From f4205518886a64646d587740f5013d07fce552fc Mon Sep 17 00:00:00 2001 From: Michael Kaufmann Date: Sun, 14 Jan 2024 09:40:33 +0100 Subject: [PATCH] added configuration adjustment for prodtpd if renew-hook for lets encrypt is used; updater-compatibility if gui_access field is not present yet (froxlor <2.2); removed depercated gentoo config templates Signed-off-by: Michael Kaufmann --- index.php | 20 +- lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php | 19 +- lib/Froxlor/Install/Install/Core.php | 23 +- lib/configfiles/bookworm.xml | 1 + lib/configfiles/bullseye.xml | 1 + lib/configfiles/focal.xml | 1 + lib/configfiles/gentoo.xml | 2890 ------------------ lib/configfiles/jammy.xml | 1 + 8 files changed, 43 insertions(+), 2913 deletions(-) delete mode 100644 lib/configfiles/gentoo.xml diff --git a/index.php b/index.php index d3e9b76d..ee63cbde 100644 --- a/index.php +++ b/index.php @@ -165,12 +165,16 @@ if ($action == '2fa_entercode') { $loginname = Validate::validate($_POST['loginname'], 'loginname'); $password = Validate::validate($_POST['password'], 'password'); + $select_additional = ''; + if (Settings::Get('panel.db_version') >= 202312230) { + $select_additional = ' AND `gui_access` = 1'; + } $stmt = Database::prepare(" SELECT `loginname` AS `customer` FROM `" . TABLE_PANEL_CUSTOMERS . "` - WHERE `loginname`= :loginname - AND `gui_access` = 1 - "); + WHERE `loginname`= :loginname" . + $select_additional + ); Database::pexecute($stmt, [ "loginname" => $loginname ]); @@ -243,12 +247,16 @@ if ($action == '2fa_entercode') { exit(); } } else { + $select_additional = ''; + if (Settings::Get('panel.db_version') >= 202312230) { + $select_additional = ' AND `gui_access` = 1'; + } $stmt = Database::prepare(" SELECT `loginname` AS `admin` FROM `" . TABLE_PANEL_ADMINS . "` - WHERE `loginname`= :loginname - AND `gui_access` = 1 - "); + WHERE `loginname`= :loginname" . + $select_additional + ); Database::pexecute($stmt, [ "loginname" => $loginname ]); 
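Review bot: Both hunks in this file repeat the same version gate verbatim, `$select_additional = ''; if (Settings::Get('panel.db_version') >= 202312230) { $select_additional = ' AND `gui_access` = 1'; }`, once before the customer lookup and once before the admin lookup; a small private helper returning that fragment would keep the two in step the next time the schema check changes. The gate also deserves a comment saying why it exists, e.g. `// gui_access only exists from db version 202312230 on (froxlor 2.2); older schemas must not filter on it`, because a later reader can easily mistake a conditional WHERE clause on the login path for a weakened access check. Worth confirming that `Settings::Get()` yields a numeric string here: the `>=` comparison is fine for digit strings, but a null or empty value evaluates false and silently drops the `gui_access` filter instead of failing loudly. The appended fragment is a constant, so the concatenated query takes no user-controlled input. The enclosing `if ($action == ...)`/`else` structure starts and ends outside both hunks.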
diff --git a/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php b/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php index e50746f4..fee2a25a 100644 --- a/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php +++ b/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php @@ -621,6 +621,7 @@ EOC; $certificate_folder = self::getCertificateFolder(strtolower(Settings::Get('system.hostname'))); $fullchain = FileDir::makeCorrectFile($certificate_folder . '/fullchain.cer'); $keyfile = FileDir::makeCorrectFile($certificate_folder . '/' . strtolower(Settings::Get('system.hostname')) . '.key'); + $ca_file = FileDir::makeCorrectFile($certificate_folder . '/ca.cer'); if (Settings::IsInList('system.le_renew_services', 'postfix')) { // "postconf -e" for postfix 
@@ -641,7 +642,23 @@ EOSSL;
 file_put_contents($dovecot_conf, $ssl_content);
 }
 if (Settings::IsInList('system.le_renew_services', 'proftpd')) {
- // @todo
+ $proftpd_conf = '/etc/proftpd/tls.conf'; // @fixme setting?
+ if (strpos($certificate_folder, '_ecc') === false) {
+ // comment out RSA related settings
+ FileDir::safe_exec("sed -i.bak 's|^TLSRSACertificateFile|# TLSRSACertificateFile|' " . escapeshellarg($proftpd_conf));
+ FileDir::safe_exec("sed -i.bak 's|^TLSRSACertificateKeyFile|# TLSRSACertificateKeyFile|' " . escapeshellarg($proftpd_conf));
+ // add ECC directives
+ FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSECCertificateFile.*|TLSECCertificateFile " . $fullchain . "|' " . escapeshellarg($proftpd_conf));
+ FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSECCertificateKeyFile.*|TLSECCertificateKeyFile " . $keyfile . "|' " . escapeshellarg($proftpd_conf));
+ } else {
+ // comment out ECC related settings
+ FileDir::safe_exec("sed -i.bak 's|^TLSECCertificateFile|# TLSECCertificateFile|' " . escapeshellarg($proftpd_conf));
+ FileDir::safe_exec("sed -i.bak 's|^TLSECCertificateKeyFile|# TLSECCertificateKeyFile|' " . escapeshellarg($proftpd_conf));
+ // add RSA directives
+ FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSRSACertificateFile.*|TLSRSACertificateFile " . $fullchain . "|' " . escapeshellarg($proftpd_conf));
+ FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSRSACertificateKeyFile.*|TLSRSACertificateKeyFile " . $keyfile . "|' " . escapeshellarg($proftpd_conf));
+ }
+ FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSCACertificateFile.*|TLSCACertificateFile " . $ca_file . "|' " . escapeshellarg($proftpd_conf));
 }
 // reload the services
 FileDir::safe_exec(Settings::Get('system.le_renew_hook'));
diff --git a/lib/Froxlor/Install/Install/Core.php b/lib/Froxlor/Install/Install/Core.php
index 39e6ddb6..0e6f994f 100644
--- a/lib/Froxlor/Install/Install/Core.php
+++ b/lib/Froxlor/Install/Install/Core.php
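Review bot: The certificate paths spliced into the sed scripts (`$fullchain`, `$keyfile`, `$ca_file` in the five `TLS...CertificateFile.*` substitutions) are concatenated unescaped inside the single-quoted `s|…|…|` expression, while only `$proftpd_conf` goes through `escapeshellarg()`; since `$certificate_folder` is derived from `system.hostname`, a value containing a quote or `|` terminates the quoted expression or changes the sed delimiter instead of being treated as a path. Building each expression as a string and passing the whole of it through `escapeshellarg()` via a small local helper keeps every command well-formed by construction. The branch selection also looks inverted: when the folder name lacks `_ecc` the code comments out the RSA directives and writes the certificate into `TLSECCertificateFile`, and the `else` branch does the reverse — if the `_ecc` suffix marks the ECC certificate store, as the comments suggest, the two bodies should be swapped; confirm against `getCertificateFolder()`, which is outside this hunk. Note too that the `TLSCACertificateFile` substitution only matches a line that already exists in tls.conf, so installations whose file predates the template line added in this commit silently get no CA directive. The enclosing function starts and ends outside the hunk.
```php
$proftpd_conf = '/etc/proftpd/tls.conf'; // @fixme setting?
// run one sed expression against the proftpd tls config; the whole expression is
// shell-quoted so a hostname-derived path cannot break out of it
$sedTls = static function (string $expr) use ($proftpd_conf): void {
    FileDir::safe_exec('sed -i.bak ' . escapeshellarg($expr) . ' ' . escapeshellarg($proftpd_conf));
};
if (strpos($certificate_folder, '_ecc') === false) {
    // comment out RSA related settings
    $sedTls('s|^TLSRSACertificateFile|# TLSRSACertificateFile|');
    $sedTls('s|^TLSRSACertificateKeyFile|# TLSRSACertificateKeyFile|');
    // add ECC directives
    $sedTls('s|^#\?\s\?TLSECCertificateFile.*|TLSECCertificateFile ' . $fullchain . '|');
    $sedTls('s|^#\?\s\?TLSECCertificateKeyFile.*|TLSECCertificateKeyFile ' . $keyfile . '|');
} else {
    // … unchanged: the mirrored ECC/RSA block, each call rewritten through $sedTls the same way …
}
$sedTls('s|^#\?\s\?TLSCACertificateFile.*|TLSCACertificateFile ' . $ca_file . '|');
```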
@@ -431,23 +431,14 @@ class Core // check currently used php version and set values of fpm/fcgid accordingly if (defined('PHP_MAJOR_VERSION') && defined('PHP_MINOR_VERSION')) { - // gentoo specific - if ($this->validatedData['distribution'] == 'gentoo') { - // php-fpm - $reload = "/etc/init.d/php-fpm restart"; - $config_dir = "/etc/php/fpm-php" . PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION . "/fpm.d/"; - // fcgid - $binary = "/usr/bin/php-cgi"; + // php-fpm + $reload = "service php" . PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION . "-fpm restart"; + $config_dir = "/etc/php/" . PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION . "/fpm/pool.d/"; + // fcgid + if ($this->validatedData['distribution'] == 'bookworm') { + $binary = "/usr/bin/php-cgi" . PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION; } else { - // php-fpm - $reload = "service php" . PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION . "-fpm restart"; - $config_dir = "/etc/php/" . PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION . "/fpm/pool.d/"; - // fcgid - if ($this->validatedData['distribution'] == 'bookworm') { - $binary = "/usr/bin/php-cgi" . PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION; - } else { - $binary = "/usr/bin/php" . PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION . "-cgi"; - } + $binary = "/usr/bin/php" . PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION . "-cgi"; } $db_user->query("UPDATE `" . TABLE_PANEL_FPMDAEMONS . "` SET `reload_cmd` = '" . $reload . "', `config_dir` = '" . $config_dir . "' WHERE `id` ='1';"); $db_user->query("UPDATE `" . TABLE_PANEL_PHPCONFIGS . "` SET `binary` = '" . $binary . "';"); diff --git a/lib/configfiles/bookworm.xml b/lib/configfiles/bookworm.xml index 2a6ab0ac..72e5ab62 100644 --- a/lib/configfiles/bookworm.xml +++ b/lib/configfiles/bookworm.xml 
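Review bot: The values written by the two `$db_user->query(...)` calls at the end of the hunk, `$reload`, `$config_dir` and `$binary`, are still interpolated into the UPDATE statements by string concatenation, and the commit keeps that pattern while flattening the branch above. They are assembled only from `PHP_MAJOR_VERSION`/`PHP_MINOR_VERSION` and fixed literals, so there is no injection exposure here, but a prepared statement with placeholders (`SET `reload_cmd` = ?, `config_dir` = ? WHERE `id` = '1'`) would make that property hold by construction rather than by inspection; whether `$db_user` exposes a `prepare()` method is not visible in this hunk. Separately, with the gentoo branch removed an installer run that still carries `distribution == 'gentoo'` in `validatedData` now silently receives the Debian/Ubuntu fpm paths; if the distribution value is validated elsewhere against the remaining config files that is fine, otherwise a guard or a one-line comment stating the assumption is warranted. The enclosing method begins before and continues after the hunk.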
@@ -3056,6 +3056,7 @@ TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key +# TLSCACertificateFile TLSOptions NoSessionReuseRequired TLSVerifyClient off diff --git a/lib/configfiles/bullseye.xml b/lib/configfiles/bullseye.xml index edda85d7..16cff610 100644 --- a/lib/configfiles/bullseye.xml +++ b/lib/configfiles/bullseye.xml @@ -4624,6 +4624,7 @@ TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key +# TLSCACertificateFile TLSOptions NoSessionReuseRequired TLSVerifyClient off diff --git a/lib/configfiles/focal.xml b/lib/configfiles/focal.xml index 89945256..bd736cd6 100644 --- a/lib/configfiles/focal.xml +++ b/lib/configfiles/focal.xml @@ -3843,6 +3843,7 @@ TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key +# TLSCACertificateFile TLSOptions NoSessionReuseRequired TLSVerifyClient off diff --git a/lib/configfiles/gentoo.xml b/lib/configfiles/gentoo.xml deleted file mode 100644 index 81d5f70c..00000000 --- a/lib/configfiles/gentoo.xml +++ /dev/null 
@@ -1,2890 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {{settings.system.apacheconf_vhost}} - - - - - {{settings.system.apacheconf_vhost}} - - - - - - - {{settings.system.apacheconf_diroptions}} - - - - - {{settings.system.apacheconf_diroptions}} - - - - - - - - - {{settings.system.deactivateddocroot}} - - - - - - - - - //service[@type='http']/general/commands - - {{settings.phpfpm.enabled}} - - - FastCgiIpcDir - - - Require all granted - Require env REDIRECT_STATUS - - -]]> - - - - {{settings.system.leenabled}} - - - Require all granted - -]]> - - - - - - - - - - " -server.port = 80 -server.bind = "" -url.access-deny = ("~", ".inc") - -include "mime-types.conf" -#include "mod_cgi.conf" - -fastcgi.server = ( -".php" => ( - "localhost" => ( - "socket" => "/tmp/lighttpd-fcgi-sock-lighttpd", - "broken-scriptfilename" => "enable", - "bin-path" => "/usr/bin/php-cgi", - "min-procs" => 1, - "max-procs" => 1, - "max-load-per-proc" => 4, - "idle-timeout" => 60, - "bin-environment" => ( - "UID" => "lighttpd", - "GID" => "lighttpd", - "PHP_FCGI_CHILDREN" => "0", - "PHP_FCGI_MAX_REQUESTS" => "10000" - ), - "bin-copy-environment" => ( "" ) - ) - ) -) - -alias.url += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/") - -]]> - - - //service[@type='http']/general/commands - - {{settings.system.apacheconf_vhost}} - - > /etc/lighttpd/lighttpd.conf]]> - - - {{settings.system.apacheconf_vhost}} - - > /etc/lighttpd/lighttpd.conf]]> - - - {{settings.system.apacheconf_diroptions}} - - > /etc/lighttpd/lighttpd.conf]]> - - - {{settings.system.apacheconf_diroptions}} - - > /etc/lighttpd/lighttpd.conf]]> - - - - - - - - - - - - - - - - - {{settings.system.leenabled}} - - - - - - {{settings.phpfpm.enabled}} - - {{settings.system.mod_fcgid}} - - - - - //service[@type='http']/general/commands - - {{settings.phpfpm.enabled}} - - {{settings.system.mod_fcgid}} - - - - - {{settings.phpfpm.enabled}} - - 
{{settings.system.mod_fcgid}} - - - - - - - - - - - - - - - IN MX 10 mail - -* IN A - IN MX 10 mail - -ns IN A - -mail IN A - IN MX 10 mail -]]> - - - > /etc/bind/named.conf]]> - - - - - - - - - - - -################################# -# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. -# -# allow-dnsupdate-from=127.0.0.0/8,::1 - -################################# -# also-notify When notifying a domain, also notify these nameservers -# -# also-notify= - -################################# -# any-to-tcp Answer ANY queries with tc=1, shunting to TCP -# -# any-to-tcp=no - -################################# -# cache-ttl Seconds to store packets in the PacketCache -# -# cache-ttl=20 - -################################# -# carbon-interval Number of seconds between carbon (graphite) updates -# -# carbon-interval=30 - -################################# -# carbon-ourname If set, overrides our reported hostname for carbon stats -# -# carbon-ourname= - -################################# -# carbon-server If set, send metrics in carbon (graphite) format to this server -# -# carbon-server= - -################################# -# chroot If set, chroot to this directory for more security -# -# chroot= - -################################# -# config-dir Location of configuration directory (pdns.conf) -# -config-dir=/etc/powerdns - -################################# -# config-name Name of this virtual configuration - will rename the binary image -# -# config-name= - -################################# -# control-console Debugging switch - don't use -# -# control-console=no - -################################# -# daemon Operate as a daemon -# -daemon=yes - -################################# -# default-ksk-algorithms Default KSK algorithms -# -# default-ksk-algorithms=rsasha256 - -################################# -# default-ksk-size Default KSK size (0 means default) -# -# default-ksk-size=0 - -################################# -# default-soa-mail mail 
address to insert in the SOA record if none set in the backend -# -# default-soa-mail= - -################################# -# default-soa-name name to insert in the SOA record if none set in the backend -# -# default-soa-name=a.misconfigured.powerdns.server - -################################# -# default-ttl Seconds a result is valid if not set otherwise -# -# default-ttl=3600 - -################################# -# default-zsk-algorithms Default ZSK algorithms -# -# default-zsk-algorithms=rsasha256 - -################################# -# default-zsk-size Default ZSK size (0 means default) -# -# default-zsk-size=0 - -################################# -# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis -# -# direct-dnskey=no - -################################# -# disable-axfr Disable zonetransfers but do allow TCP queries -# -# disable-axfr=no - -################################# -# disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing. 
-# -# disable-axfr-rectify=no - -################################# -# disable-tcp Do not listen to TCP queries -# -# disable-tcp=no - -################################# -# distributor-threads Default number of Distributor (backend) threads to start -# -# distributor-threads=3 - -################################# -# do-ipv6-additional-processing Do AAAA additional processing -# -# do-ipv6-additional-processing=yes - -################################# -# edns-subnet-processing If we should act on EDNS Subnet options -# -# edns-subnet-processing=no - -################################# -# entropy-source If set, read entropy from this file -# -# entropy-source=/dev/urandom - -################################# -# experimental-api-key REST API Static authentication key (required for API use) -# -# experimental-api-key= - -################################# -# experimental-api-readonly If the JSON API should disallow data modification -# -# experimental-api-readonly=no - -################################# -# experimental-dname-processing If we should support DNAME records -# -# experimental-dname-processing=no - -################################# -# experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no. -# -# experimental-dnsupdate=no - -################################# -# experimental-json-interface If the webserver should serve JSON data -# -# experimental-json-interface=no - -################################# -# experimental-logfile Filename of the log file for JSON parser -# -# experimental-logfile=/var/log/pdns.log - -################################# -# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master. 
-# -# forward-dnsupdate=yes - -################################# -# guardian Run within a guardian process -# -guardian=yes - -################################# -# include-dir Include *.conf files from this directory -# -# include-dir= - -################################# -# launch Which backends to launch and order to query them in -# -# launch= - -################################# -# load-modules Load this module - supply absolute or relative path -# -# load-modules= - -################################# -# local-address Local IP addresses to which we bind -# -local-address=,127.0.0.1 - -################################# -# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server -# -# local-address-nonexist-fail=yes - -################################# -# local-ipv6 Local IP address to which we bind -# -# local-ipv6= - -################################# -# local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server -# -# local-ipv6-nonexist-fail=yes - -################################# -# local-port The port on which we listen -# -local-port=53 - -################################# -# log-dns-details If PDNS should log DNS non-erroneous details -# -log-dns-details=yes - -################################# -# log-dns-queries If PDNS should log all incoming DNS queries -# -# log-dns-queries=no - -################################# -# logging-facility Log under a specific facility -# -# logging-facility= - -################################# -# loglevel Amount of logging. Higher is more. 
Do not set below 3 -# -# loglevel=4 - -################################# -# lua-prequery-script Lua script with prequery handler -# -# lua-prequery-script= - -################################# -# master Act as a master -# -master=yes - -################################# -# max-cache-entries Maximum number of cache entries -# -# max-cache-entries=1000000 - -################################# -# max-ent-entries Maximum number of empty non-terminals in a zone -# -# max-ent-entries=100000 - -################################# -# max-nsec3-iterations Limit the number of NSEC3 hash iterations -# -# max-nsec3-iterations=500 - -################################# -# max-queue-length Maximum queuelength before considering situation lost -# -# max-queue-length=5000 - -################################# -# max-signature-cache-entries Maximum number of signatures cache entries -# -# max-signature-cache-entries= - -################################# -# max-tcp-connections Maximum number of TCP connections -# -# max-tcp-connections=10 - -################################# -# module-dir Default directory for modules -# -module-dir=/usr/lib/powerdns/pdns/ - -################################# -# negquery-cache-ttl Seconds to store negative query results in the QueryCache -# -# negquery-cache-ttl=60 - -################################# -# no-shuffle Set this to prevent random shuffling of answers - for regression testing -# -# no-shuffle=off - -################################# -# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks -# -# only-notify=0.0.0.0/0,::/0 - -################################# -# out-of-zone-additional-processing Do out of zone additional processing -# -# out-of-zone-additional-processing=yes - -################################# -# overload-queue-length Maximum queuelength moving to packetcache only -# -# overload-queue-length=0 - -################################# -# pipebackend-abi-version Version of the pipe backend ABI -# -# 
pipebackend-abi-version=1 - -################################# -# prevent-self-notification Don't send notifications to what we think is ourself -# -# prevent-self-notification=yes - -################################# -# query-cache-ttl Seconds to store query results in the QueryCache -# -# query-cache-ttl=20 - -################################# -# query-local-address Source IP address for sending queries -# -# query-local-address=0.0.0.0 - -################################# -# query-local-address6 Source IPv6 address for sending queries -# -# query-local-address6=:: - -################################# -# query-logging Hint backends that queries should be logged -# -# query-logging=no - -################################# -# queue-limit Maximum number of milliseconds to queue a query -# -# queue-limit=1500 - -################################# -# receiver-threads Default number of receiver threads to start -# -# receiver-threads=1 - -################################# -# retrieval-threads Number of AXFR-retrieval threads for slave operation -# -# retrieval-threads=2 - -################################# -# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket -# -# reuseport=no - -################################# -# security-poll-suffix Domain name from which to query security update notifications -# -# security-poll-suffix=secpoll.powerdns.com. 
- -################################# -# send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority -# -# send-root-referral=no - -################################# -# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom -# -# server-id= - -################################# -# setgid If set, change group id to this gid for more security -# -setgid=pdns - -################################# -# setuid If set, change user id to this uid for more security -# -setuid=pdns - -################################# -# signing-threads Default number of signer threads to start -# -# signing-threads=3 - -################################# -# slave Act as a slave -# -# slave=no - -################################# -# slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds -# -# slave-cycle-interval=60 - -################################# -# slave-renotify If we should send out notifications for slaved updates -# -# slave-renotify=no - -################################# -# soa-expire-default Default SOA expire -# -# soa-expire-default=604800 - -################################# -# soa-minimum-ttl Default SOA minimum ttl -# -# soa-minimum-ttl=3600 - -################################# -# soa-refresh-default Default SOA refresh -# -# soa-refresh-default=10800 - -################################# -# soa-retry-default Default SOA retry -# -# soa-retry-default=3600 - -################################# -# socket-dir Where the controlsocket will live -# -socket-dir=/var/run - -################################# -# tcp-control-address If set, PowerDNS can be controlled over TCP on this address -# -# tcp-control-address= - -################################# -# tcp-control-port If set, PowerDNS can be controlled over TCP on this address -# -# tcp-control-port=53000 - -################################# -# tcp-control-range If set, remote control of PowerDNS is possible over these 
networks only -# -# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10 - -################################# -# tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret -# -# tcp-control-secret= - -################################# -# traceback-handler Enable the traceback handler (Linux only) -# -# traceback-handler=yes - -################################# -# trusted-notification-proxy IP address of incoming notification proxy -# -# trusted-notification-proxy= - -################################# -# udp-truncation-threshold Maximum UDP response size before we truncate -# -# udp-truncation-threshold=1680 - -################################# -# version-string PowerDNS version in packets - full, anonymous, powerdns or custom -# -version-string=powerdns - -################################# -# webserver Start a webserver for monitoring -# -# webserver=no - -################################# -# webserver-address IP Address of webserver to listen on -# -# webserver-address=127.0.0.1 - -################################# -# webserver-allow-from Webserver access is only allowed from these subnets -# -# webserver-allow-from=0.0.0.0/0,::/0 - -################################# -# webserver-password Password required for accessing the webserver -# -# webserver-password= - -################################# -# webserver-port Port of webserver to listen on -# -# webserver-port=8081 - -################################# -# webserver-print-arguments If the webserver should print arguments -# -# webserver-print-arguments=no - -# include froxlor-specific config -include-dir=/etc/powerdns/froxlor/ -]]> - - - - - - - - - - - - - - -################################# -# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. 
-# -# allow-dnsupdate-from=127.0.0.0/8,::1 - -################################# -# also-notify When notifying a domain, also notify these nameservers -# -# also-notify= - -################################# -# any-to-tcp Answer ANY queries with tc=1, shunting to TCP -# -# any-to-tcp=no - -################################# -# cache-ttl Seconds to store packets in the PacketCache -# -# cache-ttl=20 - -################################# -# carbon-interval Number of seconds between carbon (graphite) updates -# -# carbon-interval=30 - -################################# -# carbon-ourname If set, overrides our reported hostname for carbon stats -# -# carbon-ourname= - -################################# -# carbon-server If set, send metrics in carbon (graphite) format to this server -# -# carbon-server= - -################################# -# chroot If set, chroot to this directory for more security -# -# chroot= - -################################# -# config-dir Location of configuration directory (pdns.conf) -# -config-dir=/etc/powerdns - -################################# -# config-name Name of this virtual configuration - will rename the binary image -# -# config-name= - -################################# -# control-console Debugging switch - don't use -# -# control-console=no - -################################# -# daemon Operate as a daemon -# -daemon=yes - -################################# -# default-ksk-algorithms Default KSK algorithms -# -# default-ksk-algorithms=rsasha256 - -################################# -# default-ksk-size Default KSK size (0 means default) -# -# default-ksk-size=0 - -################################# -# default-soa-mail mail address to insert in the SOA record if none set in the backend -# -# default-soa-mail= - -################################# -# default-soa-name name to insert in the SOA record if none set in the backend -# -# default-soa-name=a.misconfigured.powerdns.server - -################################# -# default-ttl Seconds a 
result is valid if not set otherwise -# -# default-ttl=3600 - -################################# -# default-zsk-algorithms Default ZSK algorithms -# -# default-zsk-algorithms=rsasha256 - -################################# -# default-zsk-size Default ZSK size (0 means default) -# -# default-zsk-size=0 - -################################# -# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis -# -# direct-dnskey=no - -################################# -# disable-axfr Disable zonetransfers but do allow TCP queries -# -disable-axfr=yes - -################################# -# disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing. -# -# disable-axfr-rectify=no - -################################# -# disable-tcp Do not listen to TCP queries -# -# disable-tcp=no - -################################# -# distributor-threads Default number of Distributor (backend) threads to start -# -# distributor-threads=3 - -################################# -# do-ipv6-additional-processing Do AAAA additional processing -# -# do-ipv6-additional-processing=yes - -################################# -# edns-subnet-processing If we should act on EDNS Subnet options -# -# edns-subnet-processing=no - -################################# -# entropy-source If set, read entropy from this file -# -# entropy-source=/dev/urandom - -################################# -# experimental-api-key REST API Static authentication key (required for API use) -# -# experimental-api-key= - -################################# -# experimental-api-readonly If the JSON API should disallow data modification -# -# experimental-api-readonly=no - -################################# -# experimental-dname-processing If we should support DNAME records -# -# experimental-dname-processing=no - -################################# -# experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no. 
-# -# experimental-dnsupdate=no - -################################# -# experimental-json-interface If the webserver should serve JSON data -# -# experimental-json-interface=no - -################################# -# experimental-logfile Filename of the log file for JSON parser -# -# experimental-logfile=/var/log/pdns.log - -################################# -# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master. -# -# forward-dnsupdate=yes - -################################# -# guardian Run within a guardian process -# -guardian=yes - -################################# -# include-dir Include *.conf files from this directory -# -# include-dir= - -################################# -# launch Which backends to launch and order to query them in -# -launch=bind - -################################# -# load-modules Load this module - supply absolute or relative path -# -# load-modules= - -################################# -# local-address Local IP addresses to which we bind -# -local-address=,127.0.0.1 - -################################# -# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server -# -# local-address-nonexist-fail=yes - -################################# -# local-ipv6 Local IP address to which we bind -# -# local-ipv6= - -################################# -# local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server -# -# local-ipv6-nonexist-fail=yes - -################################# -# local-port The port on which we listen -# -local-port=53 - -################################# -# log-dns-details If PDNS should log DNS non-erroneous details -# -log-dns-details=yes - -################################# -# log-dns-queries If PDNS should log all incoming DNS queries -# -# log-dns-queries=no - -################################# -# logging-facility Log under a specific facility -# -# 
logging-facility= - -################################# -# loglevel Amount of logging. Higher is more. Do not set below 3 -# -# loglevel=4 - -################################# -# lua-prequery-script Lua script with prequery handler -# -# lua-prequery-script= - -################################# -# master Act as a master -# -master=yes - -################################# -# max-cache-entries Maximum number of cache entries -# -# max-cache-entries=1000000 - -################################# -# max-ent-entries Maximum number of empty non-terminals in a zone -# -# max-ent-entries=100000 - -################################# -# max-nsec3-iterations Limit the number of NSEC3 hash iterations -# -# max-nsec3-iterations=500 - -################################# -# max-queue-length Maximum queuelength before considering situation lost -# -# max-queue-length=5000 - -################################# -# max-signature-cache-entries Maximum number of signatures cache entries -# -# max-signature-cache-entries= - -################################# -# max-tcp-connections Maximum number of TCP connections -# -# max-tcp-connections=10 - -################################# -# module-dir Default directory for modules -# -module-dir=/usr/lib/powerdns/pdns/ - -################################# -# negquery-cache-ttl Seconds to store negative query results in the QueryCache -# -# negquery-cache-ttl=60 - -################################# -# no-shuffle Set this to prevent random shuffling of answers - for regression testing -# -# no-shuffle=off - -################################# -# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks -# -# only-notify=0.0.0.0/0,::/0 - -################################# -# out-of-zone-additional-processing Do out of zone additional processing -# -# out-of-zone-additional-processing=yes - -################################# -# overload-queue-length Maximum queuelength moving to packetcache only -# -# overload-queue-length=0 - 
-################################# -# pipebackend-abi-version Version of the pipe backend ABI -# -# pipebackend-abi-version=1 - -################################# -# prevent-self-notification Don't send notifications to what we think is ourself -# -# prevent-self-notification=yes - -################################# -# query-cache-ttl Seconds to store query results in the QueryCache -# -# query-cache-ttl=20 - -################################# -# query-local-address Source IP address for sending queries -# -# query-local-address=0.0.0.0 - -################################# -# query-local-address6 Source IPv6 address for sending queries -# -# query-local-address6=:: - -################################# -# query-logging Hint backends that queries should be logged -# -# query-logging=no - -################################# -# queue-limit Maximum number of milliseconds to queue a query -# -# queue-limit=1500 - -################################# -# receiver-threads Default number of receiver threads to start -# -# receiver-threads=1 - -################################# -# retrieval-threads Number of AXFR-retrieval threads for slave operation -# -# retrieval-threads=2 - -################################# -# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket -# -# reuseport=no - -################################# -# security-poll-suffix Domain name from which to query security update notifications -# -# security-poll-suffix=secpoll.powerdns.com. 
- -################################# -# send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority -# -# send-root-referral=no - -################################# -# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom -# -# server-id= - -################################# -# setgid If set, change group id to this gid for more security -# -setgid=pdns - -################################# -# setuid If set, change user id to this uid for more security -# -setuid=pdns - -################################# -# signing-threads Default number of signer threads to start -# -# signing-threads=3 - -################################# -# slave Act as a slave -# -# slave=no - -################################# -# slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds -# -# slave-cycle-interval=60 - -################################# -# slave-renotify If we should send out notifications for slaved updates -# -# slave-renotify=no - -################################# -# soa-expire-default Default SOA expire -# -# soa-expire-default=604800 - -################################# -# soa-minimum-ttl Default SOA minimum ttl -# -# soa-minimum-ttl=3600 - -################################# -# soa-refresh-default Default SOA refresh -# -# soa-refresh-default=10800 - -################################# -# soa-retry-default Default SOA retry -# -# soa-retry-default=3600 - -################################# -# socket-dir Where the controlsocket will live -# -socket-dir=/var/run - -################################# -# tcp-control-address If set, PowerDNS can be controlled over TCP on this address -# -# tcp-control-address= - -################################# -# tcp-control-port If set, PowerDNS can be controlled over TCP on this address -# -# tcp-control-port=53000 - -################################# -# tcp-control-range If set, remote control of PowerDNS is possible over these 
networks only -# -# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10 - -################################# -# tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret -# -# tcp-control-secret= - -################################# -# traceback-handler Enable the traceback handler (Linux only) -# -# traceback-handler=yes - -################################# -# trusted-notification-proxy IP address of incoming notification proxy -# -# trusted-notification-proxy= - -################################# -# udp-truncation-threshold Maximum UDP response size before we truncate -# -# udp-truncation-threshold=1680 - -################################# -# version-string PowerDNS version in packets - full, anonymous, powerdns or custom -# -version-string=powerdns - -################################# -# webserver Start a webserver for monitoring -# -# webserver=no - -################################# -# webserver-address IP Address of webserver to listen on -# -# webserver-address=127.0.0.1 - -################################# -# webserver-allow-from Webserver access is only allowed from these subnets -# -# webserver-allow-from=0.0.0.0/0,::/0 - -################################# -# webserver-password Password required for accessing the webserver -# -# webserver-password= - -################################# -# webserver-port Port of webserver to listen on -# -# webserver-port=8081 - -################################# -# webserver-print-arguments If the webserver should print arguments -# -# webserver-print-arguments=no - -# include froxlor-bind-specific config -include-dir=/etc/powerdns/froxlor/ -]]> - - - - - named.conf -bind-check-interval=180 -]]> - - - - - - - - - - - - {{settings.system.vmail_gid}} - - - - - {{settings.system.vmail_uid}} - - - - - - - - - - - - - - - -password = -dbname = -hosts = -query = SELECT destination FROM mail_virtual AS v, panel_customers AS c WHERE c.customerid = v.customerid 
AND c.deactivated = 0 AND v.email = '%s' AND trim(v.destination) <> '' -]]> - - - - -password = -dbname = -hosts = -query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0 -]]> - - - - -password = -dbname = -expansion_limit = 1 -hosts = -query = SELECT CONCAT(homedir,maildir) FROM mail_users WHERE email = '%s' -]]> - - - - -password = -dbname = -hosts = -query = SELECT DISTINCT username FROM mail_users WHERE email in ((SELECT mail_virtual.email_full FROM mail_virtual WHERE mail_virtual.email = '%s' UNION SELECT mail_virtual.destination FROM mail_virtual WHERE mail_virtual.email = '%s')); -]]> - - - - -password = -dbname = -expansion_limit = 1 -hosts = -query = SELECT uid FROM mail_users WHERE email = '%s' -]]> - - - - -password = -dbname = -expansion_limit = 1 -hosts = -query = SELECT gid FROM mail_users WHERE email = '%s' -]]> - - - - -]]> - - - - - - - - - - - - //service[@type='smtp']/general/commands[@index=1] - - > /etc/portage/package.use/froxlor]]> - //service[@type='smtp']/general/installs[@index=1] - - //service[@type='smtp']/general/commands[@index=2] - - - - -# set myhostname to $mydomain because Froxlor already uses a FQDN -myhostname = $mydomain - -mydestination = $myhostname, - $mydomain, - localhost.$myhostname, - localhost.$mydomain, - localhost -mynetworks = 127.0.0.0/8 -inet_interfaces = all -append_dot_mydomain = no -biff = no - -# Postfix performance settings -default_destination_concurrency_limit = 20 -local_destination_concurrency_limit = 2 - -# SMTPD Settings -smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) -smtpd_helo_required = yes -smtpd_recipient_restrictions = permit_mynetworks, - permit_sasl_authenticated, - reject_unauth_destination, - reject_unauth_pipelining, - reject_non_fqdn_recipient -smtpd_sender_restrictions = permit_mynetworks, - reject_sender_login_mismatch, - permit_sasl_authenticated, - reject_unknown_hostname, - reject_unknown_recipient_domain, - 
reject_unknown_sender_domain -smtpd_client_restrictions = permit_mynetworks, - permit_sasl_authenticated, - reject_unknown_client - -smtpd_relay_restrictions = permit_mynetworks, - permit_sasl_authenticated, - defer_unauth_destination - -# Maximum size of Message in bytes (512MB) -message_size_limit = 536870912 - -## SASL Auth Settings -smtpd_sasl_auth_enable = yes -smtpd_sasl_local_domain = $myhostname -smtpd_sasl_security_options = noanonymous -broken_sasl_auth_clients = yes -## Dovecot Settings for deliver, SASL Auth and virtual transport -mailbox_command = /usr/libexec/dovecot/deliver -smtpd_sasl_type = dovecot -smtpd_sasl_path = private/auth -virtual_transport = dovecot -dovecot_destination_recipient_limit = 1 - -# Virtual delivery settings -virtual_mailbox_base = / -virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf -virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf -virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf -smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_permissions.cf -virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uid_maps.cf -virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gid_maps.cf - -# Local delivery settings -local_transport = local -alias_database = hash:/etc/mail/aliases -alias_maps = $alias_database - -# Default Mailbox size, is set to 0 which means unlimited! 
-mailbox_size_limit = 0 -virtual_mailbox_limit = 0 - -### TLS settings -### -## TLS for outgoing mails from the server to another server -smtp_tls_security_level = may -smtp_tls_note_starttls_offer = yes -## TLS for incoming connections (clients or other mail servers) -smtpd_tls_security_level = may -smtpd_tls_cert_file = -smtpd_tls_key_file = -#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -smtpd_tls_loglevel = 1 -smtpd_tls_received_header = yes -smtp_use_tls = yes -smtpd_use_tls = yes -smtpd_tls_session_cache_timeout = 3600s -#tls_random_source = dev:/dev/urandom - -### Quota Settings with vda useflag -## I use only virtual as localdelivery... This permits me to have full -## virtual domain hosting without using a lot of maps -#virtual_transport = virtual -## Generate maildirsize files or not -#virtual_create_maildirsize = yes -#virtual_mailbox_extended = yes -## Limits only INBOX part (useful when -## using when you have IMAP users) -#virtual_mailbox_limit_inbox = yes -## maps of soft disk quotas -#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf -#virtual_mailbox_limit_override = yes -#virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. Please try again later. 
-#virtual_overquota_bounce = yes - -debugger_command = - PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin - ddd $daemon_directory/$process_name $process_id & sleep 5 -]]> - - - //service[@type='smtp']/general/files[@index=0] - - - - - //service[@type='smtp']/general/commands[@index=3] - - - - - //service[@type='smtp']/general/commands[@index=1] - - > /etc/portage/package.use/froxlor]]> - //service[@type='smtp']/general/installs[@index=1] - - //service[@type='smtp']/general/commands[@index=2] - - - -myhostname = $mydomain - -mydestination = $myhostname, - localhost.$myhostname, - localhost.$mydomain, - localhost -mynetworks = 127.0.0.0/8 -inet_interfaces = all -append_dot_mydomain = no -biff = no - -# Postfix performance settings -default_destination_concurrency_limit = 20 -local_destination_concurrency_limit = 2 - -# SMTPD Settings -smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) -smtpd_helo_required = yes -smtpd_recipient_restrictions = permit_mynetworks, - permit_sasl_authenticated, - reject_unauth_destination, - reject_unauth_pipelining, - reject_non_fqdn_recipient -smtpd_sender_restrictions = permit_mynetworks, - reject_sender_login_mismatch, - permit_sasl_authenticated, - reject_unknown_hostname, - reject_unknown_recipient_domain, - reject_unknown_sender_domain -smtpd_client_restrictions = permit_mynetworks, - permit_sasl_authenticated, - reject_unknown_client - -smtpd_relay_restrictions = permit_mynetworks, - permit_sasl_authenticated, - defer_unauth_destination - -# Maximum size of Message in bytes (512MB) -message_size_limit = 536870912 - -## SASL Auth Settings -smtpd_sasl_auth_enable = yes -smtpd_sasl_local_domain = $myhostname -smtpd_sasl_security_options = noanonymous -broken_sasl_auth_clients = yes -## Dovecot Settings for deliver, SASL Auth and virtual transport -mailbox_command = /usr/libexec/dovecot/deliver -smtpd_sasl_type = dovecot -smtpd_sasl_path = private/auth -virtual_transport = dovecot -dovecot_destination_recipient_limit = 1 - -# 
Virtual delivery settings -virtual_mailbox_base = / -virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf -virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf -virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf -smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_permissions.cf -virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uid_maps.cf -virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gid_maps.cf - -# Local delivery settings -local_transport = local -alias_database = hash:/etc/mail/aliases -alias_maps = $alias_database - -# Default Mailbox size, is set to 0 which means unlimited! -mailbox_size_limit = 0 -virtual_mailbox_limit = 0 - -### TLS settings -### -## TLS for outgoing mails from the server to another server -#smtp_use_tls = yes -#smtp_tls_note_starttls_offer = yes -## TLS for email client -#smtpd_tls_cert_file = /etc/ssl/server/server.pem -#smtpd_tls_key_file = /etc/ssl/server/server.key -#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -#smtpd_tls_CAfile = /etc/ssl/cacert.class3.crt # Just an example for CACert.org -#smtpd_tls_auth_only = no -#smtpd_tls_loglevel = 1 -#smtpd_tls_received_header = yes -#smtpd_tls_session_cache_timeout = 3600s -#tls_random_source = dev:/dev/urandom - -### Quota Settings with vda useflag -## I use only virtual as localdelivery... This permits me to have full -## virtual domain hosting without using a lot of maps -#virtual_transport = virtual -## Generate maildirsize files or not -#virtual_create_maildirsize = yes -#virtual_mailbox_extended = yes -## Limits only INBOX part (useful when -## using when you have IMAP users) -#virtual_mailbox_limit_inbox = yes -## maps of soft disk quotas -#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf -#virtual_mailbox_limit_override = yes -#virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. 
Please try again later. -#virtual_overquota_bounce = yes - -debugger_command = - PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin - ddd $daemon_directory/$process_name $process_id & sleep 5 -]]> - - - //service[@type='smtp']/general/files[@index=0] - - - - - //service[@type='smtp']/general/commands[@index=3] - - - - - - - - > /etc/portage/package.use/froxlor]]> - - - -ssl_key = < -ssl_dh = - sendmail_path = /usr/sbin/sendmail - lda_mailbox_autocreate = 1 -} -]]> - - - - dbname= user= password=" -#default_pass_scheme = CRYPT -password_query = "SELECT username AS user, password_enc AS password, CONCAT(homedir, maildir) AS userdb_home, uid AS userdb_uid, gid AS userdb_gid, CONCAT('maildir:', homedir, maildir) AS userdb_mail, CONCAT('*:storage=', quota,'M') AS userdb_quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') AND ((imap = 1 AND '%Ls' = 'imap') OR (pop3 = 1 AND '%Ls' = 'pop3') OR ((postfix = 'Y' AND '%Ls' = 'smtp') OR (postfix = 'Y' AND '%Ls' = 'sieve')))" -user_query = "SELECT CONCAT(homedir, maildir) AS home, CONCAT('maildir:', homedir, maildir) AS mail, uid, gid, CONCAT('*:storage=', quota,'M') AS quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u')" -iterate_query = "SELECT username AS user FROM mail_users WHERE (imap = 1 OR pop3 = 1)" -]]> - - - - - #service_count = 1 - - # Number of processes to always keep waiting for more connections. - #process_min_avail = 0 - - # If you set service_count=0, you probably need to grow this. - #vsz_limit = 64M -} - -#service managesieve { - # Max. number of ManageSieve processes (connections) - #process_limit = 1024 -#} - -# Service configuration - -protocol sieve { - # Maximum ManageSieve command line length in bytes. ManageSieve usually does - # not involve overly long command lines, so this setting will not normally - # need adjustment - #managesieve_max_line_length = 65536 - - # Maximum number of ManageSieve connections allowed for a user from each IP - # address. 
- # NOTE: The username is compared case-sensitively. - #mail_max_userip_connections = 10 - - # Space separated list of plugins to load (none known to be useful so far). - # Do NOT try to load IMAP plugins here. - #mail_plugins = - - # MANAGESIEVE logout format string: - # %i - total number of bytes read from client - # %o - total number of bytes sent to client - #managesieve_logout_format = bytes=%i/%o - - # To fool ManageSieve clients that are focused on CMU's timesieved you can - # specify the IMPLEMENTATION capability that Dovecot reports to clients. - # For example: 'Cyrus timsieved v2.2.13' - #managesieve_implementation_string = Dovecot Pigeonhole - - # Explicitly specify the SIEVE and NOTIFY capability reported by the server - # before login. If left unassigned these will be reported dynamically - # according to what the Sieve interpreter supports by default (after login - # this may differ depending on the user). - #managesieve_sieve_capability = - #managesieve_notify_capability = - - # The maximum number of compile errors that are returned to the client upon - # script upload or script verification. - #managesieve_max_compile_errors = 5 - - # Refer to 90-sieve.conf for script quota configuration and configuration of - # Sieve execution limits. 
-} -]]> - - - - :]path[; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - //service[@type='antispam']/general/installs[@index=1] - - //service[@type='antispam']/general/commands[@index=2] - - //service[@type='antispam']/general/files[@index=1] - - //service[@type='antispam']/general/commands[@index=3] - - - - - - - - > /etc/portage/package.use/froxlor]]> - - - " -[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=" -chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key -]]> - - - - - - - - FTP Server" -ServerType standalone -ServerIdent off -DefaultServer on -Port 21 -MaxInstances 50 - -# General settings -DeferWelcome on -ShowSymlinks on -AllowOverwrite on -AllowStoreRestart on -AllowRetrieveRestart on -ListOptions "-al" -DisplayChdir .message -UseIPv6 off - -# Modules settings -#DelayEngine off - -# Timeout settings -TimeoutLogin 120 -TimeoutNoTransfer 600 -TimeoutStalled 600 -TimeoutIdle 600 - -# Security settings -RootLogin off -RequireValidShell off -User nobody -Group nogroup -Umask 133 022 -DefaultRoot ~ -DenyFilter \*.*/ - -# Per-Directory settings - -Umask 133 022 -AllowOverwrite on - - -# SQL settings -SQLAuthTypes Crypt OpenSSL -SQLAuthenticate users* groups* -SQLConnectInfo @ -SQLUserInfo ftp_users username password uid gid homedir shell -SQLGroupInfo ftp_groups groupname gid members -SQLUserWhereClause "login_enabled = 'y'" - -SQLLog PASS login -SQLNamedQuery login UPDATE "last_login=now(), login_count=login_count+1 WHERE username='%u'" ftp_users - -SQLLog RETR download -SQLNamedQuery download UPDATE "down_count=down_count+1, down_bytes=down_bytes+%b WHERE username='%u'" ftp_users - -SQLLog STOR upload -SQLNamedQuery upload UPDATE "up_count=up_count+1, 
up_bytes=up_bytes+%b WHERE username='%u'" ftp_users - -# Quota settings -QuotaEngine on -QuotaShowQuotas on -QuotaDisplayUnits Mb -QuotaLock /var/lock/ftpd.quotatab.lock -QuotaLimitTable sql:/get-quota-limit -QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally -SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimits.quota_type, ftp_quotalimits.per_session, ftp_quotalimits.limit_type, panel_customers.diskspace*1024 AS bytes_in_avail, ftp_quotalimits.bytes_out_avail, ftp_quotalimits.bytes_xfer_avail, ftp_quotalimits.files_in_avail, ftp_quotalimits.files_out_avail, ftp_quotalimits.files_xfer_avail FROM ftp_users, ftp_quotalimits, panel_customers WHERE ftp_users.username = '%{0}' AND panel_customers.loginname = SUBSTRING_INDEX('%{0}', 'ftp', 1) AND quota_type ='%{1}'" -SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" -SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies -SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies - -# TLS settings - -TLSEngine on -TLSLog /var/log/proftpd-tls.log -TLSProtocol TLSv1.2 TLSv1.3 -#TLSTimeoutHandshake 120 -# Really important for WinClients and some clients -TLSOptions NoSessionReuseRequired -TLSRSACertificateFile /etc/ssl/certs/proftpd.crt -TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key -TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt -TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key - -# Authenticate client that want to use FTP over TLS? 
-TLSVerifyClient off -# Uncomment the following line to force tls login -TLSRequired on - - -# LOG settings -# Logging Formats -LogFormat default "%h %1 %u %t \"%r\" %s %b" -LogFormat auth "%v [%P] %h %t \"%r\" %s" -LogFormat write "%h %l %u %t \"%r\" %s %b" -# Activate Logging -# all logins -ExtendedLog /var/log/proftpd-auth.log AUTH auth -# file/dir access -ExtendedLog /var/log/proftpd-access.log WRITE,READ write -# everything (be careful, generates_ very_ big logfiles) -#ExtendedLog /var/log/proftpd-all.log ALL default - -# make proftpd faster / do not perform ident and reverse dns lookup -UseReverseDNS off - - -From 127.0.0.1 - - -MaxLoginAttempts 3 - - - BanEngine off - - - BanEngine on - -BanLog /var/log/proftpd-ban.log -BanTable /etc/proftpd/ban.tab -BanMessage "User %u was banned." -BanOnEvent ClientConnectRate 5/00:00:02 12:00:00 "Stop connecting frequently" -BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00 -BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99 -BanControlsACLs all allow user root - - - -BanEngine off -DelayEngine off - -]]> - - - - - - - - > /etc/portage/package.use/froxlor]]> - - - " -openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072 -chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem -]]> - - - - - - - - - - - - -#MYSQLPort 3306 -MYSQLSocket /var/run/mysqld/mysqld.sock -MYSQLUser -MYSQLPassword -MYSQLDatabase -MYSQLCrypt any -MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y" -MYSQLGetUID SELECT uid FROM ftp_users WHERE username="\L" AND login_enabled="y" -MYSQLGetGID SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled="y" -MYSQLGetDir SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y" -MySQLGetQTASZ SELECT CASE WHEN panel_customers.diskspace = 0 THEN -1 WHEN panel_customers.diskspace <= -1 THEN 0 ELSE panel_customers.diskspace/1024 END AS QuotaSize FROM panel_customers, ftp_users WHERE username = "\L" AND 
panel_customers.loginname = SUBSTRING_INDEX('\L', 'ftp', 1) -]]> - - - - - - - - > /etc/portage/package.use/froxlor]]> - - - FTP service. -#deny_email_enable=YES -#banned_email_file=/etc/vsftpd.banned_emails -# chroot_list_enable below. -chroot_local_user=YES -chroot_list_enable=YES -allow_writeable_chroot=YES -#chroot_list_file=/etc/vsftpd.chroot_list -#ls_recurse_enable=YES -secure_chroot_dir=/run/vsftpd/empty -pam_service_name=vsftpd -#rsa_cert_file=/etc/vsftpd/ssl/.pem -#rsa_private_key_file=/etc/vsftpd/ssl/.pem -#ssl_enable=YES -#ssl_tlsv1=YES -#ssl_sslv2=NO -#ssl_sslv3=NO -force_local_data_ssl=NO -force_local_logins_ssl=NO -allow_anon_ssl=NO -require_ssl_reuse=NO -ssl_ciphers=HIGH -]]> - - - passwd= host= db= table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1 -account required pam_mysql.so user= passwd= host= db= table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1 - -#auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed - -# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so. 
- -# Standard pam includes -#@include common-account -#@include common-session -#@include common-auth -#auth required pam_shells.so -]]> - - - - - - - - - - - - - - - - - - - - - - - - - - - -database -username -password -socket /var/run/mysqld/mysqld.sock -]]> - - - - - {{sql.socket}} - - - - -password -]]> - - - - - - - - - - - - - - - - *.log { - missingok - daily - rotate 7 - compress - delaycompress - notifempty - create - sharedscripts - postrotate - > /dev/null 2>&1 || true - endscript -} -]]> - - - - - - - - - - - - - - - - - - - - - - - - > /etc/portage/package.use/froxlor]]> - - - {{settings.system.webserver}} - - > /etc/portage/package.use/froxlor]]> - - - {{settings.system.mod_fcgid}} - - > /etc/portage/package.use/froxlor]]> - - - {{settings.system.webserver}} - - - - - {{settings.system.webserver}} - - - - - {{settings.system.mod_fcgid_ownvhost}} - - - - - - - - {{settings.system.webserver}} - - - - - - - - - - > /etc/portage/package.use/froxlor]]> - - - {{settings.system.webserver}} - - > /etc/portage/package.use/froxlor]]> - - - {{settings.system.webserver}} - - - - - {{settings.phpfpm.enabled}} - - > /etc/portage/package.use/froxlor]]> - - - {{settings.system.webserver}} - - - - - {{settings.phpfpm.enabled_ownvhost}} - - {{settings.phpfpm.vhost_httpuser}} - - - - - - {{settings.system.webserver}} - - {{settings.phpfpm.enabled_ownvhost}} - - - - - - - - - - bin/froxlor-cli /usr/local/bin/froxlor-cli]]> - bin/froxlor-cli froxlor:cron --run-task 99]]> - - - - - - diff --git a/lib/configfiles/jammy.xml b/lib/configfiles/jammy.xml index 1de7be5b..1686c447 100644 --- a/lib/configfiles/jammy.xml +++ b/lib/configfiles/jammy.xml @@ -3835,6 +3835,7 @@ TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key +# TLSCACertificateFile TLSOptions NoSessionReuseRequired TLSVerifyClient off