Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2022-04-25T11:58:29Zhttps://gitlab.com/sympl.io/sympl/-/issues/324FTP logs should be written to /var/log/pure-ftp/connection.log or similar2022-04-25T11:58:29ZPaul CammishFTP logs should be written to /var/log/pure-ftp/connection.log or similarAt the moment they only get written to `/var/log/messages`, which isn't that logical as there's also a `/var/log/pure-ftpd/` directory, where you'd expect to find them.
Also, we shouldn't be logging the RDNS for connections without the ...At the moment they only get written to `/var/log/messages`, which isn't that logical as there's also a `/var/log/pure-ftpd/` directory, where you'd expect to find them.
Also, we shouldn't be logging the RDNS for connections without the IP where at all possible, as it's trivial to fake.https://gitlab.com/sympl.io/sympl/-/issues/320sympl-firewall: does not play nicely with iptables-persistent2021-12-06T19:55:39ZPaul Cammishsympl-firewall: does not play nicely with iptables-persistentYou can get in an odd state if you don't have any v4 DNS resolvers and have iptables-persistent installed, where it will eventually fail to bring up the IPv6 address on the server, after timing out, and sympl-fireall will fail in an odd ...You can get in an odd state if you don't have any v4 DNS resolvers and have iptables-persistent installed, where it will eventually fail to bring up the IPv6 address on the server, after timing out, and sympl-fireall will fail in an odd was, meaning the server acts unusually.
Adding iptables-persistent (and friends) to the conflicts list should prevent this.https://gitlab.com/sympl.io/sympl/-/issues/314sympl-ftp: SSL cert isn't updated once rotated2021-09-20T22:46:56ZPaul Cammishsympl-ftp: SSL cert isn't updated once rotatedThere's nothing to restart the pure-ftpd service once the SSL cert is updated, so a monthly restart may be worthwhile.
From: https://forum.sympl.host/t/ftps-certificate-expired-error/225There's nothing to restart the pure-ftpd service once the SSL cert is updated, so a monthly restart may be worthwhile.
From: https://forum.sympl.host/t/ftps-certificate-expired-error/225https://gitlab.com/sympl.io/sympl/-/issues/313sympl-mail: Exim deny-unusual-characters acl is a little over-strict for outg...2021-07-01T13:14:18ZPaul Cammishsympl-mail: Exim deny-unusual-characters acl is a little over-strict for outgoing mail.Non-local domains deny `%` and `!` in email addresses, although they're valid, and it seems like Xero are using `!`'s in emails in some cases.
Replacing `local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./` with `local_parts = ^[./|] : ^.*@ :...Non-local domains deny `%` and `!` in email addresses, although they're valid, and it seems like Xero are using `!`'s in emails in some cases.
Replacing `local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./` with `local_parts = ^[./|] : ^.*@ : ^.*/\\.\\./` in https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/buster/mail/exim4/sympl.d/10-acl/50-acl-check-rcpt/20-deny-unusual-characters should fix this.https://gitlab.com/sympl.io/sympl/-/issues/312sympl-firewall: iptables-persistent conflict2022-03-28T10:01:35ZPaul Cammishsympl-firewall: iptables-persistent conflictIt looks like when iptables-persistent is installed with a reasonable standard config, it can prevent DNS lookups when there's no IPv4 resolvers, which leads to the sympl-firewall hook waiting indefinitely and eventually being killed, an...It looks like when iptables-persistent is installed with a reasonable standard config, it can prevent DNS lookups when there's no IPv4 resolvers, which leads to the sympl-firewall hook waiting indefinitely and eventually being killed, and therefore no IPv6 coming up (and therefore no DNS resolution) which leads to other oddities.
Likely fix: make sure the hook doesn't stall indefinitely and instead times out.https://gitlab.com/sympl.io/sympl/-/issues/311sympl-core: MOTD refers to v9.0 and v10.02021-04-13T11:38:10ZPaul Cammishsympl-core: MOTD refers to v9.0 and v10.0Since switching to continuous releases, we should remove the '.0' references on the MOTDSince switching to continuous releases, we should remove the '.0' references on the MOTDhttps://gitlab.com/sympl.io/sympl/-/issues/303sympl-firewall: Traffic on the local IPv6 network can trigger blacklisting of...2021-01-23T17:45:17ZPaul Cammishsympl-firewall: Traffic on the local IPv6 network can trigger blacklisting of the LANSympl will track IPv6 traffic at a /64 resolution, but this means if something on the same LAN is flagged and blacklisted, it will effectively disable IPv6 traffic from the same /64, which can interfere with monitoring or similar.
What ...Sympl will track IPv6 traffic at a /64 resolution, but this means if something on the same LAN is flagged and blacklisted, it will effectively disable IPv6 traffic from the same /64, which can interfere with monitoring or similar.
What should probably happen is that Sympl is a bit more granular with it's filtering of V6 addresses on the same /64, and instead only blocks individual IPs if it sees them acting suspicious.https://gitlab.com/sympl.io/sympl/-/issues/288sympl-core: Man page broken for sympl-ssl2020-04-20T11:37:33ZPaul Cammishsympl-core: Man page broken for sympl-sslThis is likely as the sympl-ssl man pages are built from the ruby normally, which currently has a wrapper to fix IPv6 support.
This should be fixed soon if possible, otherwise it will be fixed as part of issue #278.This is likely as the sympl-ssl man pages are built from the ruby normally, which currently has a wrapper to fix IPv6 support.
This should be fixed soon if possible, otherwise it will be fixed as part of issue #278.https://gitlab.com/sympl.io/sympl/-/issues/287sympl-mail: Man pages broken for support scripts2020-04-20T11:35:18ZPaul Cammishsympl-mail: Man pages broken for support scriptsThe man pages for:
```text
sympl-mail-dict-proxy
sympl-mail-encrypt-passwords
sympl-mail-poppassd
```
Only contain the Groff header, and should be fixed.The man pages for:
```text
sympl-mail-dict-proxy
sympl-mail-encrypt-passwords
sympl-mail-poppassd
```
Only contain the Groff header, and should be fixed.https://gitlab.com/sympl.io/sympl/-/issues/278sympl-ssl: Reimplmentation2021-02-12T18:08:30ZPaul Cammishsympl-ssl: ReimplmentationComplete reimplementation of sympl-ssl in Python, maintaining all the existing functionality and resolving long-standing issues.Complete reimplementation of sympl-ssl in Python, maintaining all the existing functionality and resolving long-standing issues.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/277sympl-mail: add Autoconfigure functionality2020-01-31T09:23:05ZPaul Cammishsympl-mail: add Autoconfigure functionalityAutoConfigure for email is fairly simple, and only requires an XML file at a specific path.
Adding functionality for this should be fairly easy to accomplish.
https://forum.sympl.host/t/configure-auto-discover-for-mail-setup/94?u=kelduumAutoConfigure for email is fairly simple, and only requires an XML file at a specific path.
Adding functionality for this should be fairly easy to accomplish.
https://forum.sympl.host/t/configure-auto-discover-for-mail-setup/94?u=kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/273sympl-mail: A default-forward configured for a domain bypasses SpamAssassin f...2019-12-05T21:18:35ZPaul Cammishsympl-mail: A default-forward configured for a domain bypasses SpamAssassin filteringAs mentioned: https://forum.sympl.host/t/spam-not-being-tagged-nor-moved-to-the-spam-folder/63/4?u=kelduum
Seems likely its an order of execution thing - the mail is being handled by the delivery function before it's been scanned.
IIRC...As mentioned: https://forum.sympl.host/t/spam-not-being-tagged-nor-moved-to-the-spam-folder/63/4?u=kelduum
Seems likely its an order of execution thing - the mail is being handled by the delivery function before it's been scanned.
IIRC, this was an issue with Symbiosis as well, so likely has been around a while.https://gitlab.com/sympl.io/sympl/-/issues/269SNI for mail only works with 'bare' domain name (or www.domain.name for dovecot)2019-11-13T13:39:05ZPaul CammishSNI for mail only works with 'bare' domain name (or www.domain.name for dovecot)# Summary
You can't use mail.domain.name to access email securely
# Steps to reproduce
Use an SNI mail client to try to fetch / send mail using mail.domain.name as the host
# What is the current bug behavior?
The certificate retur...# Summary
You can't use mail.domain.name to access email securely
# Steps to reproduce
Use an SNI mail client to try to fetch / send mail using mail.domain.name as the host
# What is the current bug behavior?
The certificate returned is the default for the server.
# What is the expected correct behavior?
The certificate returned should be for the correct domain
# Possible fixes
When generating certificates for a domain, ensure one if requested for mail.domain.name. Then add an SNI section for Dovecot to reference this. Exim looks a little trickier, as it goes directly to /srv/$tls_in_sni/config/ssl/current/ssl.combined to get the certificate.
/cc @kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/268DKIM signature covers the sender address, but should cover the FROM HEADER ad...2020-09-24T06:23:41ZPaul CammishDKIM signature covers the sender address, but should cover the FROM HEADER address.# Summary
DKIM signatures are based on the SMTP sender address, not the email FROM HEADER address, which is the wrong thing to do. When the FROM address is local, and there's a DKIM key to sign with, then that should be done.
If there...# Summary
DKIM signatures are based on the SMTP sender address, not the email FROM HEADER address, which is the wrong thing to do. When the FROM address is local, and there's a DKIM key to sign with, then that should be done.
If there's no key to sign with, then perhaps we should not be sending the email!?
# Steps to reproduce
Send an email with a FROM address that doesn't match the SMTP sender address. You should notice that the DKIM header doesn't cover the FROM address.
/cc @kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/264Default IP confusion with other services2020-04-21T21:19:55ZPaul CammishDefault IP confusion with other services# What is the current bug behavior?
When adding extra IPs manually (such as an IPv6 address), Sympl can get confused as to which is the primary IP, in cases where the IPs are listed out-of order in the output of `ip a`
# What is the e...# What is the current bug behavior?
When adding extra IPs manually (such as an IPv6 address), Sympl can get confused as to which is the primary IP, in cases where the IPs are listed out-of order in the output of `ip a`
# What is the expected correct behavior?
Sympl should probably take the IP(s) of the default domain `/srv/$HOSTNAME` as the default IP, only using the `config/ip` file to override this.
/cc @kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/258Occasional short-term failures reported by monitoring2019-07-31T17:52:47ZPaul CammishOccasional short-term failures reported by monitoringRecently received the following report from the automatic monitoring. It resolved itself a few minutes later.
[paste_1093477.txt](/uploads/b13f16c409a7c2c5791a95e3d7601585/paste_1093477.txt)
I've seen similar short-term failures a coup...Recently received the following report from the automatic monitoring. It resolved itself a few minutes later.
[paste_1093477.txt](/uploads/b13f16c409a7c2c5791a95e3d7601585/paste_1093477.txt)
I've seen similar short-term failures a couple of timeshttps://gitlab.com/sympl.io/sympl/-/issues/257Sympl should automatically update it's configuration near-instantly2020-01-28T13:33:20ZPaul CammishSympl should automatically update it's configuration near-instantlyWhen changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the co...When changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the configuration and update as needed, adding to incrond's config where needed as domains are added/removed.
This would make configuration practically instant, so would need some kind of logging/admin notification so you can see what's actually going on.Future Planshttps://gitlab.com/sympl.io/sympl/-/issues/256sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock2019-07-17T15:47:39ZPaul Cammishsympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lockJob [#11106](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/11106) failed for 89b35a9928e5c77aa5ea832fb4a0e851cc3cd601:
```
+ symbiosis-firewall --verbose
sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock: No ...Job [#11106](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/11106) failed for 89b35a9928e5c77aa5ea832fb4a0e851cc3cd601:
```
+ symbiosis-firewall --verbose
sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock: No locks available - Unable to acquire lock -- Resource temporarily unavailable
run-parts: autotest/test.d/50-test-cli exited with return code 1
ERROR: Job failed: Process exited with: 1. Reason was: ()
```
This is the testing job accidentally aligning with a scheduled run - it's only a few seconds of window, but it happens more often than I'd like.https://gitlab.com/sympl.io/sympl/-/issues/253sympl-test: Race condition with certificate testing2021-02-12T18:08:31ZPaul Cammishsympl-test: Race condition with certificate testingIt looks like on occasion a self-signed cert is being created, but being tested before it's valid.
Job [#9899](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/9899) failed for 80f6dd1c78f1401f5980105fc948fa74a2f01759:
```
=========...It looks like on occasion a self-signed cert is being created, but being tested before it's valid.
Job [#9899](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/9899) failed for 80f6dd1c78f1401f5980105fc948fa74a2f01759:
```
===============================================================================
Failure:
Exception raised:
OpenSSL::X509::CertificateError(<Not valid for rcyexz5q3p.test -- certificate is not yet valid (9)>)
test_ssl_verify_with_root_ca(SSLTest)
/etc/sympl/test.d/tc_ssl.rb:562:in `test_ssl_verify_with_root_ca'
559: #
560: assert_nothing_raised{ @domain.ssl_x509_certificate_file = @domain.directory+"/config/ssl.combined" }
561: assert_nothing_raised{ @domain.ssl_key_file = @domain.directory+"/config/ssl.combined" }
=> 562: assert_nothing_raised{ @domain.ssl_verify(@domain.ssl_x509_certificate, @domain.ssl_key, @domain.ssl_certificate_store, true) }
563: end
564:
565: def test_ssl_verify_with_intermediate_ca
===============================================================================
```https://gitlab.com/sympl.io/sympl/-/issues/227Sympl parser2019-07-05T12:19:35ZPaul CammishSympl parserA basic version of the Sympl parser should be created, covering the most common things:
Creating domains, sites, mailboxes, ftp accounts, etc.
This can then be used in the new documentation, and expanded on further.A basic version of the Sympl parser should be created, covering the most common things:
Creating domains, sites, mailboxes, ftp accounts, etc.
This can then be used in the new documentation, and expanded on further.BacklogPaul CammishPaul Cammish