Sympl issues feed: https://gitlab.com/sympl.io/sympl/-/issues (2023-06-10T20:43:17Z)

Issue #338: sympl-mail-dict-proxy - passed username incorrect? (bookworm)
https://gitlab.com/sympl.io/sympl/-/issues/338 (Paul Cammish, 2023-06-10T20:43:17Z)
Something changed with bookworm, and it now seems the dict proxy is being sent `Lshared/passdb/<username><tab><username>` rather than the expected `Lshared/passdb/<username>`.
Trimming the tab and everything after it 'fixes' this, but it needs investigation as to why it happens.

Issue #327: letsencrypt initialisation uses incorrect e-mail address
https://gitlab.com/sympl.io/sympl/-/issues/327 (Paul Cammish, 2023-05-12T15:40:23Z)
# Summary
When letsencrypt is initialised, if a second website has already been created, that site's domain is used to register with letsencrypt rather than the system's hostname domain.
# Steps to reproduce
1. Automatically install sympl on Debian 11.
2. 'sympl web create banana.DOMAIN'
3. Follow wiki instructions to rename system from localhost.localdomain to apple.DOMAIN
4. 'echo "letsencrypt" > /srv/apple.DOMAIN/config/ssl-provider'
5. 'sudo sympl-ssl --verbose --force $newhost'
# What is the current bug behavior?
When letsencrypt is run for the first time, if a website other than the default one has already been created, the wrong domain is used to register with letsencrypt
# What is the expected correct behavior?
The system hostname domain should be used
# Relevant logs and/or screenshots
```
* Examining certificates for apple.DOMAIN
SSL set 0: The certificate subject is not valid for this domain apple.DOMAIN.
SSL set 0: The certificate subject is not valid for this domain apple.DOMAIN.
No valid certificate sets found.
Fetching a new certificate from LetsEncrypt.
Created new account with email address: root@banana.DOMAIN
Requesting verification for apple.DOMAIN from https://acme-v02.api.letsencrypt.org/directory
Successfully verified apple.DOMAIN
Requesting verification for www.apple.DOMAIN from https://acme-v02.api.letsencrypt.org/directory
!! Unable to verify www.apple.DOMAIN (status: invalid)
!! Check http://www.apple.DOMAIN/.well-known/acme-challenge/V45LrunGXuYPgAU8fnsLSvQDZReL0DemhcFc0Nf0APY works.
Successfully fetched new certificate and created set 1
Rolled over to SSL set 1
```
You can see that while the correct certificate is requested (apple.DOMAIN), the wrong e-mail address (root@banana.DOMAIN) is used to register with letsencrypt.
# Possible fixes
Sorry, no idea.
/cc @kelduum

Issue #325: sympl: Removing packages doesn't clean up links and other files
https://gitlab.com/sympl.io/sympl/-/issues/325 (Paul Cammish, 2023-06-10T21:36:53Z)
Removing FTP and related monitoring.
This will involve checking what's left over after uninstalling each package, versus what was there originally, then updating debian/postrm or similar to ensure things are cleaned up properly.
Originally raised [on the forum](https://forum.sympl.io/t/removing-ftp-and-related-monitoring/290).

Issue #319: multiple: 'tempfile is deprecated; consider using mktemp instead.'
https://gitlab.com/sympl.io/sympl/-/issues/319 (Paul Cammish, 2022-03-28T10:02:58Z)
Reported in https://forum.sympl.host/t/tempfile-is-deprecated-messages/245
Cron weekly (and likely others) report `WARNING: tempfile is deprecated; consider using mktemp instead.` when running the jobs.
On investigation, `tempfile` is used in:
```
core/lib/symbiosis/config_file.rb
core/test.d/tc_utils.rb
core/test.d/tc_config_file.rb
dns/lib/symbiosis/config_files/tinydns.rb
firewall/sbin/sympl-firewall-blacklist
firewall/sbin/sympl-firewall-whitelist
firewall/sbin/sympl-firewall
firewall/test.d/tc_blacklistdb.r
ftp/test.d/tc_ftp.rb
mail/sympl/test.d/tc_poppassd.rb
mail/sympl/test.d/tc_dict_handler.rb
web/lib/symbiosis/config_files/apache.rb
web/lib/symbiosis/config_files/webalizer.rb
web/test.d/tc_apache_logger.rb
web/test.d/tb_sympl_web_configure.rb
```
More investigation is probably needed as it looks to be originating with the Ruby tempfile.rb library.

Issue #314: sympl-ftp: SSL cert isn't updated once rotated
https://gitlab.com/sympl.io/sympl/-/issues/314 (Paul Cammish, 2021-09-20T22:46:56Z)
There's nothing to restart the pure-ftpd service once the SSL cert is updated, so a monthly restart may be worthwhile.
From: https://forum.sympl.host/t/ftps-certificate-expired-error/225

Issue #312: sympl-firewall: iptables-persistent conflict
https://gitlab.com/sympl.io/sympl/-/issues/312 (Paul Cammish, 2022-03-28T10:01:35Z)
It looks like when iptables-persistent is installed with a reasonable standard config, it can prevent DNS lookups when there are no IPv4 resolvers, which leads to the sympl-firewall hook waiting indefinitely and eventually being killed, and therefore no IPv6 coming up (and therefore no DNS resolution), which leads to other oddities.
Likely fix: make sure the hook doesn't stall indefinitely and instead times out.

Issue #304: sympl11 - Exim configuration uses tainting workaround
https://gitlab.com/sympl.io/sympl/-/issues/304 (Paul Cammish, 2021-08-13T16:12:36Z)
The configuration in Exim 4.94 has introduced the concept of tainting for user-submitted variables.
This causes some issues with the Sympl configuration as we need to be able to read the relevant information based on the input to route mail correctly.
A workaround has been applied to the relevant parts, but this should be removed before it leaves testing.

Issue #303: sympl-firewall: Traffic on the local IPv6 network can trigger blacklisting of the LAN
https://gitlab.com/sympl.io/sympl/-/issues/303 (Paul Cammish, 2021-01-23T17:45:17Z)
Sympl will track IPv6 traffic at a /64 resolution, but this means if something on the same LAN is flagged and blacklisted, it will effectively disable IPv6 traffic from the same /64, which can interfere with monitoring or similar.
What should probably happen is that Sympl is a bit more granular with its filtering of IPv6 addresses on the same /64, and instead only blocks individual IPs if it sees them acting suspiciously.

Issue #301: sympl-firewall: "Another app is currently holding the xtables lock"
https://gitlab.com/sympl.io/sympl/-/issues/301 (Paul Cammish, 2020-09-17T13:30:58Z)
One user was reporting emails like this, coming from `/usr/sbin/sympl-firewall` and `/usr/sbin/sympl-firewall-blacklist` on two hosts.
```text
From: Cron Daemon <root@hostname.fqdn>
Date: Mon, 14 Sep 2020 at 19:00
Subject: Cron <root@hostname> [ -x /usr/sbin/sympl-firewall ] &&
/usr/sbin/sympl-firewall
To: <root@hostname.fqdn>
Another app is currently holding the xtables lock. Perhaps you want to use
the -w option?
sympl-firewall: Firewall script failed.
sympl-firewall: Flushing /sbin/iptables rules and chains.
sympl-firewall: Flushing /sbin/ip6tables rules and chains.
sympl-firewall: Restoring old iptables rules and chains.
sympl-firewall: Restoring old ip6tables rules and chains.
sympl-firewall: Left firewall script in
/tmp/user/0/sympl-firewall-20200914-1505-1srb1j3-saved for inspection.
```
The direct cause is unclear at the moment, and they don't happen all the time (once a day or so, apparently), so it may simply be a race condition.

Issue #284: sympl-mail: Enhancement - Add a whitelist for Exim
https://gitlab.com/sympl.io/sympl/-/issues/284 (Paul Cammish, 2020-04-20T11:22:27Z)
If you're potentially blocking more mail due to the enhancement in issue #282, the ability to whitelist hosts/IPs would be useful to skip all spam filtering and consider the source as trusted.
This would likely need to be configured on a whole-host basis, and maybe should be located in /etc/sympl rather than the Exim config directory.
Maybe something which can be done automatically based on a previous good reputation, similar to the blacklists used by the firewall?

Issue #273: sympl-mail: A default-forward configured for a domain bypasses SpamAssassin filtering
https://gitlab.com/sympl.io/sympl/-/issues/273 (Paul Cammish, 2019-12-05T21:18:35Z)
As mentioned: https://forum.sympl.host/t/spam-not-being-tagged-nor-moved-to-the-spam-folder/63/4?u=kelduum
Seems likely it's an order of execution thing - the mail is being handled by the delivery function before it's been scanned.
IIRC, this was an issue with Symbiosis as well, so likely has been around a while.

Issue #268: DKIM signature covers the sender address, but should cover the FROM HEADER address.
https://gitlab.com/sympl.io/sympl/-/issues/268 (Paul Cammish, 2020-09-24T06:23:41Z)
# Summary
DKIM signatures are based on the SMTP sender address, not the email FROM HEADER address, which is the wrong thing to do. When the FROM address is local, and there's a DKIM key to sign with, then that should be done.
If there's no key to sign with, then perhaps we should not be sending the email!?
# Steps to reproduce
Send an email with a FROM address that doesn't match the SMTP sender address. You should notice that the DKIM header doesn't cover the FROM address.
/cc @kelduum

Issue #264: Default IP confusion with other services
https://gitlab.com/sympl.io/sympl/-/issues/264 (Paul Cammish, 2020-04-21T21:19:55Z)
# What is the current bug behavior?
When adding extra IPs manually (such as an IPv6 address), Sympl can get confused as to which is the primary IP, in cases where the IPs are listed out of order in the output of `ip a`.
# What is the expected correct behavior?
Sympl should probably take the IP(s) of the default domain `/srv/$HOSTNAME` as the default IP, only using the `config/ip` file to override this.
/cc @kelduum

Issue #262: sympl-firewall v10.0 uses iptables-legacy
https://gitlab.com/sympl.io/sympl/-/issues/262 (Paul Cammish, 2019-08-16T17:52:37Z)
Buster has migrated to nftables, so Sympl should move in that direction also.
It's mostly compatible at the moment; however, it does throw warnings when using the now default `iptables` in Buster.
Workaround in sympl/sympl!124 to swap to `iptables-legacy`, but this should be investigated further.

Issue #258: Occasional short-term failures reported by monitoring
https://gitlab.com/sympl.io/sympl/-/issues/258 (Paul Cammish, 2019-07-31T17:52:47Z)
Recently received the following report from the automatic monitoring. It resolved itself a few minutes later.
[paste_1093477.txt](/uploads/b13f16c409a7c2c5791a95e3d7601585/paste_1093477.txt)
I've seen similar short-term failures a couple of times.

Issue #257: Sympl should automatically update its configuration near-instantly
https://gitlab.com/sympl.io/sympl/-/issues/257 (Paul Cammish, 2020-01-28T13:33:20Z)
When changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the configuration and update as needed, adding to incrond's config where needed as domains are added/removed.
This would make configuration practically instant, so would need some kind of logging/admin notification so you can see what's actually going on.
Milestone: Future Plans

Issue #253: sympl-test: Race condition with certificate testing
https://gitlab.com/sympl.io/sympl/-/issues/253 (Paul Cammish, 2021-02-12T18:08:31Z)
It looks like on occasion a self-signed cert is being created, but being tested before it's valid.
Job [#9899](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/9899) failed for 80f6dd1c78f1401f5980105fc948fa74a2f01759:
```
===============================================================================
Failure:
Exception raised:
OpenSSL::X509::CertificateError(<Not valid for rcyexz5q3p.test -- certificate is not yet valid (9)>)
test_ssl_verify_with_root_ca(SSLTest)
/etc/sympl/test.d/tc_ssl.rb:562:in `test_ssl_verify_with_root_ca'
559: #
560: assert_nothing_raised{ @domain.ssl_x509_certificate_file = @domain.directory+"/config/ssl.combined" }
561: assert_nothing_raised{ @domain.ssl_key_file = @domain.directory+"/config/ssl.combined" }
=> 562: assert_nothing_raised{ @domain.ssl_verify(@domain.ssl_x509_certificate, @domain.ssl_key, @domain.ssl_certificate_store, true) }
563: end
564:
565: def test_ssl_verify_with_intermediate_ca
===============================================================================
```