Sympl issues
https://gitlab.com/sympl.io/sympl/-/issues
Updated: 2019-06-06T11:01:27Z

Issue #215: Command line scripts need to be renamed, references to symbiosis in filesystem removed
https://gitlab.com/sympl.io/sympl/-/issues/215
Updated: 2019-06-06T11:01:27Z
Author: Paul Cammish

WIP in https://gitlab.mythic-beasts.com/sympl/sympl_stretch/merge_requests/19

Any existing command line scripts should have symlinks/helpers created to them from the old names for compatibility.

Ruby Libraries can stay where they are for now (this can be tackled later), but things like /etc/symbiosis and dpkg copies need to be moved/renamed (and symlinks created).
* [x] package:core
* [x] package:backup
* [x] package:common
* [x] package:cron
* [x] package:dns
* [x] package:email
* [x] package:firewall
* [x] package:ftpd
* [x] package:httpd
* [x] package:monit
* [x] package:mysql
* [x] package:phpmyadmin
* [x] package:updater
* [x] package:webmail
----
* [x] update all version numbers
* [x] double-check all copyright files

Milestone: Rebranding Symbiosis to Sympl
Assignee: Paul Cammish

Issue #216: The auth/helper processes don't seem to be running after a reboot
https://gitlab.com/sympl.io/sympl/-/issues/216
Updated: 2019-06-02T21:18:53Z
Author: Paul Cammish

Specifically:
```
/usr/sbin/pure-authd --run /usr/sbin/symbiosis-ftpd-check-password --socket /var/run/pure-ftpd/pure-authd.sock
/usr/bin/ruby /usr/sbin/symbiosis-email-poppassd
/usr/bin/ruby /usr/sbin/symbiosis-email-dict-proxy
```

Milestone: Rebranding Symbiosis to Sympl
Assignee: Paul Cammish

Issue #218: sympl-all-crontabs.c should be rewritten in something more portable
https://gitlab.com/sympl.io/sympl/-/issues/218
Updated: 2019-07-17T15:48:41Z
Author: Paul Cammish

```text
 * A wrapper script which will do some simple permission and file-presence
 * checks, then launch the sympl-crontab command for each domain which
 * is present.
 *
 * The way this script works is pretty simple:
 *
 * 1. Iterate over every entry beneath /srv
 *      - Ignoring dotfiles.
 *      - Ignoring entries that do not contain /srv/$name/config/crontab
 *
 * 2. Once a valid entry has been found ensure that the owner of
 *    /srv/$name and /srv/$name/config/crontab matches.
 *
 * 3. Invoke our ruby wrapper as the appropriate user, via /bin/su.
```
This should really be rewritten in something more portable (to ease install on non-amd64 platforms), or simply use bash instead as there's nothing particularly fancy here.

Milestone: Future Plans

Issue #221: Symbiosis: symbiosis-httpd-logger is run where it's not really needed
https://gitlab.com/sympl.io/sympl/-/issues/221
Updated: 2019-06-20T13:24:05Z
Author: Paul Cammish

The HTTP and HTTPS templates for sites both run the symbiosis-httpd-logger process (aka sympl-web-logger) which does little other than write logs owned by the admin user.

This is useful for the zz-mass-hosting configuration, as it then writes logs to the relevant locations, but it's wasted resources when you have a lot of sites running.

If #219 happens, then the templates should just write the files directly via the normal Apache method.

Milestone: Sympl v9.0 (for Debian Stretch)

Issue #222: A new 'there's no site here yet' page is needed
https://gitlab.com/sympl.io/sympl/-/issues/222
Updated: 2019-06-07T10:37:50Z
Author: Paul Cammish

The old one had 2012-era Bytemark branding, but I should be able to do something better - just need a proper logo for Sympl created.

Milestone: Rebranding Symbiosis to Sympl
Assignee: Paul Cammish

Issue #224: Web: `sympl-web-* --manual` requires sympl-common package
https://gitlab.com/sympl.io/sympl/-/issues/224
Updated: 2019-06-28T15:08:51Z
Author: Paul Cammish

This isn't a problem when building in gitlab-ci, but breaks otherwise.
Option 1: Add sympl-common as a build dependency. (quick but untidy!)

Option 2: Make them work like the others and output the man page without any dependencies.

Option 2 is the best option here, especially as the libs aren't needed elsewhere.

Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Issue #226: common: Check new passwords against https://haveibeenpwned.com/API/v2#PwnedPasswords
https://gitlab.com/sympl.io/sympl/-/issues/226
Updated: 2019-06-10T14:29:22Z
Author: Paul Cammish

The API at https://haveibeenpwned.com/API/v2#PwnedPasswords provides an API of compromised passwords.
This would be a good thing to check against when a user changes their password, along with cracklib.

Milestone: Backlog

Issue #220: Web stats are insecure and need updating
https://gitlab.com/sympl.io/sympl/-/issues/220
Updated: 2019-06-12T13:10:49Z
Author: Paul Cammish

It's unclear if the stats stuff even gets used, as it's not mentioned much in the old Symbiosis docs.
However, some time ago it was supposed to be disabled by default, but that's not the case, so it's automatically generated for each site at /stats, and doesn't require any auth at all.

This should either be secured properly, or replaced with something a bit more up to date, like goaccess, which has a package and is realtime.

Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Issue #230: sympl-web: Logs directory is not automatically created
https://gitlab.com/sympl.io/sympl/-/issues/230
Updated: 2019-06-12T13:11:07Z
Author: Paul Cammish

This looks to happen when the directory is not owned by a non-system user, and is likely in `sympl-web-logger`.
Adding this to sympl-web-configure in a relevant place should fix it:

```ruby
require 'fileutils'

# Ensure the per-site log directory exists and is owned by the sympl user
# before the logger tries to write to it. `domain` and `verbose` are the
# object and helper already available inside sympl-web-configure.
dirname = File.dirname("#{domain.directory}/public/logs/.")
unless File.directory?(dirname)
  verbose "\tCreating log directory #{dirname}"
  FileUtils.mkdir_p(dirname)
  FileUtils.chown_R 'sympl', 'sympl', dirname, :verbose => true
end
```

Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Issue #231: sympl-filesystem-security: /srv/example.com/public is not set 2775
https://gitlab.com/sympl.io/sympl/-/issues/231
Updated: 2019-06-12T13:11:10Z
Author: Paul Cammish

Looks like I missed this when I was putting the script together, should be a simple fix:
```sh
# Skip symlinks; files not already 664 become 664, directories not already 2775 become 2775.
find "${domain}/public" ! -type l \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)
```

sympl-filesystem-security should also check config/ssl/sets exists before trying to do anything with it.

Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Issue #228: sympl-ssl dies when config directory is mangled
https://gitlab.com/sympl.io/sympl/-/issues/228
Updated: 2021-02-12T18:08:31Z
Author: Paul Cammish

This looks to be a problem in Symbiosis also, but only appeared when upgrading from Symbiosis to Sympl.
What's happening is that sympl-ssl is being run, but if it has no certs for a site and a mangled config directory, it will fail and prevent the package from being configured.

Issue #232: Sympl determines host name incorrectly during install
https://gitlab.com/sympl.io/sympl/-/issues/232
Updated: 2022-04-26T09:50:34Z
Author: Paul Cammish

During the install, sympl creates a 'default' directory based on the hostname of the machine. However, it incorrectly uses the domain 'localdomain' when creating this directory.

On a clean Debian machine, the /etc/hostname file contains a bare hostname. Code in core/debian/postinst uses this file as the hostname, and if it sees a 'bare' hostname, appends 'localdomain' to the hostname read from the file.

The Debian installation had a full hostname specified, and typing

```
hostname -f
```

retrieves this full host name correctly.

The postinst script will also fall back to using `hostname -f` if /etc/hostname exists.

Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Issue #233: An installer script would be nice...
https://gitlab.com/sympl.io/sympl/-/issues/233
Updated: 2019-06-20T22:41:04Z
Author: Paul Cammish

This would allow us to run a single command which would install Sympl and set the relevant option so the user is not prompted at all.
This would also be able to point the user to documentation and make them aware of things like the `sympl` user using the `root` user's password (which may not be secure) and/or force them to set a new one, and include the root user's authorized keys file.

Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Issue #235: mail: Dovecot config entries obsoleted.
https://gitlab.com/sympl.io/sympl/-/issues/235
Updated: 2019-06-24T14:12:23Z
Author: Paul Cammish

```
ssl_protocols -> ssl_min_protocol
ssl_dh_parameters_length -> x
```

Possibly some others, so worth checking against a plain config.

Milestone: Sympl v10.0 (for Debian Buster)
Assignee: Paul Cammish

Issue #236: mail: Exim - Warning: purging the environment.
https://gitlab.com/sympl.io/sympl/-/issues/236
Updated: 2019-06-24T14:24:24Z
Author: Paul Cammish

On starting, exim reports:
```
Warning: purging the environment.
use keep_environment
```

IIRC this is a thing from Jessie, so may have turned up again (or just not been fixed).

Milestone: Sympl v10.0 (for Debian Buster)
Assignee: Paul Cammish

Issue #237: core: ssl certs not getting linked on install
https://gitlab.com/sympl.io/sympl/-/issues/237
Updated: 2019-06-24T14:11:29Z
Author: Paul Cammish

Looks like something is borking along the way, probably preventing sympl-core from being properly configured.

Should be fairly easy to fix.

Milestone: Sympl v10.0 (for Debian Buster)
Assignee: Paul Cammish

Issue #238: mail: Sieve tests failing
https://gitlab.com/sympl.io/sympl/-/issues/238
Updated: 2019-07-02T16:38:04Z
Author: Paul Cammish

Looks like two tests are failing at present.
* test_deliver_with_sieve
* test_deliver_with_sieve_for_local_users

Likely a change to sieve configuration, as with Stretch.

Milestone: Sympl v10.0 (for Debian Buster)
Assignee: Paul Cammish

Issue #239: phpmyadmin: phpmyadmin is no longer packaged in Debian Buster
https://gitlab.com/sympl.io/sympl/-/issues/239
Updated: 2020-09-16T16:16:37Z
Author: Paul Cammish

Based on an [informal poll](https://twitter.com/Mythic_Beasts/status/1139540952840908800) it looks like a picture of a kitten should be a good replacement; however, I'll probably rename the package, swap to [Adminer](https://www.adminer.org/), and add instructions for installing phpmyadmin yourself.

Assignee: Paul Cammish

Issue #240: Job Failed #7680 - net_connect_unix(/var/run/dovecot/stats-writer)
https://gitlab.com/sympl.io/sympl/-/issues/240
Updated: 2019-06-26T16:11:45Z
Author: Paul Cammish

Job [#7680](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/7680) failed for f7d32cae365d7e879cd6d3987ec68d63d0f125c8:
```
run-parts: executing autotest/test.d/90-symbiosis-test
Running sympl-test...
Loaded suite /usr/bin/sympl-test
Started
...............................................................................
.......................................lda(test@h2t4nehquz.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
.lda(sympl-test@quick.sympl.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
.lda(test@tsn3b3s36c.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
.lda(test@cu9yts5qtz.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
F
===============================================================================
Failure: test_deliver_with_sieve(TestDovecot)
/etc/sympl/test.d/tc_dovecot.rb:371:in `do_test_deliver_with_sieve'
/etc/sympl/test.d/tc_dovecot.rb:382:in `test_deliver_with_sieve'
379:
380: def test_deliver_with_sieve
381: @mailbox.create
=> 382: do_test_deliver_with_sieve(@mailbox)
383: end
384:
385: def test_deliver_with_sieve_for_local_users
Found 1 messages in Maildir/new rather than 0
<0> expected but was
<1>
===============================================================================
.lda(sympl-test@quick.sympl.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
F
===============================================================================
Failure: test_deliver_with_sieve_for_local_users(TestDovecot)
/etc/sympl/test.d/tc_dovecot.rb:371:in `do_test_deliver_with_sieve'
/etc/sympl/test.d/tc_dovecot.rb:391:in `test_deliver_with_sieve_for_local_users'
388: mailbox = do_setup_local_mailbox(test_user)
389: sieve_file = File.join(mailbox.directory, ".sieve")
390:
=> 391: do_test_deliver_with_sieve(mailbox)
392: ensure
393: File.unlink(sieve_file) if sieve_file and File.exist?(sieve_file)
394: end
Found 1 messages in Maildir/new rather than 0
<0> expected but was
<1>
===============================================================================
...............................................................................
.......................
Finished in 102.66534708 seconds.
-------------------------------------------------------------------------------
226 tests, 1495 assertions, 2 failures, 0 errors, 0 pendings, 0 omissions, 0 notifications
99.115% passed
-------------------------------------------------------------------------------
2.20 tests/s, 14.56 assertions/s
```
This may simply be the way the testing interfaces with dovecot, as the 'stats' functionality in Dovecot has changed.

Milestone: Sympl v10.0 (for Debian Buster)
Assignee: Paul Cammish

Issue #241: stretch-testing -> stretch
https://gitlab.com/sympl.io/sympl/-/issues/241
Updated: 2019-06-25T08:36:27Z
Author: Paul Cammish

# Testing to Stable
## Setup
* [x] Add example.com to /etc/hosts.
* [x] Start with a clean machine running the relevant version of Debian.
## Install
* [x] Run Install script as per https://wiki.sympl.host/Installation_Instructions without dpkg prompts.
* [x] User is pointed to https://wiki.sympl.host for docs, and https://forum.sympl.host for issues.
* [x] User has to set a new password for `sympl`, and is suggested to use an SSH key.
* [x] User can log in as the `sympl` user.
## Core
* [x] Banner happens on login and provides correct version/system stats.
* [x] Typical utilities such as vim, htop, etc are installed and work normally.
## Web
* [x] `mkdir -p /srv/example.com/public/htdocs`, make sure you are served a 'there's nothing here yet' page.
* [x] `echo 'Testing example.com' > /srv/example.com/public/htdocs/index.html`, check the page loads with the new content.
* [x] `echo '<?php phpinfo() ?>' > /srv/example.com/public/htdocs/index.php`, check the page loads with phpinfo.
* [x] `sudo sympl-web-configure --verbose`, check /srv/example.com/ contains public/logs, php_tmp, php_sessions.
* [x] Browse to http://example.com again, check logs are being written to `public/logs/access.log`.
* [x] Browse to https://example.com again (expect browser warning), check logs are being written to `public/logs/ssl_access.log`.
* [x] `sudo sympl-web-rotate-logs`, check logs have rotated.
* [x] `sudo sympl-web-generate-stats --verbose`, check stats have NOT been created.
* [x] `mkdir -p /srv/example.com/config ; echo selfsigned > /srv/example.com/config/ssl-provider ; sudo sympl-ssl --verbose`, check cert is generated.
* [x] `sudo sympl-web-configure --verbose`, check site now loads with self-signed certificate.
## FTP
* [x] Confirm you cannot login anonymously via FTP.
* [x] `echo some-password > /srv/example.com/config/ftp-password`, check you can log in with user `example.com` password `some-password` via FTP and are placed in public.
* [x] Confirm you can upload/download/delete files via FTP.
* [x] `echo someuser:someotherpass:htdocs:0M > /srv/example.com/config/ftp-users`, check you can log in with user `someuser@example.com` password `someotherpass` via FTP and are placed in htdocs.
* [x] Confirm you can download but not upload files via FTP.
* [x] `sudo sympl-password-test --verbose`, confirm password warning.
## Mail & WebMail
* [x] `mkdir -p /srv/example.com/mailboxes/user ; echo some-password > /srv/example.com/mailboxes/user/password ; sudo sympl-password-test --verbose`, confirm password warning.
* [x] Browse to https://example.com/webmail, log in with `user` and `password`
* [x] `echo new-password > /srv/example.com/mailboxes/user/password`, log out of webmail.
* [x] Confirm you cannot log in with old password.
* [x] Confirm you can log in with new password.
* [x] `sudo sympl-mail-encrypt-passwords --verbose`
* [x] Log out and back in again.
* [x] Send mail to a gmail address, confirm bounce/delivery.
* [x] `openssl genrsa -out /srv/example.com/config/dkim.key 2048 ; chmod 640 /srv/example.com/config/dkim.key ; chown admin:Debian-exim /srv/example.com/config/dkim.key ; touch /srv/example.com/config/dkim`
* [x] Send email again, check for DKIM record in bounce/delivery.
## Network
* [x] `ip a ; sympl-ip`, confirm IPs match.
* [x] `echo 10.111.234.56 > /srv/example.com/config/ip ; sudo sympl-configure-ips --verbose`, confirm new IP picked up.
* [x] `ip a ; sympl-ip`, confirm '10.111.234.56' now listed on both results.
* [x] `sudo iptables -L -n | grep -c ':1234'`, confirm result is 0.
* [x] `touch /etc/sympl/firewall/incoming.d/99-1234 ; sudo sympl-firewall`
* [x] `sudo iptables -L -n | grep -c ':1234'`, confirm result is 2.
* [x] `touch '/etc/sympl/firewall/blacklist.d/10.9.8.7|31' ; sudo sympl-firewall`
* [x] `sudo iptables -L -n | grep -c '10.9.8.6'`, confirm result is 1.
## MySQL / MariaDB & phpMyAdmin
* [x] `mysql -e 'show databases'`, confirm databases are listed.
* [x] Browse to http://example.com/phpmyadmin, confirm redirected to HTTPS.
* [x] `cat ~/mysql_password`, log in with user `sympl` and password.
* [x] Confirm no errors/warnings, database can be created.
## Monit
* [x] `sudo service apache2 stop ; sudo service apache2 status ; sudo sympl-monit ; sudo service apache2 status ;`, confirm apache is started again.

Assignee: Paul Cammish

Issue #242: sympl-mail-dovecot-sni should use ssl.bundle rather than ssl.crt
https://gitlab.com/sympl.io/sympl/-/issues/242
Updated: 2019-06-26T14:59:50Z
Author: Paul Cammish

As is, it provides the cert, but not the bundle, meaning the chain is broken.

It's worth investigating if the exim SNI configuration has the same issue also.

Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Issue #243: Buster: zz-mass-hosting doesn't appear to work.
https://gitlab.com/sympl.io/sympl/-/issues/243
Updated: 2019-08-16T17:54:56Z
Author: Paul Cammish

On boot, it's sending traffic to /var/www/html, and then after reconfiguring it seems to be only sending traffic to /srv/$localhost/public/htdocs.
It may be due to changes in the newer Apache breaking dynamic vhost configurations in general, or something else like the custom module not working right any more.

Milestone: Backlog

Issue #244: Incorrect permissions on dkim selector file
https://gitlab.com/sympl.io/sympl/-/issues/244
Updated: 2019-06-28T16:43:46Z
Author: Paul Cammish

My dkim selector file is currently owned by sympl:sympl, with permissions set to 660.

I received the following error in my logs overnight:

```
2019-06-27 06:39:42 1hgN8H-0005FM-Rw failed to expand dkim_selector: failed to open /srv/gentlysympl.gentlyhosting.uk/config/dkim: Permission denied (euid=105 egid=109)
```

What should the permissions / ownership be set to? The uid / gid referred to in the error are both Debian-exim. Can sympl automatically adjust these permissions if a specific set are required?

Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Issue #245: Job Failed #8380
https://gitlab.com/sympl.io/sympl/-/issues/245
Updated: 2019-07-02T16:38:11Z
Author: Paul Cammish

This is breaking phpMyAdmin, which should be split into a separate config as it's being retired.
Job [#8380](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/8380) failed for 477a89553e5662f5d77f15a5ba1739cdb60ebbf8:

Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Issue #246: Roundcube unable to send mail in Buster.
https://gitlab.com/sympl.io/sympl/-/issues/246
Updated: 2019-07-02T16:38:13Z
Author: Paul Cammish

Needs confirming if this is affecting Stretch also.

Assignee: Paul Cammish

Issue #248: sympl-mail: Debian-exim user should be added to sympl group.
https://gitlab.com/sympl.io/sympl/-/issues/248
Updated: 2019-07-02T16:36:27Z
Author: Paul Cammish

As is, the Debian-exim user already has access to the ssl-certs and other things, so giving it access to the config directory shouldn't be a problem now things are properly partitioned, and will allow users to still configure things via SFTP.
`sympl-filesystem-security` will need adjusting for this also.

Assignee: Paul Cammish

Issue #249: sympl-ssl - IPv6 Only DNS Resolution
https://gitlab.com/sympl.io/sympl/-/issues/249
Updated: 2021-02-12T18:08:30Z
Author: Paul Cammish

DNS resolution times out in an IPv6-only environment when contacting Let's Encrypt.

This is due to the resolver assuming there's an IPv4 address, and binding to that for replies.

A workaround is to add the relevant host to /etc/hosts before running.

Assignee: Paul Cammish

Issue #250: Apache config template changes from Buster need to be backported to Stretch
https://gitlab.com/sympl.io/sympl/-/issues/250
Updated: 2019-07-06T19:10:34Z
Author: Paul Cammish

In progress: !77

Assignee: Paul Cammish

Issue #251: Dovecot doesn't reload after cert changes if config hasn't changed.
https://gitlab.com/sympl.io/sympl/-/issues/251
Updated: 2019-07-07T00:28:05Z
Author: Paul Cammish

In the situation where no new domains are created, but SSL certs update automatically, Dovecot would eventually expire the cached certs, so a reload is needed, as well as a check for when there are literally no certs (ie: first cert attempt fails).

In progress: sympl/sympl!76

Assignee: Paul Cammish

Issue #252: GitLab CI Improvements
https://gitlab.com/sympl.io/sympl/-/issues/252
Updated: 2019-07-09T18:44:33Z
Author: Paul Cammish

What should be happening is the runner should strategically install the previous version (if it exists) from the relevant public repo, then install the version from the local repo. Instead, there's a common race condition meaning the public versions are the same as the newly pushed versions.
We should also have separate upgrade tests from the stable and the testing branches, so we can be certain that we won't break stable before deploying, but we can also pre-download the dependency packages needed in the images to save time and bandwidth, negating the need for a separate image.
* [x] Versions older than the local repo installed for upgrade tests.
* [x] Upgrade tests for stable and testing.
* [x] Pre-downloaded packages in clean install.
* [x] CI tidyup, ideally both major branches from the same version.
* [x] Tests for mangled changelog entries in the build CI

Milestone: Future Plans
Assignee: Paul Cammish

Issue #253: sympl-test: Race condition with certificate testing
https://gitlab.com/sympl.io/sympl/-/issues/253
Updated: 2021-02-12T18:08:31Z
Author: Paul Cammish

It looks like on occasion a self-signed cert is being created, but being tested before it's valid.

Job [#9899](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/9899) failed for 80f6dd1c78f1401f5980105fc948fa74a2f01759:
```
===============================================================================
Failure:
Exception raised:
OpenSSL::X509::CertificateError(<Not valid for rcyexz5q3p.test -- certificate is not yet valid (9)>)
test_ssl_verify_with_root_ca(SSLTest)
/etc/sympl/test.d/tc_ssl.rb:562:in `test_ssl_verify_with_root_ca'
559: #
560: assert_nothing_raised{ @domain.ssl_x509_certificate_file = @domain.directory+"/config/ssl.combined" }
561: assert_nothing_raised{ @domain.ssl_key_file = @domain.directory+"/config/ssl.combined" }
=> 562: assert_nothing_raised{ @domain.ssl_verify(@domain.ssl_x509_certificate, @domain.ssl_key, @domain.ssl_certificate_store, true) }
563: end
564:
565: def test_ssl_verify_with_intermediate_ca
===============================================================================
```

Issue #254: sympl-firewall: iptables email warning (buster)
https://gitlab.com/sympl.io/sympl/-/issues/254
Updated: 2019-08-16T17:51:06Z
Author: Paul Cammish

It appears with the change to iptables-nft, warnings are being generated about iptables-legacy having rules (although they appear to be empty).

Assignee: Paul Cammish

Issue #255: sympl-web-rotate-logs doesn't work
https://gitlab.com/sympl.io/sympl/-/issues/255
Updated: 2019-07-09T19:27:36Z
Author: Paul Cammish

This is due to it dropping permissions, which is incompatible with the new security permissions system.

As it normally only ever runs as root, this isn't needed, and also means log rotation never happens properly as it's only telling the logger processes to reload, not Apache.

Assignee: Paul Cammish

Issue #256: sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock
https://gitlab.com/sympl.io/sympl/-/issues/256
Updated: 2019-07-17T15:47:39Z
Author: Paul Cammish

Job [#11106](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/11106) failed for 89b35a9928e5c77aa5ea832fb4a0e851cc3cd601:
```
+ symbiosis-firewall --verbose
sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock: No locks available - Unable to acquire lock -- Resource temporarily unavailable
run-parts: autotest/test.d/50-test-cli exited with return code 1
ERROR: Job failed: Process exited with: 1. Reason was: ()
```
This is the testing job accidentally aligning with a scheduled run - it's only a few seconds of window, but it happens more often than I'd like.

Issue #257: Sympl should automatically update its configuration near-instantly
https://gitlab.com/sympl.io/sympl/-/issues/257 (2020-01-28T13:33:20Z, Paul Cammish)

When changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the configuration and update as needed, adding to incrond's config where needed as domains are added/removed.
This would make configuration practically instant, so would need some kind of logging/admin notification so you can see what's actually going on.
Milestone: Future Plans

Issue #258: Occasional short-term failures reported by monitoring
https://gitlab.com/sympl.io/sympl/-/issues/258 (2019-07-31T17:52:47Z, Paul Cammish)

Recently received the following report from the automatic monitoring. It resolved itself a few minutes later.
[paste_1093477.txt](/uploads/b13f16c409a7c2c5791a95e3d7601585/paste_1093477.txt)
I've seen similar short-term failures a couple of times.

Issue #259: Running backups manually seems to cause issues
https://gitlab.com/sympl.io/sympl/-/issues/259 (2019-08-19T07:25:08Z, Paul Cammish)

It appears that running backups manually as the `sympl` user will cause the sympl-sqldump script to fail (as it's not running as root), possibly causing later backups to fail as a dump was started but not completed.
Sympl should probably check for a generic user with full mysql access rather than just root (or the root or Sympl user), and/or automatically use the `--force` flag when triggering backups.

Issue #260: Extra content in /root/.ssh/authorized_keys is copied also
https://gitlab.com/sympl.io/sympl/-/issues/260 (2019-08-16T12:20:27Z, Paul Cammish)

In the event `/root/.ssh/authorized_keys` contains other content (such as a "command=" entry for the key [ref](https://forum.sympl.host/t/dont-login-as-root-warning/39)), then the Sympl user will be similarly restricted on first logging in.
Not necessarily a bug, but we may want to think about excluding these entries or handling them differently.

Issue #261: sympl-ssl fails in NAT64 environments with IPv4 addresses
https://gitlab.com/sympl.io/sympl/-/issues/261 (2019-09-17T13:45:19Z, Paul Cammish)

This is due to the old Ruby library being used, which defaults to IPv4.
A workaround exists for this, which adds an entry to the hosts file, but fails to detect NAT64 setups.

Issue #262: sympl-firewall v10.0 uses iptables-legacy
https://gitlab.com/sympl.io/sympl/-/issues/262 (2019-08-16T17:52:37Z, Paul Cammish)

Buster has migrated to nftables, so Sympl should move in that direction also.
It's mostly compatible at the moment, however it does throw warnings when using the now default `iptables` in Buster.
Workaround in sympl/sympl!124 to swap to `iptables-legacy`, but this should be investigated further.

Issue #263: LetsEncrypt certificates not renewed early enough
https://gitlab.com/sympl.io/sympl/-/issues/263 (2019-09-08T15:13:43Z, Paul Cammish)

# Summary
LetsEncrypt certificates are not renewed a month before expiry (as recommended). This causes warning emails to be received from LetsEncrypt.
# Steps to reproduce
Enable LetsEncrypt certificates for a domain. Wait 60 days.
# What is the current bug behavior?
Certificates are not renewed until 2 weeks before expiry, causing a warning email to be received.
# What is the expected correct behavior?
Certificate should be removed 30 days before expiry.
See: https://letsencrypt.org/docs/integration-guide/
for more info.
/cc @kelduum

Issue #264: Default IP confusion with other services
https://gitlab.com/sympl.io/sympl/-/issues/264 (2020-04-21T21:19:55Z, Paul Cammish)

# What is the current bug behavior?
When adding extra IPs manually (such as an IPv6 address), Sympl can get confused as to which is the primary IP, in cases where the IPs are listed out of order in the output of `ip a`.
# What is the expected correct behavior?
Sympl should probably take the IP(s) of the default domain `/srv/$HOSTNAME` as the default IP, only using the `config/ip` file to override this.
/cc @kelduum

Issue #265: sympl-backup triggers `tar` warnings
https://gitlab.com/sympl.io/sympl/-/issues/265 (2019-09-17T13:45:19Z, Paul Cammish)

https://forum.sympl.host/t/backups-tar-warning-about-non-optional-arguments/44
## Problem Description
When doing backups, the following message is shown, with the backup succeeding:
```
Creating archive using 'DRIVER_TAR_GZ'...
tar: The following options were used after any non-optional arguments in archive create or update mode. These options are positional and affect only arguments that follow them. Please, rearrange them properly.
tar: --no-recursion has no effect
tar: Exiting with failure status due to previous errors
Checking TOC of archive file (< real file, > archive entry)...
```
This is due to changes to `tar` in Buster.
Issue #266: sympl-firewall uses incron, which is incompatible with some systems
https://gitlab.com/sympl.io/sympl/-/issues/266 (2019-09-17T13:58:20Z, Paul Cammish)

In short, incron should be removed if possible - this doesn't work on all filesystems, and many systems use NFS for the filesystem (the Mythic Beasts RPi platform) which causes problems.

Issue #268: DKIM signature covers the sender address, but should cover the FROM HEADER address.
https://gitlab.com/sympl.io/sympl/-/issues/268 (2020-09-24T06:23:41Z, Paul Cammish)

# Summary
DKIM signatures are based on the SMTP sender address, not the email FROM HEADER address, which is the wrong thing to do. When the FROM address is local, and there's a DKIM key to sign with, then that should be done.
If there's no key to sign with, then perhaps we should not be sending the email!?
# Steps to reproduce
Send an email with a FROM address that doesn't match the SMTP sender address. You should notice that the DKIM header doesn't cover the FROM address.
/cc @kelduum

Issue #269: SNI for mail only works with 'bare' domain name (or www.domain.name for dovecot)
https://gitlab.com/sympl.io/sympl/-/issues/269 (2019-11-13T13:39:05Z, Paul Cammish)

# Summary
You can't use mail.domain.name to access email securely
# Steps to reproduce
Use an SNI mail client to try to fetch / send mail using mail.domain.name as the host
# What is the current bug behavior?
The certificate returned is the default for the server.
# What is the expected correct behavior?
The certificate returned should be for the correct domain
# Possible fixes
When generating certificates for a domain, ensure one is requested for mail.domain.name. Then add an SNI section for Dovecot to reference this. Exim looks a little trickier, as it goes directly to /srv/$tls_in_sni/config/ssl/current/ssl.combined to get the certificate.
/cc @kelduum

Issue #270: sympl-web: Allow apache includes in config/
https://gitlab.com/sympl.io/sympl/-/issues/270 (2020-09-10T08:28:06Z, Paul Cammish)

As per https://forum.sympl.host/t/auto-updating-ssl-certs-with-custom-apache-site-config/69/3
> One of the ways around this under symbiosis was to add an `IncludeOptional` directive to the master templates (`ssl.template.erb` & `non_ssl.template.erb`) with customisations kept in, say, config…
>
> `IncludeOptional /srv/<% domain %>/config/apache-*.conf`
Thanks to alphacabbage1 for the suggestion.
This will need checking for security, as we don't want any random user writing stuff to there, and breaking the security model or stopping Apache from starting.

Issue #271: sympl-core: On each install, check the user is in the right groups
https://gitlab.com/sympl.io/sympl/-/issues/271 (2020-01-28T00:25:25Z, Paul Cammish)

At the moment, the `sympl` user is only added to the relevant groups (notably www-data) when the user is created, rather than on installation of `sympl-core`.
This can cause some issues if the sympl user already exists (from a removed install, or it was created before installing), so it would be safer to check each time `sympl-core` is installed.

Issue #272: Update sympl-ssl IPv6 only to support Let's Encrypt ACMEv2
https://gitlab.com/sympl.io/sympl/-/issues/272 (2019-12-27T18:11:03Z, Paul Cammish)

I've been wondering why a Mythic Beasts hosted RPi site wasn't updating the SSL certificate. (Luckily I've got an alert through Status Cake for it.)
Looking in the `/etc/hosts` file, I noticed many lines of the form (output from `cat`):
```
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
```
Knowing that the v02 API is now needed, I adjusted it to remove the new line, and switched to the v2 url, and then running `sudo sympl-ssl --verbose subdomain.example.com` worked as expected instead of giving the error:
```
Current SSL set 14: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2019-12-08 06:19:41 UTC
The current certificate expires in 4 days.
Fetching a new certificate from LetsEncrypt.
!! Failed: execution expired
```
Could the workaround please be updated for the new API (changing the 1 to a 2 in the url)?

Issue #273: sympl-mail: A default-forward configured for a domain bypasses SpamAssassin filtering
https://gitlab.com/sympl.io/sympl/-/issues/273 (2019-12-05T21:18:35Z, Paul Cammish)

As mentioned: https://forum.sympl.host/t/spam-not-being-tagged-nor-moved-to-the-spam-folder/63/4?u=kelduum
Seems likely it's an order of execution thing - the mail is being handled by the delivery function before it's been scanned.
IIRC, this was an issue with Symbiosis as well, so likely has been around a while.

Issue #274: ChangeLog needs updating with the major changes.
https://gitlab.com/sympl.io/sympl/-/issues/274 (2019-12-13T16:51:16Z, Paul Cammish)

As per !146, the changelog needs some updates with the service affecting changes.

Issue #275: "doveconf: Warning: please set ssl_dh"
https://gitlab.com/sympl.io/sympl/-/issues/275 (2020-01-28T00:25:23Z, Paul Cammish)

I'm getting an hourly email from /etc/cron.hourly/sympl-mail-dovecot-sni saying:
> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
> doveconf: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
It looks like from https://wiki2.dovecot.org/Upgrading/2.3#dhparams you can do just that in order to fix the issue, but not sure if there's something else that should be done instead/as well. I'm running the buster version of Sympl.

Issue #276: sympl-webmail: Roundcube fails to import contacts
https://gitlab.com/sympl.io/sympl/-/issues/276 (2020-01-28T13:26:56Z, Paul Cammish)

See https://forum.sympl.host/t/roundcube-fails-importing-contact-list/92?u=kelduum for details.
In short, uploads work fine for attachments but fail for contacts uploads, and likely other cases.

Issue #277: sympl-mail: add Autoconfigure functionality
https://gitlab.com/sympl.io/sympl/-/issues/277 (2020-01-31T09:23:05Z, Paul Cammish)

AutoConfigure for email is fairly simple, and only requires an XML file at a specific path.
Adding functionality for this should be fairly easy to accomplish.
https://forum.sympl.host/t/configure-auto-discover-for-mail-setup/94?u=kelduum

Issue #278: sympl-ssl: Reimplementation
https://gitlab.com/sympl.io/sympl/-/issues/278 (2021-02-12T18:08:30Z, Paul Cammish)

Complete reimplementation of sympl-ssl in Python, maintaining all the existing functionality and resolving long-standing issues.

Issue #279: sympl-monit: Security warning emails on hostname resolution failure
https://gitlab.com/sympl.io/sympl/-/issues/279 (2020-04-20T10:41:34Z, Paul Cammish)

If for some reason DNS fails for the system hostname, the systemd service at `/usr/lib/systemd/system/sympl-monit.service` will throw security warnings at the root user via email as sudo is not happy.

Issue #280: sympl-core: sympl-filesystem-security breaks access to config/stats-htaccess
https://gitlab.com/sympl.io/sympl/-/issues/280 (2020-04-20T10:41:34Z, Paul Cammish)

Reported by a user, the `config/stats-htaccess` file has its permissions reset by `sympl-filesystem-security` to a configuration which prevents access by www-data, and therefore Apache denied all access to example.com/stats
Due date: 2020-04-20

Issue #281: sympl-mail: filesystem loop in /srv causes errors with sympl-mail-dovecot-sni
https://gitlab.com/sympl.io/sympl/-/issues/281 (2020-04-20T10:41:32Z, Paul Cammish)

Obviously it should do this, and it looks like the search for certificates is looking far too wide, searching all of /srv rather than just /srv/*/config/ssl/current/
Due date: 2020-04-20

Issue #282: sympl-mail: Enhancement - Expand blacklist functionality
https://gitlab.com/sympl.io/sympl/-/issues/282 (2020-04-20T11:22:27Z, Paul Cammish)

Adding functionality for the b.barracudacentral.org and bl.spamcop.net RBLs alongside the current Spamhaus ones may be useful, however as they are more sensitive relevant warnings should be added to the documentation.

Issue #283: sympl-mail: Enhancement - Improve Exim logging
https://gitlab.com/sympl.io/sympl/-/issues/283 (2020-04-20T11:25:36Z, Paul Cammish)

It's been suggested that moving the `log_selector` configuration out of `00-main/50-tls-options` into its own separate file would be useful (due to a limitation on how many instances there can be), and likely adding the `+smtp_protocol_error` option to it which will improve data for blacklisting with `sympl-firewall`.

Issue #284: sympl-mail: Enhancement - Add a whitelist for Exim
https://gitlab.com/sympl.io/sympl/-/issues/284 (2020-04-20T11:22:27Z, Paul Cammish)

If you're potentially blocking more mail due to the enhancement in issue #282, the ability to whitelist hosts/IPs would be useful to skip all spam filtering and consider the source as trusted.
This would likely need to be configured on a whole-host basis, and maybe should be located in /etc/sympl rather than the Exim config directory.
Maybe something which can be done automatically based on a previous good reputation, similar to the blacklists used by the firewall?

Issue #285: sympl-mail: Enhancement - Reject abusive hosts in Exim
https://gitlab.com/sympl.io/sympl/-/issues/285 (2020-04-20T11:25:36Z, Paul Cammish)

Assuming we are logging more data from issue #283, we can then blacklist (or greylist?) abusive hosts using sympl-firewall, which should deal with attempts to brute-force account details.

Issue #286: sympl-mail: Review Exim configuration
https://gitlab.com/sympl.io/sympl/-/issues/286 (2020-04-20T11:28:55Z, Paul Cammish)

The Exim configuration has been inherited from older versions of Symbiosis, and has diverged a fair bit from the default Debian configuration. It's worth a full review of the config to bring it more in line and avoid issues later on.
One specific mention was that we should
> Comment out the rfc_1413 lines in 00-main/60-general-options and add a separate file with an ‘official’ exim4 recipe for turning ident off.
...which seems like a good start.

Issue #287: sympl-mail: Man pages broken for support scripts
https://gitlab.com/sympl.io/sympl/-/issues/287 (2020-04-20T11:35:18Z, Paul Cammish)

The man pages for:
```text
sympl-mail-dict-proxy
sympl-mail-encrypt-passwords
sympl-mail-poppassd
```
Only contain the Groff header, and should be fixed.

Issue #288: sympl-core: Man page broken for sympl-ssl
https://gitlab.com/sympl.io/sympl/-/issues/288 (2020-04-20T11:37:33Z, Paul Cammish)

This is likely as the sympl-ssl man pages are built from the ruby normally, which currently has a wrapper to fix IPv6 support.
This should be fixed soon if possible, otherwise it will be fixed as part of issue #278.

Issue #289: sympl-firewall: The firewall shouldn't destroy other chains, and should be less ambiguous.
https://gitlab.com/sympl.io/sympl/-/issues/289 (2020-04-20T14:05:48Z, Paul Cammish)

This would be a change to existing operation, but Sympl shouldn't wipe out all the other iptables chains when it runs, and only modify rules it created itself (ie: comments).
Similarly, the ambiguously named blacklist and whitelist should have names referencing Sympl.

Issue #290: sympl-core: sympl-filesystem-security removes +x flag from /etc/sympl/firewall/local.d/*
https://gitlab.com/sympl.io/sympl/-/issues/290 (2020-04-27T17:06:12Z, Paul Cammish)

The directory contains scripts run at the end of sympl-firewall, which need to be executable, but `sympl-filesystem-security` currently removes that flag.

Issue #291: sympl-webmail: Getting roundcube to work
https://gitlab.com/sympl.io/sympl/-/issues/291 (2020-04-22T11:49:34Z, Paul Cammish)

Not that I use roundcube - but it's a useful backup. The system seems to have the right database tables, but cannot access them and there are some other minor tiny changes to make to it work. Now it may be that it does work... I couldn't get it to log me in. So I did this lot:
1) Install `php-net-idna2` (`apt install php-net-idna2`); the install script complains about this.
2) Create the temp symlink:
```
cd /usr/share/roundcube
ln -s /var/lib/roundcube/temp
```
Roundcube is looking in /var/lib/roundcube or so it says.
3) Change /etc/defaults.inc.php. This line:
```
$config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
```
points to roundcubemail - where the mysql database is roundcube. So change that.
Now run `dpkg-reconfigure roundcube-core`; it creates debian-db.php, which contains a password. This still isn't roundcube's password, so:
```
# mysql mysql
> alter user 'roundcube'@'localhost' identified by 'THE PASSWORD IN THE FILE';
> FLUSH PRIVILEGES;
```
Check that the password works - and add it into /etc/defaults.inc.php after the colon.
It should all now spring into life.

Issue #292: sympl-web: Separate packages needed for i386, amd64 and armhf
https://gitlab.com/sympl.io/sympl/-/issues/292 (2020-04-22T11:56:50Z, Paul Cammish)

At the moment, the `sympl-web` package is marked as 'all' architectures, but contains some compiled Go in the form of sympl-web-logger, which isn't portable to armhf, and logs continual errors to /var/log/apache2/error.log as it can't start it.
This should be a reasonably simple fix to cross-compile it and package it appropriately.

Issue #293: sympl-web: SSL Stapling is enabled for self-signed certs
https://gitlab.com/sympl.io/sympl/-/issues/293 (2020-04-22T11:58:37Z, Paul Cammish)

From https://forum.sympl.host/t/error-message-in-apache-error-log/113/4?u=kelduum
```
[Tue Apr 21 19:07:29.793000 2020] [ssl:error] [pid 585] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: CN=raspberrypi.localdomain / issuer: CN=raspberrypi.localdomain / serial: 5E9F307C / notbefore: Apr 21 17:42:20 2020 GMT / notafter: Apr 21 17:42:20 2021 GMT]
[Tue Apr 21 19:07:29.793961 2020] [ssl:error] [pid 585] AH02604: Unable to configure certificate raspberrypi.localdomain:443:0 for stapling
```
It looks like `sympl-web/lib/symbiosis/config_files/apache.rb` has the relevant code, and probably needs a tweak to move the decision to use SSL stapling there if it's a self-signed cert, and out of the templates.

Issue #294: sympl-web: php-zip package is not installed by default
https://gitlab.com/sympl.io/sympl/-/issues/294 (2020-09-09T17:23:53Z, Paul Cammish)

It probably should be included in typical installs, as windows-centric stuff is likely to expect it to be there.

Issue #295: sympl-cli: running some commands as root doesn't ensure result has the right owner
https://gitlab.com/sympl.io/sympl/-/issues/295 (2020-09-09T17:23:53Z, Paul Cammish)

Example: `sudo sympl web create example.com` creates the directory in /srv with the owner as root.
https://forum.sympl.host/t/sympl-cli-feature-discussion/30/8

Issue #296: sympl-web: /etc/sympl/apache.d/non-ssl.template.erb sets ssl_access.log & ssl_error.log
https://gitlab.com/sympl.io/sympl/-/issues/296 (2020-09-09T17:23:25Z, Paul Cammish)

# Summary
Access and error logs for non-ssl enabled sites are incorrectly named, see below.
# Steps to reproduce
Create a non-ssl site in /srv, run /usr/sbin/sympl-web-configure and you'll find the logs are going into /srv/site/public/logs/ssl_access.log and ssl_error.log
# Example Project
n/a
# What is the current bug behavior?
Configurations are generated for non-ssl sites where the logfiles are ssl_access.log and ssl_error.log
The non-ssl virtualhost for an ssl enabled site correctly sets access.log and error.log.
The template (/etc/sympl/apache.d/non-ssl.template.erb) has typos in the relevant config lines.
# What is the expected correct behavior?
Would expect the logs to be access.log and error.log as per non-ssl virtual server on an ssl enabled site.
# Relevant logs and/or screenshots
# Possible fixes
```
--- non_ssl.template.erb 2020-07-01 22:25:28.000000000 +0100
+++ non_ssl.template.erb.fixed 2020-07-01 22:26:08.000000000 +0100
@@ -87,8 +87,8 @@
</Directory>
# Write logs directly.
- ErrorLog "<%= domain.log_dir %>/ssl_error.log"
- CustomLog "<%= domain.log_dir %>/ssl_access.log" combined
+ ErrorLog "<%= domain.log_dir %>/error.log"
+ CustomLog "<%= domain.log_dir %>/access.log" combined
</VirtualHost>
```
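Review bot: the hunk header names the file `non_ssl.template.erb` (underscore), while the issue title and the "current bug behavior" section refer to `/etc/sympl/apache.d/non-ssl.template.erb` (hyphen); whoever applies the patch needs to know which path actually ships, so the report should use one consistent name. The two-line substitution itself (`ssl_error.log` to `error.log`, `ssl_access.log` to `access.log`) matches the expected behaviour stated above for the non-SSL virtual host.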
[non_ssl.template.erb.patch](/uploads/3d78c3b9e56263e31a66c8d5c513cbbf/non_ssl.template.erb.patch)
/cc @kelduum
Assignee: Paul Cammish

Issue #297: sympl-backup: `backup2l -r <regexp>` in Buster only restores directories, and no files
https://gitlab.com/sympl.io/sympl/-/issues/297 (Paul Cammish, 2020-07-06T12:45:46Z)
From: https://forum.sympl.host/t/problem-restoring-with-backup2l/138/7
In short, the 'extract' functionality is missing from the TAR driver for backup2l, meaning it can do everything apart from actually extract the relevant files.
The files are backed up okay, but the automatic restore functionality is broken.
Assignee: Paul Cammish

Issue #298: sympl-filesystem-security: public-group doesn't work
https://gitlab.com/sympl.io/sympl/-/issues/298 (Paul Cammish, 2020-09-09T17:23:53Z)
# Summary
When putting a group into `<domain>/config/public-group`, running `sympl-filesystem-security` produces the output `id: ‘<group>’: no such user`. Found on sympl-core/stretch 9.0.200510.0.
# Steps to reproduce
Place the name of a group that isn't `www-data` in `<domain>/config/public-group` and run `sympl-filesystem-security`.
# Possible fixes
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/buster/core/sbin/sympl-filesystem-security#L50 (and 51) use `id -g $gid`, which seems like it should find the GID of a group, but actually finds the GID of the primary group of user $gid. If no user of the same name as the requested group exists, this fails. The script seems like it will need to use `getent group` and `cut` or `awk` to get the right fields.
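An added example, not code from the issue or from `sympl-filesystem-security`, showing the two lookups side by side: `id -g` only answers for a user of the given name, while `getent group` answers for the group itself. The character check on the group name is this example's own rule, added because the value is read from a file the site owner can edit; the `demo` function and its temporary file stand in for `<domain>/config/public-group`.

```shell
#!/bin/sh
# The lookup the issue describes: id -g prints the primary GID of the *user*
# called $1, so it only coincides with the group's GID when a user of the same
# name exists.  For a group with no matching user it fails with
# "id: '<group>': no such user".
gid_via_id() {
    id -g "$1" 2>/dev/null
}

# Correct lookup: consult the group database (files, LDAP, ... via NSS) and
# take the third colon-separated field of the getent(1) record.
gid_of_group() {
    group=$1
    # Sanity check (this example's own rule, not the script's): the name comes
    # from <domain>/config/public-group, which the site owner can write, so
    # refuse anything that is not a plain group name before passing it on.
    case $group in
        ''|*[!A-Za-z0-9._-]*|-*) return 1 ;;
    esac
    entry=$(getent group "$group") || return 1
    printf '%s\n' "$entry" | cut -d: -f3
}

# Usage: compare both answers for a group name read from a public-group file.
# The temporary file stands in for /srv/example.com/config/public-group and
# is filled with the current user's primary group, the one case where both
# lookups agree; try a group such as "sudo" or "www-data" to see them differ.
demo() {
    f=$(mktemp)
    printf '%s\n' "$(id -gn)" > "$f"
    g=$(head -n 1 "$f")
    printf 'id -g:        %s\n' "$(gid_via_id "$g" || echo '(no such user)')"
    printf 'getent group: %s\n' "$(gid_of_group "$g" || echo '(no such group)')"
    rm -f "$f"
}
```

`getent` goes through the same NSS sources as `id`, so the fix keeps working on hosts whose groups live in LDAP rather than `/etc/group`.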
/cc @kelduum
Assignee: Paul Cammish

Issue #299: sympl-core: sympl-filesystem-security reset permissions on public/cgi-bin
https://gitlab.com/sympl.io/sympl/-/issues/299 (Paul Cammish, 2020-09-09T17:23:53Z)
This causes cgi-bin scripts to fail, and various headaches for anyone with older stuff.
Assignee: Paul Cammish

Issue #300: sympl-web: Support for Apache Includes
https://gitlab.com/sympl.io/sympl/-/issues/300 (Paul Cammish, 2020-09-10T08:28:06Z)
A great idea in https://forum.sympl.host/t/auto-updating-ssl-certs-with-custom-apache-site-config/69/3?u=kelduum is to add an IncludeOptional directive to load extra configuration files from the config directory.
Assignee: Paul Cammish

Issue #301: sympl-firewall: "Another app is currently holding the xtables lock"
https://gitlab.com/sympl.io/sympl/-/issues/301 (Paul Cammish, 2020-09-17T13:30:58Z)
One user was reporting emails like this, coming from `/usr/sbin/sympl-firewall` and `/usr/sbin/sympl-firewall-blacklist` on two hosts.
```text
From: Cron Daemon <root@hostname.fqdn>
Date: Mon, 14 Sep 2020 at 19:00
Subject: Cron <root@hostname> [ -x /usr/sbin/sympl-firewall ] &&
/usr/sbin/sympl-firewall
To: <root@hostname.fqdn>
Another app is currently holding the xtables lock. Perhaps you want to use
the -w option?
sympl-firewall: Firewall script failed.
sympl-firewall: Flushing /sbin/iptables rules and chains.
sympl-firewall: Flushing /sbin/ip6tables rules and chains.
sympl-firewall: Restoring old iptables rules and chains.
sympl-firewall: Restoring old ip6tables rules and chains.
sympl-firewall: Left firewall script in
/tmp/user/0/sympl-firewall-20200914-1505-1srb1j3-saved for inspection.
```
The direct cause is unclear at the moment, and they don't happen all the time (once a day or so, apparently), so it may simply be a race condition.

Issue #302: sympl-ssl and sympl-web-configure don't show automatic www subdomains
https://gitlab.com/sympl.io/sympl/-/issues/302 (Paul Cammish, 2020-10-18T11:49:59Z)
`sympl-ssl --verbose` and `sympl-web-configure --verbose` don't list the www subdomains if they are created automatically, i.e. they don't have their own `/srv/www.example.org` but instead exist as a result of `/srv/example.org`. I was struggling to diagnose a configuration problem today and I couldn't work out whether my .htaccess file was incorrect or the www subdomain wasn't configured, and the fact that it wasn't listed in the output of either command made me think the latter.
I think it would be useful if the two commands printed the www subdomains as well, either by default or as an extra flag.
Example:
```
sudo sympl-ssl --verbose
[sudo] password for sympl:
* Examining certificates for politicsgeek.com
Current SSL set 0: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2021-01-16 10:11:33 UTC
```
politicsgeek.com is included because it is the CN for the certificate, but there's no mention that the certificate also includes www.politicsgeek.com as the Subject Alternative Name.

Issue #303: sympl-firewall: Traffic on the local IPv6 network can trigger blacklisting of the LAN
https://gitlab.com/sympl.io/sympl/-/issues/303 (Paul Cammish, 2021-01-23T17:45:17Z)
Sympl will track IPv6 traffic at a /64 resolution, but this means that if something on the same LAN is flagged and blacklisted, it will effectively disable IPv6 traffic from the same /64, which can interfere with monitoring or similar.
What should probably happen is that Sympl is a bit more granular with its filtering of v6 addresses on the same /64, and instead only blocks individual IPs if it sees them acting suspiciously.

Issue #304: sympl11 - Exim configuration uses tainting workaround
https://gitlab.com/sympl.io/sympl/-/issues/304 (Paul Cammish, 2021-08-13T16:12:36Z)
The configuration in Exim 4.94 has introduced the concept of tainting for user-submitted variables.
This causes some issues with the Sympl configuration as we need to be able to read the relevant information based on the input to route mail correctly.
A workaround has been applied to the relevant parts, but this should be removed before it leaves testing.

Issue #305: Update copyright dates to 2023, and license to GPL3
https://gitlab.com/sympl.io/sympl/-/issues/305 (Paul Cammish, 2023-05-26T10:55:17Z)
The licence for Sympl 11 should be updated to the more modern GPL3, which is a bit clearer in a few cases.
Similarly, copyright dates should also be updated.
Milestone: Sympl 12 (bookworm)

Issue #306: Sympl 11: Installing sympl-mysql doesn't write the password to /home/sympl
https://gitlab.com/sympl.io/sympl/-/issues/306 (Paul Cammish, 2021-02-15T11:33:44Z)
This is currently causing the testing to fail, and will need looking into.
Milestone: Sympl 11 for Debian Bullseye
Assignee: Paul Cammish

Issue #307: Sympl 11: sympl-mail - Update exim configurations (historic)
https://gitlab.com/sympl.io/sympl/-/issues/307 (Paul Cammish, 2021-02-12T18:21:16Z)
Changes to the Exim configuration were needed to pass the existing test suite.
These were done in 7dc9c294 15c8c20f 5a1b47ae 33d97665 6b4fbe1c
See also #304 which is related as it involved a workaround.
Milestone: Sympl 11 for Debian Bullseye

Issue #308: sympl11 - Re-enable testing CI
https://gitlab.com/sympl.io/sympl/-/issues/308 (Paul Cammish, 2021-08-13T16:12:17Z)
No testing branch at present with public packages to test against, so CI was disabled temporarily in 05713c43.
Will need re-enabling once the testing branch has been publicly built.
Milestone: Sympl 11 for Debian Bullseye
Assignee: Paul Cammish

Issue #309: sympl11 - Re-enable stable CI
https://gitlab.com/sympl.io/sympl/-/issues/309 (Paul Cammish, 2021-08-13T16:08:34Z)
No stable branch at present with public packages to test against, so CI was disabled temporarily in 05713c43.
Will need re-enabling once the stable branch has been publicly built.
Milestone: Sympl 11 for Debian Bullseye
Assignee: Paul Cammish
Due: 2021-06-01

Issue #310: sympl-mail: config/antispam doesn't work as expected
https://gitlab.com/sympl.io/sympl/-/issues/310 (Paul Cammish, 2024-03-19T17:05:32Z)
What is expected to happen:
* With the `antispam` file at `/srv/example.com/config/antispam` and empty, spam mail identified as spam should be rejected.
* With the `antispam` file at `/srv/example.com/config/antispam` and containing `tag`, spam mail should:
1. have the `X-Spam-Status: spam` header set, and the mail accepted.
2. be delivered to the `Spam` mail folder of the user.
What actually happens is that `1` works as expected, but `2` rejects the mail as spam regardless of the tag setting, *unless* the `config/antispam` file is world-readable, which it likely shouldn't be.
In no instance (apparently inherited from Symbiosis) does the mail actually get placed in the user's Spam folder; although it would be *possible* to create a sieve filter to do this, or for Dovecot to handle it, the mail is placed in the normal mail folder.
A quick fix would be to change `/etc/exim4/sympl.d/10-acl/50-acl-check-rcpt/80-enable-antispam-check` to:
```
${if match{${extract{smode}{${stat:VHOST_DIR/${domain}/VHOST_CONFIG_DIR/antispam}}}}{\Nr\N}{\
```
A fix for tagging spam properly would be to enable the subject rewrites by default, by adding the following to `/etc/exim4/system_filter`:
```
if $h_X-Spam-Status: contains "spam"
then
headers add "Original-Subject: $h_subject"
headers remove "Subject"
headers add "Subject: *** SPAM *** $h_original-subject"
endif
```
Note this also affects config/antivirus, which has a similar (undocumented) tagging function for virus infected emails in `/etc/exim4/sympl.d/10-acl/50-acl-check-rcpt/85-enable-antivirus-check`.
Assignee: Paul Cammish

Issue #311: sympl-core: MOTD refers to v9.0 and v10.0
https://gitlab.com/sympl.io/sympl/-/issues/311 (Paul Cammish, 2021-04-13T11:38:10Z)
Since switching to continuous releases, we should remove the '.0' references on the MOTD.

Issue #312: sympl-firewall: iptables-persistent conflict
https://gitlab.com/sympl.io/sympl/-/issues/312 (Paul Cammish, 2022-03-28T10:01:35Z)
It looks like when iptables-persistent is installed with a reasonably standard config, it can prevent DNS lookups when there are no IPv4 resolvers, which leads to the sympl-firewall hook waiting indefinitely and eventually being killed, and therefore no IPv6 coming up (and therefore no DNS resolution), which leads to other oddities.
Likely fix: make sure the hook doesn't stall indefinitely and instead times out.

Issue #313: sympl-mail: Exim deny-unusual-characters acl is a little over-strict for outgoing mail.
https://gitlab.com/sympl.io/sympl/-/issues/313 (Paul Cammish, 2021-07-01T13:14:18Z)
Non-local domains deny `%` and `!` in email addresses, although they're valid, and it seems like Xero are using `!`'s in emails in some cases.
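As an added example, not part of the issue or of the Sympl Exim configuration, the current and the proposed `local_parts` lists approximated with `grep -E`, so the effect of dropping `%` and `!` can be checked on sample local parts. Exim treats a `local_parts` item starting with `^` as a regular expression and the colon-separated list as "deny if any item matches"; the sample local parts are constructed for this example, and `\.` is used where the Exim file writes an escaped dot so that `/../` is matched literally.

```shell
#!/bin/sh
# Returns 0 (deny) if local part $1 matches any of the extended regexes passed
# as the remaining arguments, mirroring Exim's "local_parts = re1 : re2 : re3"
# list, where a match on any item satisfies the condition.  Approximation:
# Exim uses PCRE and grep -E uses POSIX ERE, but for these patterns they agree.
local_part_denied() {
    lp=$1
    shift
    for re in "$@"; do
        if printf '%s\n' "$lp" | grep -qE -e "$re"; then
            return 0
        fi
    done
    return 1
}

# The rule as shipped in 20-deny-unusual-characters for non-local domains:
# a leading . / or |, any @ % or !, or a /../ sequence anywhere.
denied_before() {
    local_part_denied "$1" '^[./|]' '^.*[@%!]' '^.*/\.\./'
}

# The proposed rule: % and ! are no longer rejected.  Both were source-routing
# syntax once (the "percent hack" and UUCP bang paths), which is why old
# configurations refuse them; a modern MTA does not act on them, so the
# remaining checks (a leading . / |, an embedded @, and /../) still cover the
# path-traversal and relay tricks the rule was written for.
denied_after() {
    local_part_denied "$1" '^[./|]' '^.*@' '^.*/\.\./'
}

# Constructed sample local parts: prints the verdict of each rule side by side.
report() {
    for lp in 'fred' 'fred!bob' 'a%b' 'x@y' '.hidden' 'x/../y' 'rfc/822'; do
        b=allow
        a=allow
        denied_before "$lp" && b=deny
        denied_after "$lp" && a=deny
        printf '%-10s before=%-5s after=%s\n' "$lp" "$b" "$a"
    done
}
```

Running `report` shows only `fred!bob` and `a%b` changing from deny to allow; the cases involving `@`, a leading dot and `/../` are rejected by both lists.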
Replacing `local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./` with `local_parts = ^[./|] : ^.*@ : ^.*/\\.\\./` in https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/buster/mail/exim4/sympl.d/10-acl/50-acl-check-rcpt/20-deny-unusual-characters should fix this.

Issue #314: sympl-ftp: SSL cert isn't updated once rotated
https://gitlab.com/sympl.io/sympl/-/issues/314 (Paul Cammish, 2021-09-20T22:46:56Z)
There's nothing to restart the pure-ftpd service once the SSL cert is updated, so a monthly restart may be worthwhile.
From: https://forum.sympl.host/t/ftps-certificate-expired-error/225

Issue #315: sympl-mail: sympl-mail-poppassd fails to start in Bullseye IPv6-only
https://gitlab.com/sympl.io/sympl/-/issues/315 (Paul Cammish, 2021-08-23T07:35:18Z)
It seems that an IPv6-only instance running Bullseye falls foul of a change in Ruby which prevents it from binding to 127.0.0.1, but adding an IPv4 address on loopback means it's okay, and this is fine with prior Debian versions.
As a short-term work-around, adjusting https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/bullseye/mail/sbin/sympl-mail-poppassd and changing:
```ruby
EventMachine.run do
begin
EventMachine.start_server "127.0.0.1", port, Symbiosis::Email::PoppassHandler
rescue StandardError => err
syslog.info "Caught #{err.to_s} "
EM.stop
end
end
```
to:
```ruby
EventMachine.run do
  begin
    # Preferred: listen on IPv4 loopback only, as before.
    EventMachine.start_server "127.0.0.1", port, Symbiosis::Email::PoppassHandler
  rescue StandardError => err
    begin
      # On an IPv6-only host the bind above fails; fall back to the IPv6
      # wildcard so the service still starts (access is limited by the firewall).
      EventMachine.start_server "::", port, Symbiosis::Email::PoppassHandler
    rescue StandardError => err
      syslog.info "Caught #{err.to_s} "
      EM.stop
    end
  end
end
```
This will have it fall back and still bind to 127.0.0.1. This also binds to other addresses, but it's firewalled so shouldn't be an issue.
Milestone: Sympl 11 for Debian Bullseye
Assignee: Paul Cammish

Issue #316: install: fails on Debian 11 without gnupg if debconf-set-selections already installed
https://gitlab.com/sympl.io/sympl/-/issues/316 (Paul Cammish, 2021-08-23T07:37:11Z)
# Summary
Using a fresh Debian 11 image on Linode, the install script exits at the following line due to lack of gnupg
```
root@localhost:~# wget -qO- https://mirror.mythic-beasts.com/mythic/support@mythic-beasts.com.gpg.key | apt-key add -
E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
```
# Steps to reproduce
Using a fresh Debian 11 image on Linode, the install script exits at the following line due to lack of gnupg
- create linode with Debian 11 image
- follow documentation to install (https://wiki.sympl.host/view/Installing_Sympl)
- a) `wget https://gitlab.mythic-beasts.com/sympl/install/raw/master/install.sh`
- b) `bash install.sh`
- watch installer die at `Adding repository key...`
- specifically, `apt-key` fails to add the gpg public key due to missing dependency, see logs below
EDIT: It appears that `gnupg` is already listed as a dependency in the install script, but never installed since `debconf-set-selections` is already installed on the Linode image
# Example Project
Follow documentation (https://wiki.sympl.host/view/Installing_Sympl) on Debian 11 image which doesn't contain a gnupg package, such as Linode's Debian 11 image
# What is the current bug behavior?
Installer dies part way though, as above
# What is the expected correct behavior?
Installer completes successfully! :sunglasses:
# Relevant logs and/or screenshots
Before running script
```
root@localhost:~# which debconf-set-selections
/usr/bin/debconf-set-selections
```
Installer failing:
```
-----------------------------------------------------------------------
Sympl Installer v20210818
-----------------------------------------------------------------------
This script will help you install Sympl on a Debian Linux or Raspberry
Pi OS server with minimal hassle, and give you some intial pointers.
Installing initial dependencies...
All packages are up to date.
Installing Sympl from 'bullseye' repository.
Setting defaults...
Adding repository key...root@localhost:~#
```
Failing line ran separately:
```
root@localhost:~# wget -qO- https://mirror.mythic-beasts.com/mythic/support@mythic-beasts.com.gpg.key | apt-key add -
E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
```
# Possible fixes
Lines causing issues:
- `if [ "x$(which debconf-set-selections)" = "x" ]; then`
- `wget -qO- https://mirror.mythic-beasts.com/mythic/support@mythic-beasts.com.gpg.key | apt-key add -`
Either remove the check around the `debconf-set-selections` dependency installation, or separate `gnupg` into its own dependency installation block.
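One way to make the dependency step robust, as an added example rather than a patch to install.sh: check each required command on its own and install only the packages whose command is absent, so a pre-installed `debconf-set-selections` on an image no longer hides a missing `gpg`. The command-to-package mapping and the `install_missing` wrapper are this example's assumptions, not the installer's code.

```shell
#!/bin/sh
# Given cmd:package pairs, print (space separated) the packages whose command
# is not on PATH.  Each pair is tested independently, so the presence of one
# command (debconf-set-selections) cannot mask the absence of another (gpg).
missing_packages() {
    missing=
    for pair in "$@"; do
        cmd=${pair%%:*}
        pkg=${pair#*:}
        if ! command -v "$cmd" >/dev/null 2>&1; then
            missing="$missing $pkg"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Installer step (example wrapper; needs root and apt on a real Debian host).
# debconf-set-selections lives in package debconf, gpg in gnupg, and both are
# needed before the repository key can be imported.  apt-key is deprecated on
# current Debian; the key can instead be dearmored into /etc/apt/keyrings and
# referenced with signed-by= in the sources entry, which still needs gpg.
install_missing() {
    pkgs=$(missing_packages debconf-set-selections:debconf gpg:gnupg wget:wget)
    if [ -n "$pkgs" ]; then
        echo "Installing initial dependencies: $pkgs"
        # shellcheck disable=SC2086  # word splitting of $pkgs is intended
        apt-get install -y $pkgs
    fi
}
```

Whichever way the key is imported, it is worth comparing its fingerprint against a value published out of band rather than trusting whatever the download returned.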
/cc @kelduum
Assignee: Paul Cammish

Issue #317: sympl-mail: /srv/example.com/mailboxes is required to accept mail
https://gitlab.com/sympl.io/sympl/-/issues/317 (Paul Cammish, 2021-09-23T21:15:58Z)
Due to the changes in Exim in Debian 11, the config now expects the /srv/example.com/mailboxes directory to exist for incoming mail, and fails if it doesn't (i.e. there are aliases or a default forward, etc.).
Reported in https://forum.sympl.host/t/mail-aliases-in-config-aliases/234
Assignee: Paul Cammish
Due: 2021-09-24

Issue #318: sympl-core: Cross signed Let's Encrypt bundle flags all LE certs as expired
https://gitlab.com/sympl.io/sympl/-/issues/318 (Paul Cammish, 2021-10-04T10:11:53Z)
This is caused by the current Ruby codebase, which uses the OpenSSL library to build a certificate store used to validate certificates.
The bundle now includes an extra cert with a copy of the normal intermediate signed by the now-expired DST X3 Root certificate (used as a workaround for old devices which don't have the new X1 root cert), meaning the bundle is effectively signed twice.
This is fine in the vast majority of cases, but in this instance, the presence of an intermediate signed by an expired root raises an error, which then means sympl-ssl.rb considers the whole chain invalid, leading to it retrieving new certs on every run.
A workaround has been put together in sympl-ssl to remove the expired intermediate from the ssl.bundle and ssl.combined when preceded by the normal cert in !243 !244 !245.
Longer-term, the existing sympl-ssl will be replaced by the new version in development.
Assignee: Paul Cammish

Issue #319: multiple: 'tempfile is deprecated; consider using mktemp instead.'
https://gitlab.com/sympl.io/sympl/-/issues/319 (Paul Cammish, 2022-03-28T10:02:58Z)
Reported in https://forum.sympl.host/t/tempfile-is-deprecated-messages/245
Cron weekly (and likely others) report `WARNING: tempfile is deprecated; consider using mktemp instead. ` when running the jobs.
On investigation, `tempfile` is used in:
```list
core/lib/symbiosis/config_file.rb
core/test.d/tc_utils.rb
core/test.d/tc_config_file.rb
dns/lib/symbiosis/config_files/tinydns.rb
firewall/sbin/sympl-firewall-blacklist
firewall/sbin/sympl-firewall-whitelist
firewall/sbin/sympl-firewall
firewall/test.d/tc_blacklistdb.r
ftp/test.d/tc_ftp.rb
mail/sympl/test.d/tc_poppassd.rb
mail/sympl/test.d/tc_dict_handler.rb
web/lib/symbiosis/config_files/apache.rb
web/lib/symbiosis/config_files/webalizer.rb
web/test.d/tc_apache_logger.rb
web/test.d/tb_sympl_web_configure.rb
```
More investigation is probably needed as it looks to be originating with the Ruby tempfile.rb library.

Issue #320: sympl-firewall: does not play nicely with iptables-persistent
https://gitlab.com/sympl.io/sympl/-/issues/320 (Paul Cammish, 2021-12-06T19:55:39Z)
You can get in an odd state if you don't have any v4 DNS resolvers and have iptables-persistent installed, where it will eventually fail to bring up the IPv6 address on the server, after timing out, and sympl-firewall will fail in an odd way, meaning the server acts unusually.
Adding iptables-persistent (and friends) to the conflicts list should prevent this.

Issue #321: Add DNS records without preventing automatic generation
https://gitlab.com/sympl.io/sympl/-/issues/321 (Paul Cammish, 2023-03-16T12:58:49Z)
I have my domain sign my emails with DKIM, using the host name as a selector, but I can also use an external SMTP server for some things, which has given me a public key to add to DNS. I guess in this case, I want to be able to add records to the DNS for the domain, but if I edit the DNS file, all other records will stop being updated. It would be good if there could be a different file for additional records so that the automatic file would still match its checksum.

Issue #323: disable-filesystem-security: Can’t disable with config/disable-filesystem-security
https://gitlab.com/sympl.io/sympl/-/issues/323 (Paul Cammish, 2024-03-19T17:05:31Z)
# Summary
According to multiple pages in the wiki, you can use `/srv/example.com/config/disable-filesystem-security` to disable on a **per-site** basis. However only `${domain}/config/do-not-secure` for per-site or `/etc/sympl/disable-filesystem-security` for server-wide works.
https://wiki.sympl.io/view/Website_Configuration_Reference#Filesystem_Permissions
https://wiki.sympl.io/view/Configuration_Reference
See line 170 in the `sympl-filesystem-security` script
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/bullseye/core/sbin/sympl-filesystem-security#L170
# Steps to reproduce
- Create `/srv/example.com/config/disable-filesystem-security`
- change ownership of any file in the `public` directory
- run `sudo sympl-filesystem-security`
- the ownership is changed back, despite the script supposedly being disabled for this domain
# Example Project
See the script’s code, it doesn’t check on the file described in the wiki. It only checks the **global** config file, not the **domain specific** one.
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/bullseye/core/sbin/sympl-filesystem-security#L170
# What is the current bug behavior?
Doesn’t disable filesystem ownership changes in the domain
`/srv/example.com/config/disable-filesystem-security`
# What is the expected correct behavior?
According to multiple pages in the wiki, you can use `/srv/example.com/config/disable-filesystem-security` to disable on a **per-site** basis. However only `${domain}/config/do-not-secure` works.
https://wiki.sympl.io/view/Website_Configuration_Reference#Filesystem_Permissions
https://wiki.sympl.io/view/Configuration_Reference
# Possible fixes
See line 170 in the `sympl-filesystem-security` script
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/bullseye/core/sbin/sympl-filesystem-security#L170
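An added example, not the script's own code, of the check the wiki describes: the server-wide flag and both per-domain flag names are honoured, and all three are equivalent. The configuration directory is a parameter so the example runs against a scratch tree; `/etc/sympl` and the three file names are those the issue cites, while `secure_all` and its `/srv` stand-in are assumptions of this example.

```shell
#!/bin/sh
# Decide whether sympl-filesystem-security should touch the domain tree $2.
# $1 is the Sympl configuration directory (/etc/sympl on a real host,
# parameterised here so the example can run against a temporary tree).
# Returns 0 = secure this domain, 1 = skip it, and names the reason on stdout.
fs_security_enabled() {
    etc_dir=$1
    domain_dir=$2
    # Server-wide opt-out, the only one the script currently honours.
    if [ -e "$etc_dir/disable-filesystem-security" ]; then
        echo "skip: $etc_dir/disable-filesystem-security"
        return 1
    fi
    # Per-domain opt-outs: the name the script honours and the name the wiki
    # documents.  Both live in a directory the site owner can write, so
    # accepting the second adds no trust the first did not already grant.
    for flag in do-not-secure disable-filesystem-security; do
        if [ -e "$domain_dir/config/$flag" ]; then
            echo "skip: $domain_dir/config/$flag"
            return 1
        fi
    done
    echo "secure: $domain_dir"
    return 0
}

# Walk every domain directory under $2 (stands in for /srv) and print the
# decision for each; a real run would do the chown/chmod work where it says
# "secure:".
secure_all() {
    for d in "$2"/*/; do
        fs_security_enabled "$1" "${d%/}"
    done
}
```

Because the function only tests existence, a symlink dropped in `config/` works as well as an empty file, which is the same behaviour the existing `do-not-secure` check has.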
/cc @kelduum
Assignee: Paul Cammish

Issue #324: FTP logs should be written to /var/log/pure-ftp/connection.log or similar
https://gitlab.com/sympl.io/sympl/-/issues/324 (Paul Cammish, 2022-04-25T11:58:29Z)
At the moment they only get written to `/var/log/messages`, which isn't that logical as there's also a `/var/log/pure-ftpd/` directory, where you'd expect to find them.
Also, we shouldn't be logging the RDNS for connections without the IP where at all possible, as it's trivial to fake.