Sympl issues
https://gitlab.com/sympl.io/sympl/-/issues
2019-07-17T15:54:09Z

https://gitlab.com/sympl.io/sympl/-/issues/176
Symbiosis: SSL symlinks broken on hostname change
Date: 2019-07-17T15:54:09Z
Author: Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/42
When the hostname of a system running Symbiosis is changed, the symbolic links for the self-signed certificates in `/etc/ssl` are broken.
The symbolic links in `/etc/ssl` continue to point at `/srv/original-server-name/...`.
This then prevents the Apache service from starting as the SSL files are missing/invalid.

Labels: Backlog

https://gitlab.com/sympl.io/sympl/-/issues/166
Symbiosis: reject-www-data rule unintentionally removed from ip6tables when file contains only IPv4 addresses
Date: 2019-06-07T14:36:07Z
Author: Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/76
When an IPv4 address is added to the reject-www-data rule, the rule is removed from ip6tables.
1. Run `ip6tables -L -v -n` and notice the reject-www-data table is present
2. Add 10.0.0.1 to `/etc/symbiosis/firewall/outgoing.d/50-reject-www-data`
3. Run `ip6tables -L -v -n` and notice the reject-www-data table is *no longer* present

Labels: Backlog

https://gitlab.com/sympl.io/sympl/-/issues/144
Symbiosis: If an SSL cert is automatically disabled, Symbiosis won't automatically use it again if it becomes valid
Date: 2019-07-17T15:53:24Z
Author: Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/111
For example, if I have a site (https://under100words.com) and manually disable Let's Encrypt by placing `false` in `/srv/under100words.com/config/ssl-provider` and moving the `config/ssl` directory out of the way, `symbiosis-httpd-configure` will disable the specific SSL cert for the site, swapping it to self-signed.
This is fine, and to be expected, however it does this by removing the relevant symlink from `/etc/apache2/sites-enabled`, which has the effect of flagging the site as "manually disabled", dropping it back to mass hosting, if configured.
Restoring the SSL configuration (removing `ssl-provider` and restoring `config/ssl`) then re-running `symbiosis-httpd-configure --verbose` you get:
```
# symbiosis-httpd-configure --verbose
[ . . . ]
Domain: under100words.com
Current SSL set 1: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2018-02-20 13:36:22 UTC
This site has SSL enabled, and is using the host's primary IPs -- continuing with SNI.
SSL is enabled -- using SSL template
Adding to configurations
[ . . . ]
Configuration: under100words.com.conf
Configuration is up-to date.
!! Configuration has been manually disabled.
```
So, it's still thinking that the site was manually disabled, so even if it managed to create the individual config as there are valid SSL certs, it's not being symlinked.
A manual workaround is to run `symbiosis-httpd-configure` for the specific site:
```
# symbiosis-httpd-configure --verbose under100words.com
Domain: under100words.com
Current SSL set 1: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2018-02-20 13:36:22 UTC
This site has SSL enabled, and is using the host's primary IPs -- continuing with SNI.
SSL is enabled -- using SSL template
Adding to configurations
Configuration: under100words.com.conf
Configuration is up-to date.
Enabling configuration.
Reloading Apache
```
This instead enables the config anyway, and things work normally again.

Labels: Future Plans

https://gitlab.com/sympl.io/sympl/-/issues/141
Symbiosis: Exim can't deliver to a virgin mailbox
Date: 2019-06-07T14:36:02Z
Author: Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/132
Mostly, Exim hands off email to dovecot for delivery. BUT, it's possible to use an Exim filter file to ask Exim to deliver email directly to a mailbox.
If Exim tries to do that before Dovecot has delivered to that user, Exim will fail.
Dovecot lazily (i.e., when it first delivers an email to a user) creates a quota file in the root of the user's mailbox. Exim can't deliver email to a user if that quota file is missing. And it can't create it either.
This only matters if the user doesn't get mail delivered by dovecot, which is kind of unusual. The simple work-around is just to send an unfiltered email to the user.
A better fix might be to have a cron job looking for missing quota files, and adding them where required. Or maybe there's an Exim option to ignore the missing file? Or something.

Labels: Backlog

https://gitlab.com/sympl.io/sympl/-/issues/137
Symbiosis: Don't crash if a password file is empty
Date: 2019-06-07T14:31:05Z
Author: Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/110
As reported here:
* https://forum.bytemark.co.uk/t/empty-password-crashes-cron-job/2744
The following code reproduces the problem:
```ruby
#!/usr/bin/ruby
require 'cracklib'
c = CrackLib::Fascist(nil)
if c.ok?
puts "OK"
end
```
The following patch is probably sufficient to resolve the problem, but requires a test-case:
```
--- a/common/sbin/symbiosis-password-test
+++ b/common/sbin/symbiosis-password-test
@@ -155,6 +155,7 @@ Symbiosis::Domains.each(prefix) do |domain|
end
ftp_users.each do |u|
+ next if c.nil?
c = CrackLib::Fascist(u.password)
if c.ok?
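Review bot: the added `next if c.nil?` guards the wrong value: it runs before `c = CrackLib::Fascist(u.password)` assigns `c` for this user, so it tests whatever `c` held from an earlier assignment (or fails with an undefined-variable error if nothing assigned `c` before this loop), and the `Fascist` call on the empty password still goes ahead unchanged. Guard the input instead, e.g. `next if u.password.nil? || u.password.empty?` placed before the `CrackLib::Fascist` call; that covers both the case where `Fascist` itself raises on an empty value and the case where it returns nil and `c.ok?` then raises. The test case the description asks for should exercise a user whose password file is empty so that this path is actually hit.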
```

Labels: Backlog

https://gitlab.com/sympl.io/sympl/-/issues/135
Symbiosis: DNS service records not created even though mailbox folders are there
Date: 2019-06-07T14:30:27Z
Author: Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/133
DNS SRV records are not being created by the `symbiosis-dns-generate` command; the template suggests these are created when a mailbox folder is present:
```
%if domain.respond_to?(:mailboxes) and domain.mailboxes.length > 0
#
# SRV records for various mail services
#
:_submission._tcp.<%= domain %>:33:<%= domain.srv_record_for(0,5,587, "mail."+domain) %>:<%= ttl %>
:_imap._tcp.<%= domain %>:33:<%= domain.srv_record_for(0,5,143, "mail."+domain) %>:<%= ttl %>
:_imaps._tcp.<%= domain %>:33:<%= domain.srv_record_for(0,5,993, "mail."+domain) %>:<%= ttl %>
:_pop3._tcp.<%= domain %>:33:<%= domain.srv_record_for(10,5,110, "mail."+domain) %>:<%= ttl %>
:_pop3s._tcp.<%= domain %>:33:<%= domain.srv_record_for(10,5,995, "mail."+domain) %>:<%= ttl %>
% end
```
These service records are not created. Could this be removed from the template?

Labels: Backlog

https://gitlab.com/sympl.io/sympl/-/issues/122
Symbiosis: `symbiosis-configure-ips` doesn't remove IPs it added once they are removed from /srv/*/config/ip
Date: 2019-06-06T11:08:42Z
Author: Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/59
If an IP has been added to a machine via `/srv/*/config/ip`, then if removed, it won't be removed from the configuration until next reboot when it won't be re-added.
This is likely as it can't be determined that Symbiosis added the IP, so we should probably either:
1. Make it clear in the docs that removing an IP will need a reboot or manual change via `ip`.
2. Automatically remove any IPs not set somewhere in `/srv/*/config/ip` when running symbiosis-configure-ips.
3. Provide a `--force` switch (like the other Symbiosis apps) to make the config match what symbiosis-configure-ips is trying to do.
Labels: Future Plans

https://gitlab.com/sympl.io/sympl/-/issues/182
Symbiosis: symbiosis-firewall 99-reject file is blank by default
Date: 2019-04-15T09:14:34Z
Author: Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/137
Symbiosis' firewall contains a `/etc/symbiosis/firewall/incoming.d/99-reject` rule by default, which will block connections from `0.0.0.0/0` (anywhere).
If we add an IP to this 99-reject file, connections will only be blocked from this IP and allowed from everywhere else, which isn't usually what we want to happen.
It would be safer if the 99-reject file contained `0.0.0.0/0` by default to avoid allowing more through the firewall than what was intended. This could still be removed from the file if needed.

Labels: Future Plans

https://gitlab.com/sympl.io/sympl/-/issues/165
Symbiosis: Publish CAA (DNS TXT) records to improve security
Date: 2019-04-14T20:59:45Z
Author: Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/134
Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, is a proposal to improve the strength of the PKI ecosystem with a new control to restrict which CAs can issue certificates for a particular domain name. It prevents bad people obtaining certificates from rogue or sloppy certification authorities.
It's a simple DNS text record to say, for example:
`example.org. CAA 128 issue "letsencrypt.org"`
At minimum, we could publish this record for a domain that's protected by a LetsEncrypt certificate.
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

Labels: Future Plans

https://gitlab.com/sympl.io/sympl/-/issues/338
sympl-mail-dict-proxy - passed username incorrect? (bookworm)
Date: 2023-06-10T20:43:17Z
Author: Paul Cammish

Something changed with bookworm, and it now seems the dict proxy is being sent `Lshared/passdb/<username><tab><username>` rather than the expected `Lshared/passdb/<username>`.
Trimming the tab and everything after this 'fixes' it, but it needs investigation as to why this happens.

https://gitlab.com/sympl.io/sympl/-/issues/325
sympl: Removing packages doesn't clean up links and other files
Date: 2023-06-10T21:36:53Z
Author: Paul Cammish

Removing FTP and related monitoring.
This will involve checking what's left over after uninstalling each package, versus what was there originally, then updating debian/postrm or similar to ensure things are cleaned up properly.
Originally raised [on the forum](https://forum.sympl.io/t/removing-ftp-and-related-monitoring/290).

https://gitlab.com/sympl.io/sympl/-/issues/314
sympl-ftp: SSL cert isn't updated once rotated
Date: 2021-09-20T22:46:56Z
Author: Paul Cammish

There's nothing to restart the pure-ftpd service once the SSL cert is updated, so a monthly restart may be worthwhile.
From: https://forum.sympl.host/t/ftps-certificate-expired-error/225

https://gitlab.com/sympl.io/sympl/-/issues/284
sympl-mail: Enhancement - Add a whitelist for Exim
Date: 2020-04-20T11:22:27Z
Author: Paul Cammish

If you're potentially blocking more mail due to the enhancement in issue #282, the ability to whitelist hosts/IPs would be useful to skip all spam filtering and consider the source as trusted.
This would likely need to be configured on a whole-host basis, and maybe should be located in /etc/sympl rather than the Exim config directory.
Maybe something which can be done automatically based on a previous good reputation, similar to the blacklists used by the firewall?

https://gitlab.com/sympl.io/sympl/-/issues/273
sympl-mail: A default-forward configured for a domain bypasses SpamAssassin filtering
Date: 2019-12-05T21:18:35Z
Author: Paul Cammish

As mentioned: https://forum.sympl.host/t/spam-not-being-tagged-nor-moved-to-the-spam-folder/63/4?u=kelduum
Seems likely it's an order of execution thing - the mail is being handled by the delivery function before it's been scanned.
IIRC, this was an issue with Symbiosis as well, so likely has been around a while.

https://gitlab.com/sympl.io/sympl/-/issues/262
sympl-firewall v10.0 uses iptables-legacy
Date: 2019-08-16T17:52:37Z
Author: Paul Cammish

Buster has migrated to nftables, so Sympl should move in that direction also.
It's mostly compatible at the moment, however it does throw warnings when using the now default `iptables` in Buster.
Workaround in sympl/sympl!124 to swap to `iptables-legacy`, but this should be investigated further.

https://gitlab.com/sympl.io/sympl/-/issues/257
Sympl should automatically update its configuration near-instantly
Date: 2020-01-28T13:33:20Z
Author: Paul Cammish
When changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the configuration and update as needed, adding to incrond's config where needed as domains are added/removed.
This would make configuration practically instant, so would need some kind of logging/admin notification so you can see what's actually going on.

Labels: Future Plans

https://gitlab.com/sympl.io/sympl/-/issues/330
sympl-webmail: Webmail should discourage over-use of the To: field
Date: 2023-03-16T12:40:32Z
Author: Paul Cammish

As mentioned in https://forum.sympl.io/t/roundcube-max-disclosed-recipients/320, it's possible to have Roundcube ask if you really want to send to lots of disclosed recipients.
This would be nice to add to the default configuration, although with a reasonably high number.

https://gitlab.com/sympl.io/sympl/-/issues/326
sympl-web: sympl-web-rotate-logs doesn't use an efficient naming convention.
Date: 2022-08-05T14:02:45Z
Author: Paul Cammish

`sympl-web-rotate-logs` uses what is basically the worst case for backup efficiency in the logging, although this works like logrotate.
You get ~30 days of old logs, each named `.[1-3]?[0-9]`, the older ones of which are gzipped. Each time it rotates, the highest number is dropped, and everything is moved up a number.
This isn't terrible for finding the old data, but it's not ideal, and it means each time you run a backup, *all* of the logs have changed, so even a quiet site ends up with all the logs being backed up again.
The logs should be datestamped, and then the oldest one(s) removed; that way each day's logs don't end up getting backed up over and over again for a month.

https://gitlab.com/sympl.io/sympl/-/issues/324
FTP logs should be written to /var/log/pure-ftp/connection.log or similar
Date: 2022-04-25T11:58:29Z
Author: Paul Cammish

At the moment they only get written to `/var/log/messages`, which isn't that logical as there's also a `/var/log/pure-ftpd/` directory, where you'd expect to find them.
Also, we shouldn't be logging the RDNS for connections without the IP where at all possible, as it's trivial to fake.

https://gitlab.com/sympl.io/sympl/-/issues/321
Add DNS records without preventing automatic generation
Date: 2023-03-16T12:58:49Z
Author: Paul Cammish

I have my domain sign my emails with DKIM, using the host name as a selector, but I can also use an external SMTP server for some things, which has given me a public key to add to DNS. I guess in this case, I want to be able to add records to the DNS for the domain, but if I edit the DNS file, all other records will stop being updated. It would be good if there could be a different file for additional records so that the automatic file would still match its checksum.