Sympl issues
https://gitlab.com/sympl.io/sympl/-/issues
2023-06-10T20:43:59Z

https://gitlab.com/sympl.io/sympl/-/issues/332
Error: test_smtp_capabilities(TestEximLive)
2023-06-10T20:43:59Z
Paul Cammish
```
Error: test_smtp_capabilities(TestEximLive): OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=10.0.2.15:25 state=error: sslv3 alert illegal parameter
/usr/lib/ruby/3.1.0/net/protocol.rb:46:in `connect_nonblock'
/usr/lib/ruby/3.1.0/net/protocol.rb:46:in `ssl_socket_connect'
/usr/lib/ruby/gems/3.1.0/gems/net-smtp-0.3.1/lib/net/smtp.rb:673:in `tlsconnect'
/usr/lib/ruby/gems/3.1.0/gems/net-smtp-0.3.1/lib/net/smtp.rb:649:in `do_start'
/usr/lib/ruby/gems/3.1.0/gems/net-smtp-0.3.1/lib/net/smtp.rb:604:in `start'
/etc/sympl/test.d/tc_exim4_live.rb:67:in `test_smtp_capabilities'
64: smtp = Net::SMTP.new('public_ip', 25)
65: smtp.debug_output = $stdout if $DEBUG
66:
=> 67: smtp.start do
68: assert(smtp.capable_starttls?,"STARTTLS is not advertised on port 25")
69: assert(!smtp.capable_plain_auth?, "AUTH PLAIN advertised without TLS on public IP")
70: assert(!smtp.capable_login_auth?, "AUTH LOGIN advertised without TLS on public IP")
```
Sympl 12 (bookworm)

https://gitlab.com/sympl.io/sympl/-/issues/331
Failure: test_cgi(TestHTTP)
2023-05-26T10:54:12Z
Paul Cammish
```
Failure: test_cgi(TestHTTP)
/etc/sympl/test.d/tc_http.rb:140:in `block in test_cgi'
137:
138: system ('sympl-web-configure')
139:
=> 140: assert_equal( "500", getCode( "/cgi-bin/test.cgi", @domain.name ),
141: "Fetching /cgi-bin/test.cgi did not return 500" )
142:
143: assert_equal( "500", getCode( "/cgi-bin/test.cgi", "www.#{@domain.name}" ),
/etc/sympl/test.d/tc_http.rb:131:in `test_cgi'
Fetching /cgi-bin/test.cgi did not return 500
<"500">(UTF-8) expected but was
<"404">(ASCII-8BIT)
diff:
? 500
? 4 4
? ? ?
? Encoding: UTF -8
? ASCII BIT
? ??? +++
```
Sympl 12 (bookworm)

https://gitlab.com/sympl.io/sympl/-/issues/305
Update copyright dates to 2023, and license to GPL3
2023-05-26T10:55:17Z
Paul Cammish
The licence for Sympl 11 should be updated to the more modern GPL3, which is a bit clearer in a few cases.
Similarly, copyright dates should also be updated.
Sympl 12 (bookworm)

https://gitlab.com/sympl.io/sympl/-/issues/310
sympl-mail: config/antispam doesn't work as expected
2024-03-19T17:05:32Z
Paul Cammish
What is expected to happen:
* With the `antispam` file at `/srv/example.com/config/antispam` and empty, spam mail identified as spam should be rejected.
* With the `antispam` file at `/srv/example.com/config/antispam` and containing `tag`, spam mail should:
1. have the `X-Spam-Status: spam` header set, and the mail accepted.
2. be delivered to the `Spam` mail folder of the user.
What actually happens is that `1` works as expected, but `2` rejects the mail as spam regardless of the tag setting, *unless* the `config/antispam` file is world-readable, which it likely shouldn't be.
In no instance (apparently inherited from Symbiosis) does the mail actually get placed in the user's Spam folder, although it would be *possible* to create a sieve filter to do this, or for Dovecot to handle it, the mail is placed in the normal mail folder.
A quick fix would be to change `/etc/exim4/sympl.d/10-acl/50-acl-check-rcpt/80-enable-antispam-check` to:
```
${if match{${extract{smode}{${stat:VHOST_DIR/${domain}/VHOST_CONFIG_DIR/antispam}}}}{\Nr\N}{\
```
A fix for tagging spam properly would be to enable the subject rewrites by default, by adding the following to `/etc/exim4/system_filter`:
```
if $h_X-Spam-Status: contains "spam"
then
headers add "Original-Subject: $h_subject"
headers remove "Subject"
headers add "Subject: *** SPAM *** $h_original-subject"
endif
```
Note this also affects config/antivirus, which has a similar (undocumented) tagging function for virus infected emails in `/etc/exim4/sympl.d/10-acl/50-acl-check-rcpt/85-enable-antivirus-check`.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/300
sympl-web: Support for Apache Includes
2020-09-10T08:28:06Z
Paul Cammish
A great idea in https://forum.sympl.host/t/auto-updating-ssl-certs-with-custom-apache-site-config/69/3?u=kelduum is to add an IncludeOptional directive to load extra configuration files from the config directory.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/299
sympl-core: sympl-filesystem-security reset permissions on public/cgi-bin
2020-09-09T17:23:53Z
Paul Cammish
This causes cgi-bin scripts to fail, and various headaches for anyone with older stuff.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/298
sympl-filesystem-security: public-group doesn't work
2020-09-09T17:23:53Z
Paul Cammish
# Summary
When putting a group into `<domain>/config/public-group`, running `sympl-filesystem-security` produces the output `id: ‘<group>’: no such user`. Found on sympl-core/stretch 9.0.200510.0.
# Steps to reproduce
Place the name of a group that isn't `www-data` in `<domain>/config/public-group` and run `sympl-filesystem-security`.
# Possible fixes
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/buster/core/sbin/sympl-filesystem-security#L50 (and 51) use `id -g $gid`, which seems like it should find the GID of a group, but actually finds the GID of the primary group of user $gid. If no user of the same name as the requested group exists, this fails. The script seems like it will need to use `getent group` and `cut` or `awk` to get the right fields.
/cc @kelduum
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/297
sympl-backup: `backup2l -r <regexp>` in Buster only restores directories, and no files
2020-07-06T12:45:46Z
Paul Cammish
From: https://forum.sympl.host/t/problem-restoring-with-backup2l/138/7
In short, the 'extract' functionality is missing from the TAR driver for backup2l, meaning it can do everything apart from actually extract the relevant files.
The files are backed up okay, but the automatic restore functionality is broken.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/295
sympl-cli: running some commands as root doesn't ensure result has the right owner
2020-09-09T17:23:53Z
Paul Cammish
Example: `sudo sympl web create example.com` creates the directory in /srv with the owner as root.
https://forum.sympl.host/t/sympl-cli-feature-discussion/30/8
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/294
sympl-web: php-zip package is not installed by default
2020-09-09T17:23:53Z
Paul Cammish
It probably should be included in typical installs, as Windows-centric stuff is likely to expect it to be there.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/293
sympl-web: SSL Stapling is enabled for self-signed certs
2020-04-22T11:58:37Z
Paul Cammish
From https://forum.sympl.host/t/error-message-in-apache-error-log/113/4?u=kelduum
```
[Tue Apr 21 19:07:29.793000 2020] [ssl:error] [pid 585] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: CN=raspberrypi.localdomain / issuer: CN=raspberrypi.localdomain / serial: 5E9F307C / notbefore: Apr 21 17:42:20 2020 GMT / notafter: Apr 21 17:42:20 2021 GMT]
[Tue Apr 21 19:07:29.793961 2020] [ssl:error] [pid 585] AH02604: Unable to configure certificate raspberrypi.localdomain:443:0 for stapling
```
It looks like `sympl-web/lib/symbiosis/config_files/apache.rb` has the relevant code, and probably needs a tweak to move the decision to use SSL stapling there if it's a self-signed cert, and out of the templates.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/292
sympl-web: Separate packages needed for i386, amd64 and armhf
2020-04-22T11:56:50Z
Paul Cammish
At the moment, the `sympl-web` package is marked as 'all' architectures, but contains some compiled Go in the form of sympl-web-logger, which isn't portable to armhf, and logs continual errors to /var/log/apache2/error.log as it can't start it.
This should be a reasonably simple fix to cross-compile it and package it appropriately.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/290
sympl-core: sympl-filesystem-security removes +x flag from /etc/sympl/firewall/local.d/*
2020-04-27T17:06:12Z
Paul Cammish
The directory contains scripts run at the end of sympl-firewall, which need to be executable, but `sympl-filesystem-security` currently removes that flag.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/281
sympl-mail: filesystem loop in /srv causes errors with sympl-mail-dovecot-sni
2020-04-20T10:41:32Z
Paul Cammish
Obviously it should do this, and it looks like the search for certificates is looking far too wide, searching all of /srv rather than just /srv/*/config/ssl/current/
Paul Cammish
2020-04-20

https://gitlab.com/sympl.io/sympl/-/issues/280
sympl-core: sympl-filesystem-security breaks access to config/stats-htaccess
2020-04-20T10:41:34Z
Paul Cammish
Reported by a user, the `config/stats-htaccess` file has its permissions reset by `sympl-filesystem-security` to a configuration which prevents access by www-data, and therefore Apache denied all access to example.com/stats
Paul Cammish
2020-04-20

https://gitlab.com/sympl.io/sympl/-/issues/279
sympl-monit: Security warning emails on hostname resolution failure
2020-04-20T10:41:34Z
Paul Cammish
If for some reason DNS fails for the system hostname, the systemd service at `/usr/lib/systemd/system/sympl-monit.service` will throw security warnings at the root user via email as sudo is not happy.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/278
sympl-ssl: Reimplementation
2021-02-12T18:08:30Z
Paul Cammish
Complete reimplementation of sympl-ssl in Python, maintaining all the existing functionality and resolving long-standing issues.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/276
sympl-webmail: Roundcube fails to import contacts
2020-01-28T13:26:56Z
Paul Cammish
See https://forum.sympl.host/t/roundcube-fails-importing-contact-list/92?u=kelduum for details.
In short, uploads work fine for attachments but fail for contacts uploads, and likely other cases.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/275
"doveconf: Warning: please set ssl_dh"
2020-01-28T00:25:23Z
Paul Cammish
I'm getting an hourly email from /etc/cron.hourly/sympl-mail-dovecot-sni saying:
> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
> doveconf: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
It looks like from https://wiki2.dovecot.org/Upgrading/2.3#dhparams you can do just that in order to fix the issue, but not sure if there's something else that should be done instead/as well. I'm running the buster version of Sympl.
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/241
stretch-testing -> stretch
2019-06-25T08:36:27Z
Paul Cammish
# Testing to Stable
## Setup
* [x] Add example.com to /etc/hosts.
* [x] Start with a clean machine running the relevant version of Debian.
## Install
* [x] Run Install script as per https://wiki.sympl.host/Installation_Instructions without dpkg prompts.
* [x] User is pointed to https://wiki.sympl.host for docs, and https://forum.sympl.host for issues.
* [x] User has to set a new password for `sympl`, and is suggested to use an SSH key.
* [x] User can log in as the `sympl` user.
## Core
* [x] Banner happens on login and provides correct version/system stats.
* [x] Typical utilities such as vim, htop, etc are installed and work normally.
## Web
* [x] `mkdir -p /srv/example.com/public/htdocs`, make sure you are served a 'theres nothing here yet' page.
* [x] `echo 'Testing example.com' > /srv/example.com/public/htdocs/index.html`, check the page loads with the new content.
* [x] `echo '<?php phpinfo() ?>' > /srv/example.com/public/htdocs/index.php`, check the page loads with phpinfo.
* [x] `sudo sympl-web-configure --verbose`, check /srv/example.com/ contains public/logs, php_tmp, php_sessions.
* [x] Browse to http://example.com again, check logs are being written to `public/logs/access.log`.
* [x] Browse to https://example.com again (expect browser warning), check logs are being written to `public/logs/ssl_access.log`.
* [x] `sudo sympl-web-rotate-logs`, check logs have rotated.
* [x] `sudo sympl-web-generate-stats --verbose`, check stats have NOT been created.
* [x] `mkdir -p /srv/example.com/config ; echo selfsigned > /srv/example.com/config/ssl-provider ; sudo sympl-ssl --verbose`, check cert is generated.
* [x] `sudo sympl-web-configure --verbose`, check site now loads with self-signed certificate.
## FTP
* [x] Confirm you cannot login anonymously via FTP.
* [x] `echo some-password > /srv/example.com/config/ftp-password`, check you can log in with user `example.com` password `some-password` via FTP and are placed in public.
* [x] Confirm you can upload/download/delete files via FTP.
* [x] `echo someuser:someotherpass:htdocs:0M > /srv/example.com/config/ftp-users`, check you can log in with user `someuser@example.com` password `someotherpass` via FTP and are placed in htdocs.
* [x] Confirm you can download but not upload files via FTP.
* [x] `sudo sympl-password-test --verbose`, confirm password warning.
## Mail & WebMail
* [x] `mkdir -p /srv/example.com/mailboxes/user ; echo some-password > /srv/example.com/mailboxes/user/password ; sudo sympl-password-test --verbose`, confirm password warning.
* [x] Browse to https://example.com/webmail, log in with `user` and `password`
* [x] `echo new-password > /srv/example.com/mailboxes/user/password`, log out of webmail.
* [x] Confirm you cannot log in with old password.
* [x] Confirm you can log in with new password.
* [x] `sudo sympl-mail-encrypt-passwords --verbose`
* [x] Log out and back in again.
* [x] Send mail to a gmail address, confirm bounce/delivery.
* [x] `openssl genrsa -out /srv/example.com/config/dkim.key 2048 ; chmod 640 /srv/example.com/config/dkim.key ; chown admin:Debian-exim /srv/example.com/config/dkim.key ; touch /srv/example.com/config/dkim`
* [x] Send email again, check for DKIM record in bounce/delivery.
## Network
* [x] `ip a ; sympl-ip`, confirm IPs match.
* [x] `echo 10.111.234.56 > /srv/example.com/config/ip ; sudo sympl-configure-ips --verbose`, confirm new IP picked up.
* [x] `ip a ; sympl-ip`, confirm '10.111.234.56' now listed on both results.
* [x] `sudo iptables -L -n | grep -c ':1234'`, confirm result is 0.
* [x] `touch /etc/sympl/firewall/incoming.d/99-1234 ; sudo sympl-firewall`
* [x] `sudo iptables -L -n | grep -c ':1234'`, confirm result is 2.
* [x] `touch '/etc/sympl/firewall/blacklist.d/10.9.8.7|31' ; sudo sympl-firewall`
* [x] `sudo iptables -L -n | grep -c '10.9.8.6'`, confirm result is 1.
## MySQL / MariaDB & phpMyAdmin
* [x] `mysql -e 'show databases'`, confirm databases are listed.
* [x] Browse to http://example.com/phpmyadmin, confirm redirected to HTTPS.
* [x] `cat ~/mysql_password`, log in with user `sympl` and password.
* [x] Confirm no errors/warnings, database can be created.
## Monit
* [x] `sudo service apache2 stop ; sudo service apache2 status ; sudo sympl-monit ; sudo service apache2 status ;`, confirm apache is started again.
Paul Cammish