Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2021-02-12T18:08:30Zhttps://gitlab.com/sympl.io/sympl/-/issues/278sympl-ssl: Reimplmentation2021-02-12T18:08:30ZPaul Cammishsympl-ssl: ReimplmentationComplete reimplementation of sympl-ssl in Python, maintaining all the existing functionality and resolving long-standing issues.Complete reimplementation of sympl-ssl in Python, maintaining all the existing functionality and resolving long-standing issues.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/227Sympl parser2019-07-05T12:19:35ZPaul CammishSympl parserA basic version of the Sympl parser should be created, covering the most common things:
Creating domains, sites, mailboxes, ftp accounts, etc.
This can then be used in the new documentation, and expanded on further.A basic version of the Sympl parser should be created, covering the most common things:
Creating domains, sites, mailboxes, ftp accounts, etc.
This can then be used in the new documentation, and expanded on further.BacklogPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/313sympl-mail: Exim deny-unusual-characters acl is a little over-strict for outg...2021-07-01T13:14:18ZPaul Cammishsympl-mail: Exim deny-unusual-characters acl is a little over-strict for outgoing mail.Non-local domains deny `%` and `!` in email addresses, although they're valid, and it seems like Xero are using `!`'s in emails in some cases.
Replacing `local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./` with `local_parts = ^[./|] : ^.*@ :...Non-local domains deny `%` and `!` in email addresses, although they're valid, and it seems like Xero are using `!`'s in emails in some cases.
Replacing `local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./` with `local_parts = ^[./|] : ^.*@ : ^.*/\\.\\./` in https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/buster/mail/exim4/sympl.d/10-acl/50-acl-check-rcpt/20-deny-unusual-characters should fix this.https://gitlab.com/sympl.io/sympl/-/issues/144Symbiosis: If an SSL cert is automatically disabled, Symbiosis won't use auto...2019-07-17T15:53:24ZPaul CammishSymbiosis: If an SSL cert is automatically disabled, Symbiosis won't use automatically it again if it becomes validImported from https://www.github.com/BytemarkHosting/symbiosis/issues/111
For example, if I have a site (https://under100words.com) and manually disable Let's Encrypt by placing `false` in `/srv/under100words.com/config/ssl-provider` an...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/111
For example, if I have a site (https://under100words.com) and manually disable Let's Encrypt by placing `false` in `/srv/under100words.com/config/ssl-provider` and moving the `config/ssl directory` out of the way, `symbiosis-httpd-configure` will disable the specific SSL cert for the site, swapping it to self-signed.
This is fine, and to be expected, however it does this by removing the relevant symlink from `/etc/apache2/sites-enabled`, which has the effect of flagging the site as "manually disabled", dropping it back to mass hosting, if configured.
Restoring the SSL configuration (removing `ssl-provider` and restoring `config/ssl`) then re-running `symbiosis-httpd-configure --verbose` you get:
```
# symbiosis-httpd-configure --verbose
[ . . . ]
Domain: under100words.com
Current SSL set 1: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2018-02-20 13:36:22 UTC
This site has SSL enabled, and is using the host's primary IPs -- continuing with SNI.
SSL is enabled -- using SSL template
Adding to configurations
[ . . . ]
Configuration: under100words.com.conf
Configuration is up-to date.
!! Configuration has been manually disabled.
```
So, it's still thinking that the site was manually disabled, so even if it managed to create the individual config as there are valid SSL certs, it's not being symlinked.
A manual workaround is to run `symbiosis-httpd-configure` for the specific site:
```
# symbiosis-httpd-configure --verbose under100words.com
Domain: under100words.com
Current SSL set 1: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2018-02-20 13:36:22 UTC
This site has SSL enabled, and is using the host's primary IPs -- continuing with SNI.
SSL is enabled -- using SSL template
Adding to configurations
Configuration: under100words.com.conf
Configuration is up-to date.
Enabling configuration.
Reloading Apache
```
This instead enables the config anyway, and things work normally again.Future Planshttps://gitlab.com/sympl.io/sympl/-/issues/122Symbiosis: `symbiosis-configure-ips` doesn't remove IPs it added once they ar...2019-06-06T11:08:42ZPaul CammishSymbiosis: `symbiosis-configure-ips` doesn't remove IPs it added once they are removed from /srv/*/config/ipImported from https://www.github.com/BytemarkHosting/symbiosis/issues/59
If an IP has been added to a machine via `/srv/*/config/ip`, then if removed, it won't be removed from the configuration until next reboot when it won't be re-adde...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/59
If an IP has been added to a machine via `/srv/*/config/ip`, then if removed, it won't be removed from the configuration until next reboot when it won't be re-added.
This is likely as it can't be determined that Symbiosis added the IP, so we should probably either:
1. Make it clear in the docs that removing an IP will need a reboot or manual change via `ip`.
2. Automatically remove any IPs not set somewhere in `/srv/*/config/ip` when running symbiosis-configure-ips.
3. Provide a `--force` switch (like the other Symbiosis apps) to make the config match what symbiosis-configure-ips is trying to do.
Future Planshttps://gitlab.com/sympl.io/sympl/-/issues/182Symbiosis: symbiosis-firewall 99-reject file is blank by default2019-04-15T09:14:34ZPaul CammishSymbiosis: symbiosis-firewall 99-reject file is blank by defaultImported from https://www.github.com/BytemarkHosting/symbiosis/issues/137
Symbiosis' firewall contains a `/etc/symbiosis/firewall/incoming.d/99-reject` rule by default, which will block connections from `0.0.0.0/0` (anywhere).
If we a...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/137
Symbiosis' firewall contains a `/etc/symbiosis/firewall/incoming.d/99-reject` rule by default, which will block connections from `0.0.0.0/0` (anywhere).
If we add an IP to this 99-reject file, connections will only be blocked from this IP and allowed from everywhere else, which isn't usually what we want to happen.
It would be safer if the 99-reject file contained `0.0.0.0/0` by default to avoid allowing more through the firewall than what was intended. This could still be removed from the file if needed.Future Planshttps://gitlab.com/sympl.io/sympl/-/issues/165Symbiosis: Publish CAA (DNS TXT) records to improve security2019-04-14T20:59:45ZPaul CammishSymbiosis: Publish CAA (DNS TXT) records to improve securityImported from https://www.github.com/BytemarkHosting/symbiosis/issues/134
Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, is a proposal to improve the strength of the PKI ecosystem with a new control to restr...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/134
Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, is a proposal to improve the strength of the PKI ecosystem with a new control to restrict which CAs can issue certificates for a particular domain name. It prevents bad people obtaining certificates from rogue or sloppy certification authorities.
It's a simple DNS text record to say, for example:
`example.org. CAA 128 issue "letsencrypt.org"`
At minimum, we could publish this record for a domain that's protected by a LetsEncrypt certificate.
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forumFuture Planshttps://gitlab.com/sympl.io/sympl/-/issues/284sympl-mail: Enhancement - Add a whitelist for Exim2020-04-20T11:22:27ZPaul Cammishsympl-mail: Enhancement - Add a whitelist for EximIf you're potentially blocking more mail due to the enhancement in issue #282, the ability to whitelist hosts/IPs, would be useful to skip all spam filtering and consider the source as trusted.
This would likely need to be configured on...If you're potentially blocking more mail due to the enhancement in issue #282, the ability to whitelist hosts/IPs, would be useful to skip all spam filtering and consider the source as trusted.
This would likely need to be configured on a whole-host basis, and maybe should be located in /etc/sympl rather than the Exim config directory.
Maybe something which can be done automatically based on a previous good reputation, similar to the blacklists used by the firewall?https://gitlab.com/sympl.io/sympl/-/issues/257Sympl should automatically update it's configuration near-instantly2020-01-28T13:33:20ZPaul CammishSympl should automatically update it's configuration near-instantlyWhen changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the co...When changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the configuration and update as needed, adding to incrond's config where needed as domains are added/removed.
This would make configuration practically instant, so would need some kind of logging/admin notification so you can see what's actually going on.Future Planshttps://gitlab.com/sympl.io/sympl/-/issues/330sympl-webmail: Webmail should discourage over-use of the To: field2023-03-16T12:40:32ZPaul Cammishsympl-webmail: Webmail should discourage over-use of the To: fieldAs mentioned in https://forum.sympl.io/t/roundcube-max-disclosed-recipients/320, its possible to have Roundcube ask if you really want to send to lots of disclosed recipients.
This would be nice to add to the default configuration, alth...As mentioned in https://forum.sympl.io/t/roundcube-max-disclosed-recipients/320, its possible to have Roundcube ask if you really want to send to lots of disclosed recipients.
This would be nice to add to the default configuration, although with a reasonably high number.https://gitlab.com/sympl.io/sympl/-/issues/326sympl-web: sympl-web-rotate-logs doen't use an efficent naming convention.2022-08-05T14:02:45ZPaul Cammishsympl-web: sympl-web-rotate-logs doen't use an efficent naming convention.`sympl-web-rotate-logs` uses what is basically the worst case for backup efficiently in the logging, although this works like logrotate.
You get ~30 days of old logs, each named `.[1-3]?[0-9]` the older ones of which are gzipped. Each t...`sympl-web-rotate-logs` uses what is basically the worst case for backup efficiently in the logging, although this works like logrotate.
You get ~30 days of old logs, each named `.[1-3]?[0-9]` the older ones of which are gzipped. Each time it rotates, the highest number is dropped, and everything is moved up a number.
This isn't terrible for finding the old data, but it's not ideal, and it means each time you run a backup, *all* of the logs have changed, so even a quiet site ends up with all the logs being backed up again.
The logs should be datestamped, and then the oldest one(s) removed, that way each day's logs don't end up getting backed up over and over again for a month.https://gitlab.com/sympl.io/sympl/-/issues/324FTP logs should be written to /var/log/pure-ftp/connection.log or similar2022-04-25T11:58:29ZPaul CammishFTP logs should be written to /var/log/pure-ftp/connection.log or similarAt the moment they only get written to `/var/log/messages`, which isn't that logical as there's also a `/var/log/pure-ftpd/` directory, where you'd expect to find them.
Also, we shouldn't be logging the RDNS for connections without the ...At the moment they only get written to `/var/log/messages`, which isn't that logical as there's also a `/var/log/pure-ftpd/` directory, where you'd expect to find them.
Also, we shouldn't be logging the RDNS for connections without the IP where at all possible, as it's trivial to fake.https://gitlab.com/sympl.io/sympl/-/issues/321Add DNS records without preventing automatic generation2023-03-16T12:58:49ZPaul CammishAdd DNS records without preventing automatic generationI have my domain sign my emails with DKIM, using the host name as a selector, but I can also use an external SMTP server for some things, which has given me a public key to add to DNS. I guess in this case, I want to be able to add recor...I have my domain sign my emails with DKIM, using the host name as a selector, but I can also use an external SMTP server for some things, which has given me a public key to add to DNS. I guess in this case, I want to be able to add records to the DNS for the domain, but if I edit the DNS file, all other records will stop being updated. It would be good if there could be a different file for additional records so that the automatic file would still match its checksum.https://gitlab.com/sympl.io/sympl/-/issues/289sympl-firewall: The firewall shouldn't destroy other chains, and should be le...2020-04-20T14:05:48ZPaul Cammishsympl-firewall: The firewall shouldn't destroy other chains, and should be less ambiguous.This would be a change to existing operation, but Sympl shouldn't wipe out the all other iptables chains when it runs, and only modify rules it created itself (ie: comments).
Similarly, the ambiguously named blacklist and whitelist shou...This would be a change to existing operation, but Sympl shouldn't wipe out the all other iptables chains when it runs, and only modify rules it created itself (ie: comments).
Similarly, the ambiguously named blacklist and whitelist should have names referencing Sympl.https://gitlab.com/sympl.io/sympl/-/issues/286sympl-mail: Review Exim configuration2020-04-20T11:28:55ZPaul Cammishsympl-mail: Review Exim configurationThe Exim configuration has been inherited from older versions of Symbiosis, and has diverged a fair bit from the default Debian configuration. It's worth a full review of the config to bring it more in line and avoid issues later on.
On...The Exim configuration has been inherited from older versions of Symbiosis, and has diverged a fair bit from the default Debian configuration. It's worth a full review of the config to bring it more in line and avoid issues later on.
One specific mention was that we should
> Comment out the rfc_1413 lines in 00-main/60-general-options and add a separate file with an ‘official’ exim4 recipe for turning ident off.
...which seems like a good start.https://gitlab.com/sympl.io/sympl/-/issues/285sympl-mail: Enhancement - Reject abusive hosts in Exim2020-04-20T11:25:36ZPaul Cammishsympl-mail: Enhancement - Reject abusive hosts in EximAssuming we are logging more data from issue #283, we can then blacklist (or greylist?) abusive hosts using sympl-firewall, which should deal with attempts to brute-force account details.Assuming we are logging more data from issue #283, we can then blacklist (or greylist?) abusive hosts using sympl-firewall, which should deal with attempts to brute-force account details.https://gitlab.com/sympl.io/sympl/-/issues/283sympl-mail: Enhancement - Improve Exim logging2020-04-20T11:25:36ZPaul Cammishsympl-mail: Enhancement - Improve Exim loggingIt's been suggested that moving the `log_selector` configuration out of `00-main/50-tls-options` into it's own separate file would be useful (due to a limitation on how many instances there can be), and likely adding the `+smtp_protocol_...It's been suggested that moving the `log_selector` configuration out of `00-main/50-tls-options` into it's own separate file would be useful (due to a limitation on how many instances there can be), and likely adding the `+smtp_protocol_error` option to it which will improve data for blacklisting with `sympl-firewall`.https://gitlab.com/sympl.io/sympl/-/issues/282sympl-mail: Enhancement - Expand blacklist functionality2020-04-20T11:22:27ZPaul Cammishsympl-mail: Enhancement - Expand blacklist functionalityAdding functionality for the b.barracudacentral.org and bl.spamcop.net RBLs alongside the current Spamhaus ones may be useful, however as they are more sensitive relevant warnings should be added to the documentation.Adding functionality for the b.barracudacentral.org and bl.spamcop.net RBLs alongside the current Spamhaus ones may be useful, however as they are more sensitive relevant warnings should be added to the documentation.https://gitlab.com/sympl.io/sympl/-/issues/277sympl-mail: add Autoconfigure functionality2020-01-31T09:23:05ZPaul Cammishsympl-mail: add Autoconfigure functionalityAutoConfigure for email is fairly simple, and only requires an XML file at a specific path.
Adding functionality for this should be fairly easy to accomplish.
https://forum.sympl.host/t/configure-auto-discover-for-mail-setup/94?u=kelduumAutoConfigure for email is fairly simple, and only requires an XML file at a specific path.
Adding functionality for this should be fairly easy to accomplish.
https://forum.sympl.host/t/configure-auto-discover-for-mail-setup/94?u=kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/269SNI for mail only works with 'bare' domain name (or www.domain.name for dovecot)2019-11-13T13:39:05ZPaul CammishSNI for mail only works with 'bare' domain name (or www.domain.name for dovecot)# Summary
You can't use mail.domain.name to access email securely
# Steps to reproduce
Use an SNI mail client to try to fetch / send mail using mail.domain.name as the host
# What is the current bug behavior?
The certificate retur...# Summary
You can't use mail.domain.name to access email securely
# Steps to reproduce
Use an SNI mail client to try to fetch / send mail using mail.domain.name as the host
# What is the current bug behavior?
The certificate returned is the default for the server.
# What is the expected correct behavior?
The certificate returned should be for the correct domain
# Possible fixes
When generating certificates for a domain, ensure one if requested for mail.domain.name. Then add an SNI section for Dovecot to reference this. Exim looks a little trickier, as it goes directly to /srv/$tls_in_sni/config/ssl/current/ssl.combined to get the certificate.
/cc @kelduum