster has migrated to nftables, so Sympl should move in that direction also.
It's mostly compatible at the moment, however it does throw warnings when using the now default `iptables` in Buster.
Workround in sympl/sympl!124 to swap to `iptables-legacy`, but this should be investigated futher.https://gitlab.com/sympl.io/sympl/-/issues/258Occasional short-term failures reported by monitoring2019-07-31T17:52:47ZPaul CammishOccasional short-term failures reported by monitoringRecently received the following report from the automatic monitoring. It resolved itself a few minutes later.
[paste_1093477.txt](/uploads/b13f16c409a7c2c5791a95e3d7601585/paste_1093477.txt)
I've seen similar short-term failures a coup...Recently received the following report from the automatic monitoring. It resolved itself a few minutes later.
[paste_1093477.txt](/uploads/b13f16c409a7c2c5791a95e3d7601585/paste_1093477.txt)
I've seen similar short-term failures a couple of times