Sympl issues
https://gitlab.com/sympl.io/sympl/-/issues
2023-03-16T12:40:32Z

https://gitlab.com/sympl.io/sympl/-/issues/330
sympl-webmail: Webmail should discourage over-use of the To: field
2023-03-16T12:40:32Z
Paul Cammish

As mentioned in https://forum.sympl.io/t/roundcube-max-disclosed-recipients/320, it's possible to have Roundcube ask if you really want to send to lots of disclosed recipients.
This would be nice to add to the default configuration, although with a reasonably high number.

https://gitlab.com/sympl.io/sympl/-/issues/326
sympl-web: sympl-web-rotate-logs doesn't use an efficient naming convention.
2022-08-05T14:02:45Z
Paul Cammish

`sympl-web-rotate-logs` uses what is basically the worst case for backup efficiency in the logging, although this works like logrotate.
You get ~30 days of old logs, each named `.[1-3]?[0-9]` the older ones of which are gzipped. Each time it rotates, the highest number is dropped, and everything is moved up a number.
This isn't terrible for finding the old data, but it's not ideal, and it means each time you run a backup, *all* of the logs have changed, so even a quiet site ends up with all the logs being backed up again.
The logs should be datestamped, and then the oldest one(s) removed, that way each day's logs don't end up getting backed up over and over again for a month.

https://gitlab.com/sympl.io/sympl/-/issues/324
FTP logs should be written to /var/log/pure-ftp/connection.log or similar
2022-04-25T11:58:29Z
Paul Cammish

At the moment they only get written to `/var/log/messages`, which isn't that logical as there's also a `/var/log/pure-ftpd/` directory, where you'd expect to find them.
Also, we shouldn't be logging the RDNS for connections without the IP where at all possible, as it's trivial to fake.

https://gitlab.com/sympl.io/sympl/-/issues/321
Add DNS records without preventing automatic generation
2023-03-16T12:58:49Z
Paul Cammish

I have my domain sign my emails with DKIM, using the host name as a selector, but I can also use an external SMTP server for some things, which has given me a public key to add to DNS. I guess in this case, I want to be able to add records to the DNS for the domain, but if I edit the DNS file, all other records will stop being updated. It would be good if there could be a different file for additional records so that the automatic file would still match its checksum.

https://gitlab.com/sympl.io/sympl/-/issues/313
sympl-mail: Exim deny-unusual-characters acl is a little over-strict for outgoing mail.
2021-07-01T13:14:18Z
Paul Cammish

Non-local domains deny `%` and `!` in email addresses, although they're valid, and it seems like Xero are using `!`'s in emails in some cases.
Replacing `local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./` with `local_parts = ^[./|] : ^.*@ : ^.*/\\.\\./` in https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/buster/mail/exim4/sympl.d/10-acl/50-acl-check-rcpt/20-deny-unusual-characters should fix this.

https://gitlab.com/sympl.io/sympl/-/issues/300
sympl-web: Support for Apache Includes
2020-09-10T08:28:06Z
Paul Cammish

A great idea in https://forum.sympl.host/t/auto-updating-ssl-certs-with-custom-apache-site-config/69/3?u=kelduum is to add an IncludeOptional directive to load extra configuration files from the config directory.

Assignee: Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/294
sympl-web: php-zip package is not installed by default
2020-09-09T17:23:53Z
Paul Cammish

It probably should be included in typical installs, as Windows-centric stuff is likely to expect it to be there.

Assignee: Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/289
sympl-firewall: The firewall shouldn't destroy other chains, and should be less ambiguous.
2020-04-20T14:05:48Z
Paul Cammish

This would be a change to existing operation, but Sympl shouldn't wipe out all the other iptables chains when it runs, and only modify rules it created itself (i.e. comments).
Similarly, the ambiguously named blacklist and whitelist should have names referencing Sympl.

https://gitlab.com/sympl.io/sympl/-/issues/286
sympl-mail: Review Exim configuration
2020-04-20T11:28:55Z
Paul Cammish

The Exim configuration has been inherited from older versions of Symbiosis, and has diverged a fair bit from the default Debian configuration. It's worth a full review of the config to bring it more in line and avoid issues later on.
One specific mention was that we should
> Comment out the rfc_1413 lines in 00-main/60-general-options and add a separate file with an ‘official’ exim4 recipe for turning ident off.
...which seems like a good start.

https://gitlab.com/sympl.io/sympl/-/issues/284
sympl-mail: Enhancement - Add a whitelist for Exim
2020-04-20T11:22:27Z
Paul Cammish

If you're potentially blocking more mail due to the enhancement in issue #282, the ability to whitelist hosts/IPs would be useful to skip all spam filtering and consider the source as trusted.
This would likely need to be configured on a whole-host basis, and maybe should be located in /etc/sympl rather than the Exim config directory.
Maybe something which can be done automatically based on a previous good reputation, similar to the blacklists used by the firewall?

https://gitlab.com/sympl.io/sympl/-/issues/283
sympl-mail: Enhancement - Improve Exim logging
2020-04-20T11:25:36Z
Paul Cammish

It's been suggested that moving the `log_selector` configuration out of `00-main/50-tls-options` into its own separate file would be useful (due to a limitation on how many instances there can be), and likely adding the `+smtp_protocol_error` option to it which will improve data for blacklisting with `sympl-firewall`.

https://gitlab.com/sympl.io/sympl/-/issues/282
sympl-mail: Enhancement - Expand blacklist functionality
2020-04-20T11:22:27Z
Paul Cammish

Adding functionality for the b.barracudacentral.org and bl.spamcop.net RBLs alongside the current Spamhaus ones may be useful, however as they are more sensitive, relevant warnings should be added to the documentation.

https://gitlab.com/sympl.io/sympl/-/issues/278
sympl-ssl: Reimplementation
2021-02-12T18:08:30Z
Paul Cammish

Complete reimplementation of sympl-ssl in Python, maintaining all the existing functionality and resolving long-standing issues.

Assignee: Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/277
sympl-mail: add Autoconfigure functionality
2020-01-31T09:23:05Z
Paul Cammish

AutoConfigure for email is fairly simple, and only requires an XML file at a specific path.
Adding functionality for this should be fairly easy to accomplish.
https://forum.sympl.host/t/configure-auto-discover-for-mail-setup/94?u=kelduum

https://gitlab.com/sympl.io/sympl/-/issues/271
sympl-core: On each install, check the user is in the right groups
2020-01-28T00:25:25Z
Paul Cammish

At the moment, the `sympl` user is only added to the relevant groups (notably www-data) when the user is created, rather than on installation of `sympl-core`.
This can cause some issues if the sympl user already exists (from a removed install, or it was created before installing), so it would be safer to check each time `sympl-core` is installed.

Assignee: Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/270
sympl-web: Allow apache includes in config/
2020-09-10T08:28:06Z
Paul Cammish

As per https://forum.sympl.host/t/auto-updating-ssl-certs-with-custom-apache-site-config/69/3
> One of the ways around this under symbiosis was to add an `IncludeOptional` directive to the master templates (`ssl.template.erb` & `non_ssl.template.erb`) with customisations kept in, say, config…
>
> `IncludeOptional /srv/<% domain %>/config/apache-*.conf`

Thanks to alphacabbage1 for the suggestion.
This will need checking for security, as we don't want any random user writing stuff to there, and breaking the security model or stopping Apache from starting.

https://gitlab.com/sympl.io/sympl/-/issues/269
SNI for mail only works with 'bare' domain name (or www.domain.name for dovecot)
2019-11-13T13:39:05Z
Paul Cammish

# Summary
You can't use mail.domain.name to access email securely
# Steps to reproduce
Use an SNI mail client to try to fetch / send mail using mail.domain.name as the host
# What is the current bug behavior?
The certificate returned is the default for the server.
# What is the expected correct behavior?
The certificate returned should be for the correct domain
# Possible fixes
When generating certificates for a domain, ensure one is requested for mail.domain.name. Then add an SNI section for Dovecot to reference this. Exim looks a little trickier, as it goes directly to /srv/$tls_in_sni/config/ssl/current/ssl.combined to get the certificate.
/cc @kelduum

https://gitlab.com/sympl.io/sympl/-/issues/257
Sympl should automatically update its configuration near-instantly
2020-01-28T13:33:20Z
Paul Cammish

When changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the configuration and update as needed, adding to incrond's config where needed as domains are added/removed.
This would make configuration practically instant, so would need some kind of logging/admin notification so you can see what's actually going on.

Milestone: Future Plans

https://gitlab.com/sympl.io/sympl/-/issues/252
GitLab CI Improvements
2019-07-09T18:44:33Z
Paul Cammish

What should be happening is the runner should strategically install the previous version (if it exists) from the relevant public repo, then install the version from the local repo. Instead, there's a common race condition meaning the public versions are the same as the newly pushed versions.
We should also have separate upgrade tests from the stable and the testing branches, so we can be certain that we won't break stable before deploying, but we can also pre-download the dependency packages needed in the images to save time and bandwidth, negating the need for a separate image.
* [x] Versions older than the local repo installed for upgrade tests.
* [x] Upgrade tests for stable and testing.
* [x] Pre-downloaded packages in clean install.
* [x] CI tidyup, ideally both major branches from the same version.
* [x] Tests for mangled changelog entries in the build CI

Milestone: Future Plans
Assignee: Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/248
sympl-mail: Debian-exim user should be added to sympl group.
2019-07-02T16:36:27Z
Paul Cammish

As is, the Debian-exim user already has access to the ssl-certs and other things, so giving it access to the config directory shouldn't be a problem now things are properly partitioned and will allow users to still configure things via SFTP.
`sympl-filesystem-security` will need adjusting for this also.

Assignee: Paul Cammish