Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2020-04-20T11:28:55Zhttps://gitlab.com/sympl.io/sympl/-/issues/286sympl-mail: Review Exim configuration2020-04-20T11:28:55ZPaul Cammishsympl-mail: Review Exim configurationThe Exim configuration has been inherited from older versions of Symbiosis, and has diverged a fair bit from the default Debian configuration. It's worth a full review of the config to bring it more in line and avoid issues later on.
On...The Exim configuration has been inherited from older versions of Symbiosis, and has diverged a fair bit from the default Debian configuration. It's worth a full review of the config to bring it more in line and avoid issues later on.
One specific mention was that we should
> Comment out the rfc_1413 lines in 00-main/60-general-options and add a separate file with an ‘official’ exim4 recipe for turning ident off.
...which seems like a good start.https://gitlab.com/sympl.io/sympl/-/issues/285sympl-mail: Enhancement - Reject abusive hosts in Exim2020-04-20T11:25:36ZPaul Cammishsympl-mail: Enhancement - Reject abusive hosts in EximAssuming we are logging more data from issue #283, we can then blacklist (or greylist?) abusive hosts using sympl-firewall, which should deal with attempts to brute-force account details.Assuming we are logging more data from issue #283, we can then blacklist (or greylist?) abusive hosts using sympl-firewall, which should deal with attempts to brute-force account details.https://gitlab.com/sympl.io/sympl/-/issues/284sympl-mail: Enhancement - Add a whitelist for Exim2020-04-20T11:22:27ZPaul Cammishsympl-mail: Enhancement - Add a whitelist for EximIf you're potentially blocking more mail due to the enhancement in issue #282, the ability to whitelist hosts/IPs, would be useful to skip all spam filtering and consider the source as trusted.
This would likely need to be configured on...If you're potentially blocking more mail due to the enhancement in issue #282, the ability to whitelist hosts/IPs, would be useful to skip all spam filtering and consider the source as trusted.
This would likely need to be configured on a whole-host basis, and maybe should be located in /etc/sympl rather than the Exim config directory.
Maybe something which can be done automatically based on a previous good reputation, similar to the blacklists used by the firewall?https://gitlab.com/sympl.io/sympl/-/issues/283sympl-mail: Enhancement - Improve Exim logging2020-04-20T11:25:36ZPaul Cammishsympl-mail: Enhancement - Improve Exim loggingIt's been suggested that moving the `log_selector` configuration out of `00-main/50-tls-options` into it's own separate file would be useful (due to a limitation on how many instances there can be), and likely adding the `+smtp_protocol_...It's been suggested that moving the `log_selector` configuration out of `00-main/50-tls-options` into it's own separate file would be useful (due to a limitation on how many instances there can be), and likely adding the `+smtp_protocol_error` option to it which will improve data for blacklisting with `sympl-firewall`.https://gitlab.com/sympl.io/sympl/-/issues/282sympl-mail: Enhancement - Expand blacklist functionality2020-04-20T11:22:27ZPaul Cammishsympl-mail: Enhancement - Expand blacklist functionalityAdding functionality for the b.barracudacentral.org and bl.spamcop.net RBLs alongside the current Spamhaus ones may be useful, however as they are more sensitive relevant warnings should be added to the documentation.Adding functionality for the b.barracudacentral.org and bl.spamcop.net RBLs alongside the current Spamhaus ones may be useful, however as they are more sensitive relevant warnings should be added to the documentation.https://gitlab.com/sympl.io/sympl/-/issues/278sympl-ssl: Reimplmentation2021-02-12T18:08:30ZPaul Cammishsympl-ssl: ReimplmentationComplete reimplementation of sympl-ssl in Python, maintaining all the existing functionality and resolving long-standing issues.Complete reimplementation of sympl-ssl in Python, maintaining all the existing functionality and resolving long-standing issues.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/277sympl-mail: add Autoconfigure functionality2020-01-31T09:23:05ZPaul Cammishsympl-mail: add Autoconfigure functionalityAutoConfigure for email is fairly simple, and only requires an XML file at a specific path.
Adding functionality for this should be fairly easy to accomplish.
https://forum.sympl.host/t/configure-auto-discover-for-mail-setup/94?u=kelduumAutoConfigure for email is fairly simple, and only requires an XML file at a specific path.
Adding functionality for this should be fairly easy to accomplish.
https://forum.sympl.host/t/configure-auto-discover-for-mail-setup/94?u=kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/273sympl-mail: A default-forward configured for a domain bypasses SpamAssassin f...2019-12-05T21:18:35ZPaul Cammishsympl-mail: A default-forward configured for a domain bypasses SpamAssassin filteringAs mentioned: https://forum.sympl.host/t/spam-not-being-tagged-nor-moved-to-the-spam-folder/63/4?u=kelduum
Seems likely its an order of execution thing - the mail is being handled by the delivery function before it's been scanned.
IIRC...As mentioned: https://forum.sympl.host/t/spam-not-being-tagged-nor-moved-to-the-spam-folder/63/4?u=kelduum
Seems likely its an order of execution thing - the mail is being handled by the delivery function before it's been scanned.
IIRC, this was an issue with Symbiosis as well, so likely has been around a while.https://gitlab.com/sympl.io/sympl/-/issues/269SNI for mail only works with 'bare' domain name (or www.domain.name for dovecot)2019-11-13T13:39:05ZPaul CammishSNI for mail only works with 'bare' domain name (or www.domain.name for dovecot)# Summary
You can't use mail.domain.name to access email securely
# Steps to reproduce
Use an SNI mail client to try to fetch / send mail using mail.domain.name as the host
# What is the current bug behavior?
The certificate retur...# Summary
You can't use mail.domain.name to access email securely
# Steps to reproduce
Use an SNI mail client to try to fetch / send mail using mail.domain.name as the host
# What is the current bug behavior?
The certificate returned is the default for the server.
# What is the expected correct behavior?
The certificate returned should be for the correct domain
# Possible fixes
When generating certificates for a domain, ensure one if requested for mail.domain.name. Then add an SNI section for Dovecot to reference this. Exim looks a little trickier, as it goes directly to /srv/$tls_in_sni/config/ssl/current/ssl.combined to get the certificate.
/cc @kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/268DKIM signature covers the sender address, but should cover the FROM HEADER ad...2020-09-24T06:23:41ZPaul CammishDKIM signature covers the sender address, but should cover the FROM HEADER address.# Summary
DKIM signatures are based on the SMTP sender address, not the email FROM HEADER address, which is the wrong thing to do. When the FROM address is local, and there's a DKIM key to sign with, then that should be done.
If there...# Summary
DKIM signatures are based on the SMTP sender address, not the email FROM HEADER address, which is the wrong thing to do. When the FROM address is local, and there's a DKIM key to sign with, then that should be done.
If there's no key to sign with, then perhaps we should not be sending the email!?
# Steps to reproduce
Send an email with a FROM address that doesn't match the SMTP sender address. You should notice that the DKIM header doesn't cover the FROM address.
/cc @kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/264Default IP confusion with other services2020-04-21T21:19:55ZPaul CammishDefault IP confusion with other services# What is the current bug behavior?
When adding extra IPs manually (such as an IPv6 address), Sympl can get confused as to which is the primary IP, in cases where the IPs are listed out-of order in the output of `ip a`
# What is the e...# What is the current bug behavior?
When adding extra IPs manually (such as an IPv6 address), Sympl can get confused as to which is the primary IP, in cases where the IPs are listed out-of order in the output of `ip a`
# What is the expected correct behavior?
Sympl should probably take the IP(s) of the default domain `/srv/$HOSTNAME` as the default IP, only using the `config/ip` file to override this.
/cc @kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/262sympl-firewall v10.0 uses iptables-legacy2019-08-16T17:52:37ZPaul Cammishsympl-firewall v10.0 uses iptables-legacyBuster has migrated to nftables, so Sympl should move in that direction also.
It's mostly compatible at the moment, however it does throw warnings when using the now default `iptables` in Buster.
Workround in sympl/sympl!124 to swap to...Buster has migrated to nftables, so Sympl should move in that direction also.
It's mostly compatible at the moment, however it does throw warnings when using the now default `iptables` in Buster.
Workround in sympl/sympl!124 to swap to `iptables-legacy`, but this should be investigated futher.https://gitlab.com/sympl.io/sympl/-/issues/258Occasional short-term failures reported by monitoring2019-07-31T17:52:47ZPaul CammishOccasional short-term failures reported by monitoringRecently received the following report from the automatic monitoring. It resolved itself a few minutes later.
[paste_1093477.txt](/uploads/b13f16c409a7c2c5791a95e3d7601585/paste_1093477.txt)
I've seen similar short-term failures a coup...Recently received the following report from the automatic monitoring. It resolved itself a few minutes later.
[paste_1093477.txt](/uploads/b13f16c409a7c2c5791a95e3d7601585/paste_1093477.txt)
I've seen similar short-term failures a couple of timeshttps://gitlab.com/sympl.io/sympl/-/issues/257Sympl should automatically update it's configuration near-instantly2020-01-28T13:33:20ZPaul CammishSympl should automatically update it's configuration near-instantlyWhen changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the co...When changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the configuration and update as needed, adding to incrond's config where needed as domains are added/removed.
This would make configuration practically instant, so would need some kind of logging/admin notification so you can see what's actually going on.Future Planshttps://gitlab.com/sympl.io/sympl/-/issues/256sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock2019-07-17T15:47:39ZPaul Cammishsympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lockJob [#11106](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/11106) failed for 89b35a9928e5c77aa5ea832fb4a0e851cc3cd601:
```
+ symbiosis-firewall --verbose
sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock: No ...Job [#11106](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/11106) failed for 89b35a9928e5c77aa5ea832fb4a0e851cc3cd601:
```
+ symbiosis-firewall --verbose
sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock: No locks available - Unable to acquire lock -- Resource temporarily unavailable
run-parts: autotest/test.d/50-test-cli exited with return code 1
ERROR: Job failed: Process exited with: 1. Reason was: ()
```
This is the testing job accidentally aligning with a scheduled run - it's only a few seconds of window, but it happens more often than I'd like.https://gitlab.com/sympl.io/sympl/-/issues/253sympl-test: Race condition with certificate testing2021-02-12T18:08:31ZPaul Cammishsympl-test: Race condition with certificate testingIt looks like on occasion a self-signed cert is being created, but being tested before it's valid.
Job [#9899](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/9899) failed for 80f6dd1c78f1401f5980105fc948fa74a2f01759:
```
=========...It looks like on occasion a self-signed cert is being created, but being tested before it's valid.
Job [#9899](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/9899) failed for 80f6dd1c78f1401f5980105fc948fa74a2f01759:
```
===============================================================================
Failure:
Exception raised:
OpenSSL::X509::CertificateError(<Not valid for rcyexz5q3p.test -- certificate is not yet valid (9)>)
test_ssl_verify_with_root_ca(SSLTest)
/etc/sympl/test.d/tc_ssl.rb:562:in `test_ssl_verify_with_root_ca'
559: #
560: assert_nothing_raised{ @domain.ssl_x509_certificate_file = @domain.directory+"/config/ssl.combined" }
561: assert_nothing_raised{ @domain.ssl_key_file = @domain.directory+"/config/ssl.combined" }
=> 562: assert_nothing_raised{ @domain.ssl_verify(@domain.ssl_x509_certificate, @domain.ssl_key, @domain.ssl_certificate_store, true) }
563: end
564:
565: def test_ssl_verify_with_intermediate_ca
===============================================================================
```https://gitlab.com/sympl.io/sympl/-/issues/228sympl-ssl dies when config directory is mangled2021-02-12T18:08:31ZPaul Cammishsympl-ssl dies when config directory is mangledThis looks to be a problem in Symbiosis also, but only appeared when upgrading from Symbiosis to Sympl.
What's happening is that sympl-ssl is being run, but if it has no certs for a site and a mangled config directory, it will fail and ...This looks to be a problem in Symbiosis also, but only appeared when upgrading from Symbiosis to Sympl.
What's happening is that sympl-ssl is being run, but if it has no certs for a site and a mangled config directory, it will fail and prevent the package from being configured.https://gitlab.com/sympl.io/sympl/-/issues/226common: Check new passwords against https://haveibeenpwned.com/API/v2#PwnedPa...2019-06-10T14:29:22ZPaul Cammishcommon: Check new passwords against https://haveibeenpwned.com/API/v2#PwnedPasswordsThe API at https://haveibeenpwned.com/API/v2#PwnedPasswords provides an API of compromised passwords.
This would be a good thing to check against when a user changes their password along with cracklib.The API at https://haveibeenpwned.com/API/v2#PwnedPasswords provides an API of compromised passwords.
This would be a good thing to check against when a user changes their password along with cracklib.Backloghttps://gitlab.com/sympl.io/sympl/-/issues/218sympl-all-crontabs.c should be rewritten in something more portable2019-07-17T15:48:41ZPaul Cammishsympl-all-crontabs.c should be rewritten in something more portable```text
* A wrapper script which will do some simple permission and file-presence
* checks, then launch the sympl-crontab command for each domain which
* is present.
*
* The way this script works is pretty simple:
*
* 1. Iterate over e...```text
* A wrapper script which will do some simple permission and file-presence
* checks, then launch the sympl-crontab command for each domain which
* is present.
*
* The way this script works is pretty simple:
*
* 1. Iterate over every entry beneath /srv
* - Ignoring dotfiles.
* - Ignoring entries that do not contain /srv/$name/config/crontab
*
* 2. Once a valid entry has been found ensure that the owner of
* /srv/$name and /srv/$name/config/crontab matches.
*
* 3. Invoke our ruby wrapper as the appropriate user, via /bin/su.
```
This should really be rewritten in something more portable (to ease install on non-amd64 platforms), or simply use bash instead as there's nothing particularly fancy here.Future Planshttps://gitlab.com/sympl.io/sympl/-/issues/207There are no build tests for webmail2019-05-28T11:23:23ZPaul CammishThere are no build tests for webmailThere aren't currently any tests to ensure webmail (ie: roundcube) is functional.
This is less of an issue at the moment as IMAP is tested, so this can be put off for now.
We should however create a test to ensure webmail can be logged...There aren't currently any tests to ensure webmail (ie: roundcube) is functional.
This is less of an issue at the moment as IMAP is tested, so this can be put off for now.
We should however create a test to ensure webmail can be logged into (via cURLing the local site, etc.Future Plans