diff --git a/lib/configfiles/jessie.xml b/lib/configfiles/jessie.xml index 0d70716c..b2aac784 100644 --- a/lib/configfiles/jessie.xml +++ b/lib/configfiles/jessie.xml @@ -217,7 +217,7 @@ http { ## # Uncomment it if you installed nginx-passenger ## - + #passenger_root /usr; #passenger_ruby /usr/bin/ruby; @@ -233,17 +233,17 @@ http { #mail { # # See sample authentication script at: # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript -# +# # # auth_http localhost/auth.php; # # pop3_capabilities "TOP" "USER"; # # imap_capabilities "IMAP4rev1" "UIDPLUS"; -# +# # server { # listen localhost:110; # protocol pop3; # proxy on; # } -# +# # server { # listen localhost:143; # protocol imap; @@ -1116,7 +1116,7 @@ data_directory = /var/lib/postfix #default_privs = nobody # INTERNET HOST AND DOMAIN NAMES -# +# # The myhostname parameter specifies the internet hostname of this # mail system. The default is to use the fully-qualified domain name # from gethostname(). $myhostname is used as a default value for many @@ -1133,7 +1133,7 @@ myhostname = mail.$mydomain mydomain = # SENDING MAIL -# +# # The myorigin parameter specifies the domain that locally-posted # mail appears to come from. The default is to append $myhostname, # which is fine for small sites. If you run a domain with multiple @@ -1235,7 +1235,7 @@ mydomain = # # - You define $mydestination domain recipients in files other than # /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. -# For example, you define $mydestination domain recipients in +# For example, you define $mydestination domain recipients in # the $virtual_mailbox_maps files. # # - You redefine the local delivery agent in master.cf. 
@@ -1255,7 +1255,7 @@ mydomain = # The right-hand side of the lookup tables is conveniently ignored. # In the left-hand side, specify a bare username, an @domain.tld # wild-card, or specify a user@domain.tld address. -# +# #local_recipient_maps = unix:passwd.byname $alias_maps #local_recipient_maps = proxy:unix:passwd.byname $alias_maps #local_recipient_maps = @@ -1287,16 +1287,16 @@ unknown_local_recipient_reject_code = 550 # clients in the same IP subnetworks as the local machine. # On Linux, this does works correctly only with interfaces specified # with the "ifconfig" command. -# +# # Specify "mynetworks_style = class" when Postfix should "trust" SMTP # clients in the same IP class A/B/C networks as the local machine. # Don't do this with a dialup site - it would cause Postfix to "trust" # your entire provider's network. Instead, specify an explicit # mynetworks list by hand, as described below. -# +# # Specify "mynetworks_style = host" when Postfix should "trust" # only the local machine. -# +# #mynetworks_style = class #mynetworks_style = subnet #mynetworks_style = host @@ -1326,7 +1326,7 @@ mynetworks = 127.0.0.0/8 # - from "untrusted" clients to destinations that match $relay_domains or # subdomains thereof, except addresses with sender-specified routing. # The default relay_domains value is $mydestination. -# +# # In addition to the above, the Postfix SMTP server by default accepts mail # that Postfix is final destination for: # - destinations that match $inet_interfaces or $proxy_interfaces, @@ -1334,7 +1334,7 @@ mynetworks = 127.0.0.0/8 # - destinations that match $virtual_alias_domains, # - destinations that match $virtual_mailbox_domains. # These destinations do not need to be listed in $relay_domains. -# +# # Specify a list of hosts or domains, /file/name patterns or type:name # lookup tables, separated by commas and/or whitespace. Continue # long lines by starting the next line with whitespace. A file name 
@@ -1379,7 +1379,7 @@ mynetworks = 127.0.0.0/8 # The right-hand side of the lookup tables is conveniently ignored. # In the left-hand side, specify an @domain.tld wild-card, or specify # a user@domain.tld address. -# +# #relay_recipient_maps = hash:/etc/postfix/relay_recipients # INPUT RATE CONTROL @@ -1388,15 +1388,15 @@ mynetworks = 127.0.0.0/8 # flow control. This feature is turned on by default, although it # still needs further development (it's disabled on SCO UNIX due # to an SCO bug). -# +# # A Postfix process will pause for $in_flow_delay seconds before # accepting a new message, when the message arrival rate exceeds the # message delivery rate. With the default 100 SMTP server process # limit, this limits the mail inflow to 100 messages a second more # than the number of messages delivered per second. -# +# # Specify 0 to disable the feature. Valid delays are 0..10. -# +# #in_flow_delay = 1s # ADDRESS REWRITING @@ -1426,7 +1426,7 @@ mynetworks = 127.0.0.0/8 # On systems with NIS, the default is to search the local alias # database, then the NIS alias database. See aliases(5) for syntax # details. -# +# # If you change the alias database, run "postalias /etc/aliases" (or # wherever your system stores the mail alias file), or simply run # "newaliases" to build the necessary DBM or DB file. @@ -1469,7 +1469,7 @@ mynetworks = 127.0.0.0/8 # #home_mailbox = Mailbox #home_mailbox = Maildir/ - + # The mail_spool_directory parameter specifies the directory where # UNIX-style mailboxes are kept. The default setting depends on the # system type. 
@@ -1511,7 +1511,7 @@ mynetworks = 127.0.0.0/8 # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for +# the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # # Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" @@ -1533,7 +1533,7 @@ mynetworks = 127.0.0.0/8 # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for +# the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # #fallback_transport = lmtp:unix:/file/name @@ -1556,15 +1556,15 @@ mynetworks = 127.0.0.0/8 # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must specify "local_recipient_maps =" (i.e. empty) in -# the main.cf file, otherwise the SMTP server will reject mail for +# the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # #luser_relay = $user@other.host #luser_relay = $local@other.host #luser_relay = admin+$local - + # JUNK MAIL CONTROLS -# +# # The controls listed here are only a very small subset. The file # SMTPD_ACCESS_README provides an overview. 
@@ -1586,11 +1586,11 @@ mynetworks = 127.0.0.0/8 # deferred mail, so that mail can be flushed quickly with the SMTP # "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". # See the ETRN_README document for a detailed description. -# +# # The fast_flush_domains parameter controls what destinations are # eligible for this service. By default, they are all domains that # this server is willing to relay mail to. -# +# #fast_flush_domains = $relay_domains # SHOW SOFTWARE VERSION OR NOT @@ -1616,7 +1616,7 @@ smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) # too many are run at the same time. With SMTP deliveries, 10 # simultaneous connections to the same domain could be sufficient to # raise eyebrows. -# +# # Each message delivery transport has its XXX_destination_concurrency_limit # parameter. The default is $default_destination_concurrency_limit for # most delivery transports. For the local delivery agent the default is 2. @@ -1674,10 +1674,10 @@ debugger_command = # INSTALL-TIME CONFIGURATION INFORMATION # # The following parameters are used when installing a new Postfix version. -# +# # sendmail_path: The full pathname of the Postfix sendmail command. # This is the Sendmail-compatible mail posting interface. -# +# sendmail_path = /usr/sbin/sendmail # newaliases_path: The full pathname of the Postfix newaliases command. @@ -1687,7 +1687,7 @@ newaliases_path = /usr/bin/newaliases # mailq_path: The full pathname of the Postfix mailq command. This # is the Sendmail-compatible mail queue listing command. -# +# mailq_path = /usr/bin/mailq # setgid_group: The group for mail submission and queue management 
@@ -1724,9 +1724,9 @@ smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, - permit_sasl_authenticated, - reject_unknown_helo_hostname, - reject_unknown_recipient_domain, + permit_sasl_authenticated, + reject_unknown_helo_hostname, + reject_unknown_recipient_domain, reject_unknown_sender_domain smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, @@ -1734,7 +1734,7 @@ smtpd_client_restrictions = permit_mynetworks, # Postfix 2.10 requires this option. Postfix < 2.10 ignores this. # The option is intentionally left empty. -smtpd_relay_restrictions = +smtpd_relay_restrictions = # Maximum size of Message in bytes (50MB) message_size_limit = 52428800 @@ -1954,7 +1954,7 @@ dovecot unix - n n - - pipe # Enable installed protocols !include_try /usr/share/dovecot/protocols.d/*.protocol -# A comma separated list of IPs or hosts where to listen in for connections. +# A comma separated list of IPs or hosts where to listen in for connections. # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces. # If you want to specify non-default ports or anything more complex, # edit conf.d/master.conf. @@ -1979,7 +1979,7 @@ dovecot unix - n n - - pipe #login_trusted_networks = # Space separated list of login access check sockets (e.g. tcpwrap) -#login_access_sockets = +#login_access_sockets = # With proxy_maybe=yes if proxy destination matches any of these IPs, don't do # proxying. This isn't necessary normally, but may be useful if the destination @@ -2068,7 +2068,7 @@ dict { # ); # Database driver: mysql, pgsql, sqlite -driver = mysql +driver = mysql # Database connection string. This is driver-specific setting. # 
@@ -2095,7 +2095,7 @@ driver = mysql # option_file - Read options from the given file instead of # the default my.cnf location # option_group - Read options from the given group (default: client) -# +# # You can connect to UNIX sockets by using host: host=/var/run/mysql.sock # Note that currently you can't use spaces in parameters. # @@ -2134,7 +2134,7 @@ default_pass_scheme = CRYPT # %u = entire user@domain # %n = user part of user@domain # %d = domain part of user@domain -# +# # Note that these can be used only as input to SQL query. If the query outputs # any of these substitutions, they're not touched. Otherwise it would be # difficult to have eg. usernames containing '%' characters. @@ -2218,7 +2218,7 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed # Default realm/domain to use if none was specified. This is used for both # SASL realms and appending @domain to username in plaintext logins. -#auth_default_realm = +#auth_default_realm = # List of allowed characters in username. If the user-given username contains # a character not listed in here, the login automatically fails. This is just @@ -2261,7 +2261,7 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed # Kerberos keytab to use for the GSSAPI mechanism. Will use the system # default (usually /etc/krb5.keytab) if not specified. You may need to change # the auth service to run as root to be able to read this file. -#auth_krb5_keytab = +#auth_krb5_keytab = # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and # ntlm_auth helper. 
@@ -2276,9 +2276,9 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed # Require a valid SSL client certificate or the authentication fails. #auth_ssl_require_client_cert = no -# Take the username from client's SSL certificate, using +# Take the username from client's SSL certificate, using # X509_NAME_get_text_by_NID() which returns the subject's DN's -# CommonName. +# CommonName. #auth_ssl_username_from_cert = no # Space separated list of wanted authentication mechanisms: @@ -2368,11 +2368,11 @@ namespace inbox { # Hierarchy separator to use. You should use the same separator for all # namespaces or some clients get confused. '/' is usually a good one. # The default however depends on the underlying mail storage format. - #separator = + #separator = # Prefix required to access this namespace. This needs to be different for # all namespaces. For example "Public/". - #prefix = + #prefix = # Physical location of the mailbox. This is in same format as # mail_location, which is also the default for it. @@ -2501,7 +2501,7 @@ mail_access_groups = vmail # WARNING: Never add directories here which local users can modify, that # may lead to root exploit. Usually this should be done only if you don't # allow shell access for users. -#valid_chroot_dirs = +#valid_chroot_dirs = # Default chroot directory for mail processes. This can be overridden for # specific users in user database by giving /./ in user's home directory @@ -2509,7 +2509,7 @@ mail_access_groups = vmail # need to do chrooting, Dovecot doesn't allow users to access files outside # their mail directory anyway. If your home directories are prefixed with # the chroot directory, append "/." to mail_chroot. -#mail_chroot = +#mail_chroot = # UNIX socket path to master authentication server to find users. # This is used by imap (for shared users) and lda. 
@@ -2520,7 +2520,7 @@ mail_access_groups = vmail # Space separated list of plugins to load for all services. Plugins specific to # IMAP, LDA, etc. are added to this list in their own .conf files. -#mail_plugins = +#mail_plugins = ## ## Mailbox handling optimizations @@ -2626,7 +2626,7 @@ mail_access_groups = vmail # fallbacks to re-reading the whole mbox file whenever something in mbox isn't # how it's expected to be. The only real downside to this setting is that if # some other MUA changes message flags, Dovecot doesn't notice it immediately. -# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK +# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK # commands. #mbox_dirty_syncs = yes @@ -2753,7 +2753,7 @@ service lmtp { #inet_listener lmtp { # Avoid making LMTP visible for the entire internet #address = - #port = + #port = #} } @@ -2787,8 +2787,8 @@ service auth { # permissions (e.g. 0777 allows everyone full permissions). unix_listener auth-userdb { #mode = 0666 - #user = - #group = + #user = + #group = } # Postfix smtp-auth @@ -2821,8 +2821,8 @@ service dict { # For example: mode=0660, group=vmail and global mail_access_groups=vmail unix_listener dict { #mode = 0600 - #user = - #group = + #user = + #group = } } ]]> @@ -2841,7 +2841,7 @@ postmaster_address = postmaster@ # Hostname to use in various parts of sent mails (e.g. in Message-Id) and # in LMTP replies. Default is the system's real hostname@domain. -#hostname = +#hostname = # If user is over quota, return with temporary failure instead of # bouncing the mail. @@ -2865,7 +2865,7 @@ postmaster_address = postmaster@ #recipient_delimiter = + # Header where the original recipient address (SMTP's RCPT TO: address) is taken -# from if not available elsewhere. With dovecot-lda -a parameter overrides this. +# from if not available elsewhere. With dovecot-lda -a parameter overrides this. # A commonly used header for this is X-Original-To. #lda_original_recipient_header = 
@@ -2901,7 +2901,7 @@ protocol lda { # Override the IMAP CAPABILITY response. If the value begins with '+', # add the given capabilities on top of the defaults (e.g. +XFOO XBAR). -#imap_capability = +#imap_capability = # How long to wait between "OK Still here" notifications when client is # IDLEing. @@ -2910,7 +2910,7 @@ protocol lda { # ID field names and values to send to clients. Using * as the value makes # Dovecot use the default value. The following fields have default values # currently: name, version, os, os-version, support-url, support-email. -#imap_id_send = +#imap_id_send = # ID fields sent by client to log. * means everything. #imap_id_log = @@ -2933,7 +2933,7 @@ protocol lda { # greyed out, instead of only later giving "not selectable" popup error. # # The list is space-separated. -#imap_client_workarounds = +#imap_client_workarounds = # Host allowed in URLAUTH URLs sent by client. "*" allows all. #imap_urlauth_host = @@ -3122,7 +3122,7 @@ protocol sieve { # Outlook Express and Netscape Mail breaks if end of headers-line is # missing. This option simply sends it if it's missing. # The list is space-separated. -#pop3_client_workarounds = +#pop3_client_workarounds = protocol pop3 { # Space separated list of plugins to load (default is global mail_plugins). @@ -3276,6 +3276,11 @@ plugin { + + "]]> + "]]> + + DelayEngine on @@ -3416,7 +3421,7 @@ Include /etc/proftpd/sql.conf # # This is used for FTPS connections # -#Include /etc/proftpd/tls.conf +Include /etc/proftpd/tls.conf # # Useful to keep VirtualHost/VirtualRoot directives separated 
@@ -3433,24 +3438,24 @@ Include /etc/proftpd/sql.conf # # Cosmetic changes, all files belongs to ftp user # DirFakeUser on ftp # DirFakeGroup on ftp -# +# # RequireValidShell off -# +# # # Limit the maximum number of anonymous logins # MaxClients 10 -# +# # # We want 'welcome.msg' displayed at login, and '.message' displayed # # in each newly chdired directory. # DisplayLogin welcome.msg # DisplayChdir .message -# +# # # Limit WRITE everywhere in the anonymous chroot # # # DenyAll # # -# +# # # Uncomment this if you're brave. # # # # # Umask 022 is a good standard umask to prevent new files and dirs @@ -3463,7 +3468,7 @@ Include /etc/proftpd/sql.conf # # AllowAll # # # # -# +# # # Include other custom configuration files @@ -3501,7 +3506,7 @@ LoadModule mod_sql.c #LoadModule mod_ldap.c # -# 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives +# 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives # are required to have SQL authorization working. You can also comment out the # unused module here, in alternative. # @@ -3510,7 +3515,7 @@ LoadModule mod_sql.c # mod_sql.c module to use this. LoadModule mod_sql_mysql.c -# Install proftpd-mod-pgsql and decomment the previous +# Install proftpd-mod-pgsql and decomment the previous # mod_sql.c module to use this. #LoadModule mod_sql_postgres.c @@ -3522,7 +3527,7 @@ LoadModule mod_sql_mysql.c # mod_sql.c module to use this #LoadModule mod_sql_odbc.c -# Install one of the previous SQL backends and decomment +# Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_sql_passwd.c 
@@ -3533,7 +3538,7 @@ LoadModule mod_quotatab_file.c # Install proftpd-mod-ldap to use this #LoadModule mod_quotatab_ldap.c -# Install one of the previous SQL backends and decomment +# Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this LoadModule mod_quotatab_sql.c LoadModule mod_quotatab_radius.c @@ -3543,7 +3548,7 @@ LoadModule mod_load.c LoadModule mod_ban.c LoadModule mod_wrap2.c LoadModule mod_wrap2_file.c -# Install one of the previous SQL backends and decomment +# Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_wrap2_sql.c LoadModule mod_dynmasq.c @@ -3554,7 +3559,7 @@ LoadModule mod_site_misc.c LoadModule mod_sftp.c LoadModule mod_sftp_pam.c -# Install one of the previous SQL backends and decomment +# Install one of the previous SQL backends and decomment # the previous mod_sql.c module to use this #LoadModule mod_sftp_sql.c @@ -3590,7 +3595,7 @@ AuthOrder mod_sql.c # # Choose a SQL backend among MySQL or PostgreSQL. -# Both modules are loaded in default configuration, so you have to specify the backend +# Both modules are loaded in default configuration, so you have to specify the backend # or comment out the unused module in /etc/proftpd/modules.conf. # Use 'mysql' or 'postgres' as possible values. # @@ -3599,13 +3604,13 @@ SQLBackend mysql SQLEngine on SQLAuthenticate on # -# Use both a crypted or plaintext password +# Use both a crypted or plaintext password SQLAuthTypes Crypt SQLAuthenticate users* groups* # -# Connection +# Connection SQLConnectInfo @ # # Describes both users/groups tables 
@@ -3635,6 +3640,33 @@ SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_ SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies + +]]> + + + + +TLSEngine on +TLSLog /var/log/proftpd/tls.log +TLSProtocol TLSv1 TLSv1.1 TLSv1.2 +TLSRSACertificateFile /etc/ssl/certs/proftpd.crt +TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key +TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt +TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key +TLSOptions NoCertRequest NoSessionReuseRequired +TLSVerifyClient off + +# Are clients required to use FTP over TLS when talking to this server? +#TLSRequired on + +# Allow SSL/TLS renegotiations when the client requests them, but +# do not force the renegotations. Some clients do not support +# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these +# clients will close the data connection, or there will be a timeout +# on an idle data connection. +# +#TLSRenegotiate required off ]]> @@ -3777,7 +3809,7 @@ MYSQLGetGID SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled= MYSQLGetDir SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y" -# Optional : query to get the maximal number of files +# Optional : query to get the maximal number of files # Pure-FTPd must have been compiled with virtual quotas support. # MySQLGetQTAFS SELECT QuotaFiles FROM users WHERE User='\L' @@ -3971,7 +4003,7 @@ password - @@ -4074,7 +4106,7 @@ aliases: files - diff --git a/lib/configfiles/precise.xml b/lib/configfiles/precise.xml index a8d15084..f99805c5 100644 --- a/lib/configfiles/precise.xml 
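Review bot: The new tls.conf block still enables TLSv1 and TLSv1.1 (`TLSProtocol TLSv1 TLSv1.1 TLSv1.2`), both deprecated protocol versions, and leaves `#TLSRequired on` commented out, so a client that never issues AUTH TLS still logs in with its password on a plaintext control connection; the same block is added for precise.xml, trusty.xml and wheezy.xml in the following hunks. I would ship `TLSProtocol TLSv1.2` and `TLSRequired on` (adding TLSv1.3 only if the packaged mod_tls for that release supports it), and set an explicit `TLSCipherSuite` rather than relying on the module default. `NoSessionReuseRequired` in `TLSOptions` is a client-compatibility trade-off that presumably drops the check tying data connections to the control session's TLS session, so a one-line comment stating why it is needed would help the next maintainer decide whether to keep it. The XML wrapper tags around the CDATA appear to have been stripped in this rendering, so the exact surrounding element cannot be checked here.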
+++ b/lib/configfiles/precise.xml @@ -1098,6 +1098,11 @@ MYSQL_AUXOPTIONS_FIELD CONCAT("allowimap=",imap,",allowpop3=",pop3) + + "]]> + "]]> + + @@ -1337,6 +1342,33 @@ SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_ SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies + +]]> + + + + +TLSEngine on +TLSLog /var/log/proftpd/tls.log +TLSProtocol TLSv1 TLSv1.1 TLSv1.2 +TLSRSACertificateFile /etc/ssl/certs/proftpd.crt +TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key +TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt +TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key +TLSOptions NoCertRequest NoSessionReuseRequired +TLSVerifyClient off + +# Are clients required to use FTP over TLS when talking to this server? +#TLSRequired on + +# Allow SSL/TLS renegotiations when the client requests them, but +# do not force the renegotations. Some clients do not support +# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these +# clients will close the data connection, or there will be a timeout +# on an idle data connection. +# +#TLSRenegotiate required off ]]> diff --git a/lib/configfiles/trusty.xml b/lib/configfiles/trusty.xml index ecee60fd..f610fdec 100644 --- a/lib/configfiles/trusty.xml +++ b/lib/configfiles/trusty.xml @@ -1101,6 +1101,11 @@ MYSQL_AUXOPTIONS_FIELD CONCAT("allowimap=",imap,",allowpop3=",pop3) + + "]]> + "]]> + + 
@@ -1340,6 +1345,33 @@ SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_ SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies + +]]> + + + + +TLSEngine on +TLSLog /var/log/proftpd/tls.log +TLSProtocol TLSv1 TLSv1.1 TLSv1.2 +TLSRSACertificateFile /etc/ssl/certs/proftpd.crt +TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key +TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt +TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key +TLSOptions NoCertRequest NoSessionReuseRequired +TLSVerifyClient off + +# Are clients required to use FTP over TLS when talking to this server? +#TLSRequired on + +# Allow SSL/TLS renegotiations when the client requests them, but +# do not force the renegotations. Some clients do not support +# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these +# clients will close the data connection, or there will be a timeout +# on an idle data connection. +# +#TLSRenegotiate required off ]]> diff --git a/lib/configfiles/wheezy.xml b/lib/configfiles/wheezy.xml index 54fb579d..440c6ab1 100644 --- a/lib/configfiles/wheezy.xml +++ b/lib/configfiles/wheezy.xml 
@@ -4381,6 +4381,11 @@ MYSQL_AUXOPTIONS_FIELD CONCAT("allowimap=",imap,",allowpop3=",pop3) + + "]]> + "]]> + + +]]> + + + + +TLSEngine on +TLSLog /var/log/proftpd/tls.log +TLSProtocol TLSv1 TLSv1.1 TLSv1.2 +TLSRSACertificateFile /etc/ssl/certs/proftpd.crt +TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key +TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt +TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key +TLSOptions NoCertRequest NoSessionReuseRequired +TLSVerifyClient off + +# Are clients required to use FTP over TLS when talking to this server? +#TLSRequired on + +# Allow SSL/TLS renegotiations when the client requests them, but +# do not force the renegotations. Some clients do not support +# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these +# clients will close the data connection, or there will be a timeout +# on an idle data connection. +# +#TLSRenegotiate required off ]]>