{{settings.system.apacheconf_vhost}} {{settings.system.apacheconf_vhost}} {{settings.system.apacheconf_diroptions}} {{settings.system.apacheconf_diroptions}} {{settings.system.deactivateddocroot}} //service[@type='http']/general/commands {{settings.system.use_ssl}} {{settings.phpfpm.enabled}} {{settings.system.leenabled}} Require all granted ]]> "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/") # default listening port for IPv6 falls back to the IPv4 port include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port include_shell "/usr/share/lighttpd/create-mime.assign.pl" include_shell "/usr/share/lighttpd/include-conf-enabled.pl" ]]> //service[@type='http']/general/commands {{settings.system.apacheconf_vhost}} > /etc/lighttpd/lighttpd.conf]]> {{settings.system.apacheconf_vhost}} > /etc/lighttpd/lighttpd.conf]]> {{settings.system.apacheconf_diroptions}} > /etc/lighttpd/lighttpd.conf]]> {{settings.system.apacheconf_diroptions}} > /etc/lighttpd/lighttpd.conf]]> {{settings.phpfpm.enabled}} {{settings.system.mod_fcgid}} {{settings.system.leenabled}} {{settings.phpfpm.enabled}} {{settings.system.mod_fcgid}} //service[@type='http']/general/commands {{settings.phpfpm.enabled}} {{settings.system.mod_fcgid}} > /etc/bind/named.conf.local]]> ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # # allow-dnsupdate-from=127.0.0.0/8,::1 ################################# # allow-recursion List of subnets that are allowed to recurse # allow-recursion=127.0.0.1 ################################# # also-notify When notifying a domain, also notify these nameservers # # also-notify= ################################# # any-to-tcp Answer ANY queries with tc=1, shunting to TCP # # any-to-tcp=no ################################# # cache-ttl Seconds to store packets in the PacketCache # # cache-ttl=20 ################################# # carbon-interval Number of seconds between carbon (graphite) updates # # carbon-interval=30 ################################# # carbon-ourname If set, overrides our reported hostname for carbon stats # # carbon-ourname= ################################# # carbon-server If set, send metrics in carbon (graphite) format to this server # # carbon-server= ################################# # chroot If set, chroot to this directory for more security # # chroot= ################################# # config-dir Location of configuration directory (pdns.conf) # config-dir=/etc/powerdns ################################# # config-name Name of this virtual configuration - will rename the binary image # # config-name= ################################# # control-console Debugging switch - don't use # # control-console=no ################################# # daemon Operate as a daemon # daemon=yes ################################# # default-ksk-algorithms Default KSK algorithms # # default-ksk-algorithms=rsasha256 ################################# # default-ksk-size Default KSK size (0 means default) # # default-ksk-size=0 ################################# # default-soa-mail mail address to insert in the SOA record if none set in the backend # # default-soa-mail= ################################# # default-soa-name name to insert in the SOA record if none set in the backend # # default-soa-name=a.misconfigured.powerdns.server ################################# # default-ttl Seconds a result is valid if not set otherwise # # default-ttl=3600 ################################# # default-zsk-algorithms Default ZSK algorithms # # default-zsk-algorithms=rsasha256 ################################# # default-zsk-size Default ZSK size (0 means default) # # default-zsk-size=0 ################################# # direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis # # direct-dnskey=no ################################# # disable-axfr Disable zonetransfers but do allow TCP queries # # disable-axfr=no ################################# # disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing. # # disable-axfr-rectify=no ################################# # disable-tcp Do not listen to TCP queries # # disable-tcp=no ################################# # distributor-threads Default number of Distributor (backend) threads to start # # distributor-threads=3 ################################# # do-ipv6-additional-processing Do AAAA additional processing # # do-ipv6-additional-processing=yes ################################# # edns-subnet-processing If we should act on EDNS Subnet options # # edns-subnet-processing=no ################################# # entropy-source If set, read entropy from this file # # entropy-source=/dev/urandom ################################# # experimental-api-key REST API Static authentication key (required for API use) # # experimental-api-key= ################################# # experimental-api-readonly If the JSON API should disallow data modification # # experimental-api-readonly=no ################################# # experimental-dname-processing If we should support DNAME records # # experimental-dname-processing=no ################################# # experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no. # # experimental-dnsupdate=no ################################# # experimental-json-interface If the webserver should serve JSON data # # experimental-json-interface=no ################################# # experimental-logfile Filename of the log file for JSON parser # # experimental-logfile=/var/log/pdns.log ################################# # forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master. # # forward-dnsupdate=yes ################################# # guardian Run within a guardian process # guardian=yes ################################# # include-dir Include *.conf files from this directory # # include-dir= ################################# # launch Which backends to launch and order to query them in # # launch= ################################# # load-modules Load this module - supply absolute or relative path # # load-modules= ################################# # local-address Local IP addresses to which we bind # local-address=,127.0.0.1 ################################# # local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server # # local-address-nonexist-fail=yes ################################# # local-ipv6 Local IP address to which we bind # # local-ipv6= ################################# # local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server # # local-ipv6-nonexist-fail=yes ################################# # local-port The port on which we listen # # local-port=53 ################################# # log-dns-details If PDNS should log DNS non-erroneous details # # log-dns-details=no ################################# # log-dns-queries If PDNS should log all incoming DNS queries # # log-dns-queries=no ################################# # logging-facility Log under a specific facility # # logging-facility= ################################# # loglevel Amount of logging. Higher is more. Do not set below 3 # # loglevel=4 ################################# # lua-prequery-script Lua script with prequery handler # # lua-prequery-script= ################################# # master Act as a master # master=yes ################################# # max-cache-entries Maximum number of cache entries # # max-cache-entries=1000000 ################################# # max-ent-entries Maximum number of empty non-terminals in a zone # # max-ent-entries=100000 ################################# # max-nsec3-iterations Limit the number of NSEC3 hash iterations # # max-nsec3-iterations=500 ################################# # max-queue-length Maximum queuelength before considering situation lost # # max-queue-length=5000 ################################# # max-signature-cache-entries Maximum number of signatures cache entries # # max-signature-cache-entries= ################################# # max-tcp-connections Maximum number of TCP connections # # max-tcp-connections=10 ################################# # module-dir Default directory for modules # # module-dir=/usr/lib/TRIPLET/pdns ################################# # negquery-cache-ttl Seconds to store negative query results in the QueryCache # # negquery-cache-ttl=60 ################################# # no-shuffle Set this to prevent random shuffling of answers - for regression testing # # no-shuffle=off ################################# # only-notify Only send AXFR NOTIFY to these IP addresses or netmasks # # only-notify=0.0.0.0/0,::/0 ################################# # out-of-zone-additional-processing Do out of zone additional processing # # out-of-zone-additional-processing=yes ################################# # overload-queue-length Maximum queuelength moving to packetcache only # # overload-queue-length=0 ################################# # pipebackend-abi-version Version of the pipe backend ABI # # pipebackend-abi-version=1 ################################# # prevent-self-notification Don't send notifications to what we think is ourself # # prevent-self-notification=yes ################################# # query-cache-ttl Seconds to store query results in the QueryCache # # query-cache-ttl=20 ################################# # query-local-address Source IP address for sending queries # # query-local-address=0.0.0.0 ################################# # query-local-address6 Source IPv6 address for sending queries # # query-local-address6=:: ################################# # query-logging Hint backends that queries should be logged # # query-logging=no ################################# # queue-limit Maximum number of milliseconds to queue a query # # queue-limit=1500 ################################# # receiver-threads Default number of receiver threads to start # # receiver-threads=1 ################################# # recursive-cache-ttl Seconds to store packets for recursive queries in the PacketCache # # recursive-cache-ttl=10 ################################# # recursor If recursion is desired, IP address of a recursing nameserver # # recursor=no ################################# # retrieval-threads Number of AXFR-retrieval threads for slave operation # # retrieval-threads=2 ################################# # reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket # # reuseport=no ################################# # security-poll-suffix Domain name from which to query security update notifications # # security-poll-suffix=secpoll.powerdns.com. ################################# # send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority # # send-root-referral=no ################################# # server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom # # server-id= ################################# # setgid If set, change group id to this gid for more security # setgid=pdns ################################# # setuid If set, change user id to this uid for more security # setuid=pdns ################################# # signing-threads Default number of signer threads to start # # signing-threads=3 ################################# # slave Act as a slave # # slave=no ################################# # slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds # # slave-cycle-interval=60 ################################# # slave-renotify If we should send out notifications for slaved updates # # slave-renotify=no ################################# # soa-expire-default Default SOA expire # # soa-expire-default=604800 ################################# # soa-minimum-ttl Default SOA minimum ttl # # soa-minimum-ttl=3600 ################################# # soa-refresh-default Default SOA refresh # # soa-refresh-default=10800 ################################# # soa-retry-default Default SOA retry # # soa-retry-default=3600 ################################# # socket-dir Where the controlsocket will live # # socket-dir=/var/run ################################# # tcp-control-address If set, PowerDNS can be controlled over TCP on this address # # tcp-control-address= ################################# # tcp-control-port If set, PowerDNS can be controlled over TCP on this address # # tcp-control-port=53000 ################################# # tcp-control-range If set, remote control of PowerDNS is possible over these networks only # # tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10 ################################# # tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret # # tcp-control-secret= ################################# # traceback-handler Enable the traceback handler (Linux only) # # traceback-handler=yes ################################# # trusted-notification-proxy IP address of incoming notification proxy # # trusted-notification-proxy= ################################# # udp-truncation-threshold Maximum UDP response size before we truncate # # udp-truncation-threshold=1680 ################################# # version-string PowerDNS version in packets - full, anonymous, powerdns or custom # version-string=powerdns ################################# # webserver Start a webserver for monitoring # # webserver=no ################################# # webserver-address IP Address of webserver to listen on # # webserver-address=127.0.0.1 ################################# # webserver-allow-from Webserver access is only allowed from these subnets # # webserver-allow-from=0.0.0.0/0,::/0 ################################# # webserver-password Password required for accessing the webserver # # webserver-password= ################################# # webserver-port Port of webserver to listen on # # webserver-port=8081 ################################# # webserver-print-arguments If the webserver should print arguments # # webserver-print-arguments=no # include froxlor-bind-specific config include-dir=/etc/powerdns/froxlor/ ]]> ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # # allow-dnsupdate-from=127.0.0.0/8,::1 ################################# # allow-recursion List of subnets that are allowed to recurse # allow-recursion=127.0.0.1 ################################# # also-notify When notifying a domain, also notify these nameservers # # also-notify= ################################# # any-to-tcp Answer ANY queries with tc=1, shunting to TCP # # any-to-tcp=no ################################# # cache-ttl Seconds to store packets in the PacketCache # # cache-ttl=20 ################################# # carbon-interval Number of seconds between carbon (graphite) updates # # carbon-interval=30 ################################# # carbon-ourname If set, overrides our reported hostname for carbon stats # # carbon-ourname= ################################# # carbon-server If set, send metrics in carbon (graphite) format to this server # # carbon-server= ################################# # chroot If set, chroot to this directory for more security # # chroot= ################################# # config-dir Location of configuration directory (pdns.conf) # config-dir=/etc/powerdns ################################# # config-name Name of this virtual configuration - will rename the binary image # # config-name= ################################# # control-console Debugging switch - don't use # # control-console=no ################################# # daemon Operate as a daemon # daemon=yes ################################# # default-ksk-algorithms Default KSK algorithms # # default-ksk-algorithms=rsasha256 ################################# # default-ksk-size Default KSK size (0 means default) # # default-ksk-size=0 ################################# # default-soa-mail mail address to insert in the SOA record if none set in the backend # # default-soa-mail= ################################# # default-soa-name name to insert in the SOA record if none set in the backend # # default-soa-name=a.misconfigured.powerdns.server ################################# # default-ttl Seconds a result is valid if not set otherwise # # default-ttl=3600 ################################# # default-zsk-algorithms Default ZSK algorithms # # default-zsk-algorithms=rsasha256 ################################# # default-zsk-size Default ZSK size (0 means default) # # default-zsk-size=0 ################################# # direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis # # direct-dnskey=no ################################# # disable-axfr Disable zonetransfers but do allow TCP queries # # disable-axfr=no ################################# # disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing. # # disable-axfr-rectify=no ################################# # disable-tcp Do not listen to TCP queries # # disable-tcp=no ################################# # distributor-threads Default number of Distributor (backend) threads to start # # distributor-threads=3 ################################# # do-ipv6-additional-processing Do AAAA additional processing # # do-ipv6-additional-processing=yes ################################# # edns-subnet-processing If we should act on EDNS Subnet options # # edns-subnet-processing=no ################################# # entropy-source If set, read entropy from this file # # entropy-source=/dev/urandom ################################# # experimental-api-key REST API Static authentication key (required for API use) # # experimental-api-key= ################################# # experimental-api-readonly If the JSON API should disallow data modification # # experimental-api-readonly=no ################################# # experimental-dname-processing If we should support DNAME records # # experimental-dname-processing=no ################################# # experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no. # # experimental-dnsupdate=no ################################# # experimental-json-interface If the webserver should serve JSON data # # experimental-json-interface=no ################################# # experimental-logfile Filename of the log file for JSON parser # # experimental-logfile=/var/log/pdns.log ################################# # forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master. # # forward-dnsupdate=yes ################################# # guardian Run within a guardian process # guardian=yes ################################# # include-dir Include *.conf files from this directory # # include-dir= ################################# # launch Which backends to launch and order to query them in # # launch= launch=bind ################################# # load-modules Load this module - supply absolute or relative path # # load-modules= ################################# # local-address Local IP addresses to which we bind # local-address=,127.0.0.1 ################################# # local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server # # local-address-nonexist-fail=yes ################################# # local-ipv6 Local IP address to which we bind # # local-ipv6= ################################# # local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server # # local-ipv6-nonexist-fail=yes ################################# # local-port The port on which we listen # # local-port=53 ################################# # log-dns-details If PDNS should log DNS non-erroneous details # # log-dns-details=no ################################# # log-dns-queries If PDNS should log all incoming DNS queries # # log-dns-queries=no ################################# # logging-facility Log under a specific facility # # logging-facility= ################################# # loglevel Amount of logging. Higher is more. Do not set below 3 # # loglevel=4 ################################# # lua-prequery-script Lua script with prequery handler # # lua-prequery-script= ################################# # master Act as a master # master=yes ################################# # max-cache-entries Maximum number of cache entries # # max-cache-entries=1000000 ################################# # max-ent-entries Maximum number of empty non-terminals in a zone # # max-ent-entries=100000 ################################# # max-nsec3-iterations Limit the number of NSEC3 hash iterations # # max-nsec3-iterations=500 ################################# # max-queue-length Maximum queuelength before considering situation lost # # max-queue-length=5000 ################################# # max-signature-cache-entries Maximum number of signatures cache entries # # max-signature-cache-entries= ################################# # max-tcp-connections Maximum number of TCP connections # # max-tcp-connections=10 ################################# # module-dir Default directory for modules # # module-dir=/usr/lib/TRIPLET/pdns ################################# # negquery-cache-ttl Seconds to store negative query results in the QueryCache # # negquery-cache-ttl=60 ################################# # no-shuffle Set this to prevent random shuffling of answers - for regression testing # # no-shuffle=off ################################# # only-notify Only send AXFR NOTIFY to these IP addresses or netmasks # # only-notify=0.0.0.0/0,::/0 ################################# # out-of-zone-additional-processing Do out of zone additional processing # # out-of-zone-additional-processing=yes ################################# # overload-queue-length Maximum queuelength moving to packetcache only # # overload-queue-length=0 ################################# # pipebackend-abi-version Version of the pipe backend ABI # # pipebackend-abi-version=1 ################################# # prevent-self-notification Don't send notifications to what we think is ourself # # prevent-self-notification=yes ################################# # query-cache-ttl Seconds to store query results in the QueryCache # # query-cache-ttl=20 ################################# # query-local-address Source IP address for sending queries # # query-local-address=0.0.0.0 ################################# # query-local-address6 Source IPv6 address for sending queries # # query-local-address6=:: ################################# # query-logging Hint backends that queries should be logged # # query-logging=no ################################# # queue-limit Maximum number of milliseconds to queue a query # # queue-limit=1500 ################################# # receiver-threads Default number of receiver threads to start # # receiver-threads=1 ################################# # recursive-cache-ttl Seconds to store packets for recursive queries in the PacketCache # # recursive-cache-ttl=10 ################################# # recursor If recursion is desired, IP address of a recursing nameserver # # recursor=no ################################# # retrieval-threads Number of AXFR-retrieval threads for slave operation # # retrieval-threads=2 ################################# # reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket # # reuseport=no ################################# # security-poll-suffix Domain name from which to query security update notifications # # security-poll-suffix=secpoll.powerdns.com. ################################# # send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority # # send-root-referral=no ################################# # server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom # # server-id= ################################# # setgid If set, change group id to this gid for more security # setgid=pdns ################################# # setuid If set, change user id to this uid for more security # setuid=pdns ################################# # signing-threads Default number of signer threads to start # # signing-threads=3 ################################# # slave Act as a slave # # slave=no ################################# # slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds # # slave-cycle-interval=60 ################################# # slave-renotify If we should send out notifications for slaved updates # # slave-renotify=no ################################# # soa-expire-default Default SOA expire # # soa-expire-default=604800 ################################# # soa-minimum-ttl Default SOA minimum ttl # # soa-minimum-ttl=3600 ################################# # soa-refresh-default Default SOA refresh # # soa-refresh-default=10800 ################################# # soa-retry-default Default SOA retry # # soa-retry-default=3600 ################################# # socket-dir Where the controlsocket will live # # socket-dir=/var/run ################################# # tcp-control-address If set, PowerDNS can be controlled over TCP on this address # # tcp-control-address= ################################# # tcp-control-port If set, PowerDNS can be controlled over TCP on this address # # tcp-control-port=53000 ################################# # tcp-control-range If set, remote control of PowerDNS is possible over these networks only # # tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10 ################################# # tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret # # tcp-control-secret= ################################# # traceback-handler Enable the traceback handler (Linux only) # # traceback-handler=yes ################################# # trusted-notification-proxy IP address of incoming notification proxy # # trusted-notification-proxy= ################################# # udp-truncation-threshold Maximum UDP response size before we truncate # # udp-truncation-threshold=1680 ################################# # version-string PowerDNS version in packets - full, anonymous, powerdns or custom # version-string=powerdns ################################# # webserver Start a webserver for monitoring # # webserver=no ################################# # webserver-address IP Address of webserver to listen on # # webserver-address=127.0.0.1 ################################# # webserver-allow-from Webserver access is only allowed from these subnets # # webserver-allow-from=0.0.0.0/0,::/0 ################################# # webserver-password Password required for accessing the webserver # # webserver-password= ################################# # webserver-port Port of webserver to listen on # # webserver-port=8081 ################################# # webserver-print-arguments If the webserver should print arguments # # webserver-print-arguments=no # include froxlor-bind-specific config include-dir=/etc/powerdns/froxlor/ ]]> named.conf # How often to check for zone changes. See 'Operation' section. bind-check-interval=180 # Uncomment to enable Huffman compression on zone data. # Currently saves around 20% of memory actually used, but slows down operation. # bind-enable-huffman ]]> {{settings.system.vmail_gid}} {{settings.system.vmail_uid}} password = dbname = hosts = query = SELECT destination FROM mail_virtual AS v, panel_customers AS c WHERE c.customerid = v.customerid AND c.deactivated = 0 AND v.email = '%s' AND trim(v.destination) <> '' ]]> password = dbname = hosts = query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0 ]]> password = dbname = expansion_limit = 1 hosts = query = SELECT CONCAT(homedir,maildir) FROM mail_users WHERE email = '%s' ]]> password = dbname = hosts = query = SELECT DISTINCT username FROM mail_users WHERE email in ((SELECT mail_virtual.email_full FROM mail_virtual WHERE mail_virtual.email = '%s' UNION SELECT mail_virtual.destination FROM mail_virtual WHERE mail_virtual.email = '%s')); ]]> password = dbname = expansion_limit = 1 hosts = query = SELECT uid FROM mail_users WHERE email = '%s' ]]> password = dbname = expansion_limit = 1 hosts = query = SELECT gid FROM mail_users WHERE email = '%s' ]]> ]]> //service[@type='smtp']/general/commands[@index=1] //service[@type='smtp']/general/installs[@index=1] //service[@type='smtp']/general/commands[@index=2] mydestination = $myhostname, localhost.$mydomain, localhost #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, # mail.$mydomain, www.$mydomain, ftp.$mydomain # The default setting is 550 (reject mail) but it is safer to start # with 450 (try again later) until you are certain that your # local_recipient_maps settings are OK. # unknown_local_recipient_reject_code = 550 # The mailbox_command parameter specifies the optional external # command to use instead of mailbox delivery. The command is run as # the recipient with proper HOME, SHELL and LOGNAME environment settings. # Exception: delivery for root is done as $default_user. # # Other environment variables of interest: USER (recipient username), # EXTENSION (address extension), DOMAIN (domain part of address), # and LOCAL (the address localpart). # # Unlike other Postfix configuration parameters, the mailbox_command # parameter is not subjected to $parameter substitutions. This is to # make it easier to specify shell syntax (see example below). # # Avoid shell meta characters because they will force Postfix to run # an expensive shell process. Procmail alone is expensive enough. # # IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN # ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. # mailbox_command = /usr/lib/dovecot/deliver #mailbox_command = /usr/bin/procmail -a "$EXTENSION" # The debugger_command specifies the external command that is executed # when a Postfix daemon program is run with the -D option. # # Use "command .. & sleep 5" so that the debugger can attach before # the process marches on. If you use an X-based debugger, be sure to # set up your XAUTHORITY environment variable before starting Postfix. # debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 inet_protocols = ipv4 smtpd_helo_required = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_recipient smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unknown_helo_hostname, reject_unknown_recipient_domain, reject_unknown_sender_domain smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname # Postfix 2.10 requires this option. Postfix < 2.10 ignores this. # The option is intentionally left empty. smtpd_relay_restrictions = # Maximum size of Message in bytes (50MB) message_size_limit = 52428800 ## SASL Auth Settings smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $myhostname broken_sasl_auth_clients = yes ## Dovecot Settings for deliver, SASL Auth and virtual transport smtpd_sasl_type = dovecot virtual_transport = dovecot dovecot_destination_recipient_limit = 1 smtpd_sasl_path = private/auth # Virtual delivery settings virtual_mailbox_base = / virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_permissions.cf virtual_uid_maps = static: virtual_gid_maps = static: # Local delivery settings local_transport = local alias_maps = $alias_database # Default Mailbox size, is set to 0 which means unlimited! mailbox_size_limit = 0 virtual_mailbox_limit = 0 ### TLS settings ### ## TLS for outgoing mails from the server to another server smtp_tls_security_level = may smtp_tls_note_starttls_offer = yes ## TLS for incoming connections (clients or other mail servers) smtpd_tls_security_level = may smtpd_tls_cert_file = smtpd_tls_key_file = #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtp_use_tls = yes smtpd_use_tls = yes smtpd_tls_session_cache_timeout = 3600s ]]> //service[@type='smtp']/general/files[@index=0] //service[@type='smtp']/general/commands[@index=3] dbname= user= password=" user_query = SELECT CONCAT(homedir, maildir) AS home, CONCAT('maildir:', homedir, maildir) AS mail, uid, gid, CONCAT('*:storage=', quota, 'M') as quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') password_query = SELECT username AS user, password_enc AS password, CONCAT(homedir, maildir) AS userdb_home, uid AS userdb_uid, gid AS userdb_gid, CONCAT('maildir:', homedir, maildir) AS userdb_mail, CONCAT('*:storage=', quota, 'M') as userdb_quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') AND ((imap = 1 AND '%Ls' = 'imap') OR (pop3 = 1 AND '%Ls' = 'pop3') OR ((postfix = 'Y' AND '%Ls' = 'smtp') OR (postfix = 'Y' AND '%Ls' = 'sieve'))) iterate_query = "SELECT username AS user FROM mail_users WHERE (imap = 1 OR pop3 = 1)" ]]> ssl_key = < ssl_dh = protocol imap { mail_plugins = $mail_plugins quota imap_quota } pop3_logout_format = in=%i out=%o top=%t/%p, retr=%r/%b, del=%d/%m, size=%s plugin { sieve = file:~/sieve;active=~/.dovecot.sieve sieve_dir = ~/sieve } plugin { quota = maildir:User quota } ]]> //service[@type='mail']/general/installs[@index=1] //service[@type='mail']/general/files[@index=1] //service[@type='mail']/general/commands[@index=1] /dev/null]]> /etc/apt/sources.list.d/rspamd.list]]> > /etc/apt/sources.list.d/rspamd.list]]> //service[@type='antispam']/general/commands[@index=1] //service[@type='antispam']/general/installs[@index=1] //service[@type='antispam']/general/commands[@index=2] //service[@type='antispam']/general/files[@index=1] //service[@type='antispam']/general/commands[@index=3] " [ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=" chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key ]]> IdentLookups off ServerName " FTP Server" ServerType standalone DeferWelcome off DefaultServer on ShowSymlinks on TimeoutNoTransfer 600 TimeoutStalled 600 TimeoutIdle 1200 DisplayLogin welcome.msg DisplayChdir .message true ListOptions "-l" DenyFilter \*.*/ # Use this to jail all users in their homes # DefaultRoot ~ # Users require a valid shell listed in /etc/shells to login. # Use this directive to release that constrain. # RequireValidShell off # Port 21 is the standard FTP port. Port 21 # In some cases you have to specify passive ports range to by-pass # firewall limitations. Ephemeral ports can be used for that, but # feel free to use a more narrow range. # PassivePorts 49152 65534 # If your host was NATted, this option is useful in order to # allow passive transfers to work. You have to use your public # address and opening the passive ports used on your firewall as well. # MasqueradeAddress 1.2.3.4 # This is useful for masquerading address with dynamic IPs: # refresh any configured MasqueradeAddress directives every 8 hours # DynMasqRefresh 28800 # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 30 # Set the user and group that the server normally runs at. User proftpd Group nogroup # Umask 022 is a good standard umask to prevent new files and dirs # (second parm) from being group and world writable. Umask 022 022 # Normally, we want files to be overwritable. AllowOverwrite on # Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords: # PersistentPasswd off # This is required to use both PAM-based authentication and local passwords # AuthOrder mod_auth_pam.c* mod_auth_unix.c # Be warned: use of this directive impacts CPU average load! # Uncomment this if you like to see progress and transfer rate with ftpwho # in downloads. That is not needed for uploads rates. # # UseSendFile off TransferLog /var/log/proftpd/xferlog SystemLog /var/log/proftpd/proftpd.log # Logging onto /var/log/lastlog is enabled but set to off by default #UseLastlog on # In order to keep log file dates consistent after chroot, use timezone info # from /etc/localtime. If this is not set, and proftpd is configured to # chroot (e.g. DefaultRoot or ), it will use the non-daylight # savings timezone regardless of whether DST is in effect. #SetEnv TZ :/etc/localtime QuotaEngine on Ratios off # Delay engine reduces impact of the so-called Timing Attack described in # http://www.securityfocus.com/bid/11430/discuss # It is on by default. DelayEngine on ControlsEngine off ControlsMaxClients 2 ControlsLog /var/log/proftpd/controls.log ControlsInterval 5 ControlsSocket /var/run/proftpd/proftpd.sock AdminControlsEngine off # # Alternative authentication frameworks # #Include /etc/proftpd/ldap.conf Include /etc/proftpd/sql.conf # # This is used for FTPS connections # Include /etc/proftpd/tls.conf # # Useful to keep VirtualHost/VirtualRoot directives separated # #Include /etc/proftpd/virtuals.conf # A basic anonymous configuration, no upload directories. # # User ftp # Group nogroup # # We want clients to be able to login with "anonymous" as well as "ftp" # UserAlias anonymous ftp # # Cosmetic changes, all files belongs to ftp user # DirFakeUser on ftp # DirFakeGroup on ftp # # RequireValidShell off # # # Limit the maximum number of anonymous logins # MaxClients 10 # # # We want 'welcome.msg' displayed at login, and '.message' displayed # # in each newly chdired directory. # DisplayLogin welcome.msg # DisplayChdir .message # # # Limit WRITE everywhere in the anonymous chroot # # # DenyAll # # # # # Uncomment this if you're brave. # # # # # Umask 022 is a good standard umask to prevent new files and dirs # # # (second parm) from being group and world writable. # # Umask 022 022 # # # # DenyAll # # # # # # AllowAll # # # # # # # Include other custom configuration files Include /etc/proftpd/conf.d/ ]]> DefaultRoot ~ RequireValidShell off AuthOrder mod_sql.c # # Choose a SQL backend among MySQL or PostgreSQL. # Both modules are loaded in default configuration, so you have to specify the backend # or comment out the unused module in /etc/proftpd/modules.conf. # Use 'mysql' or 'postgres' as possible values. # SQLBackend mysql # SQLEngine on SQLAuthenticate on # # Use both an encrypted or plaintext password SQLAuthTypes Crypt OpenSSL SQLAuthenticate users* groups* # # Connection SQLConnectInfo @ # # Describes both users/groups tables # SQLUserInfo ftp_users username password uid gid homedir shell SQLGroupInfo ftp_groups groupname gid members # SQLUserWhereClause "login_enabled = 'y'" SQLLog PASS login SQLNamedQuery login UPDATE "last_login=now(), login_count=login_count+1 WHERE username='%u'" ftp_users SQLLog RETR download SQLNamedQuery download UPDATE "down_count=down_count+1, down_bytes=down_bytes+%b WHERE username='%u'" ftp_users SQLLog STOR upload SQLNamedQuery upload UPDATE "up_count=up_count+1, up_bytes=up_bytes+%b WHERE username='%u'" ftp_users QuotaEngine on QuotaShowQuotas on QuotaDisplayUnits Mb QuotaLock /var/lock/ftpd.quotatab.lock QuotaLimitTable sql:/get-quota-limit QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimits.quota_type, ftp_quotalimits.per_session, ftp_quotalimits.limit_type, panel_customers.diskspace*1024 AS bytes_in_avail, ftp_quotalimits.bytes_out_avail, ftp_quotalimits.bytes_xfer_avail, ftp_quotalimits.files_in_avail, ftp_quotalimits.files_out_avail, ftp_quotalimits.files_xfer_avail FROM ftp_users, ftp_quotalimits, panel_customers WHERE ftp_users.username = '%{0}' AND panel_customers.loginname = SUBSTRING_INDEX('%{0}', 'ftp', 1) AND quota_type ='%{1}'" SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies ]]> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol TLSv1.2 TLSv1.3 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key # TLSCACertificateFile TLSOptions NoSessionReuseRequired TLSVerifyClient off # Are clients required to use FTP over TLS when talking to this server? TLSRequired on # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotiations. Some clients do not support # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these # clients will close the data connection, or there will be a timeout # on an idle data connection. # #TLSRenegotiate required off ]]> From 127.0.0.1 MaxLoginAttempts 3 BanEngine off BanEngine on BanLog /var/log/proftpd/ban.log BanTable /etc/proftpd/ban.tab BanMessage "User %u was banned." BanOnEvent ClientConnectRate 10/00:00:02 02:00:00 "Stop connecting frequently" BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00 BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99 BanControlsACLs all allow user root BanEngine off DelayEngine off ]]> " openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072 chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem ]]> # Mandatory : user password. You must have a password. MYSQLPassword # Mandatory : database to open. MYSQLDatabase # Mandatory : how passwords are stored # Valid values are : "cleartext", "crypt", "sha1", "md5" and "password" # ("password" = MySQL password() function) # You can also use "any" to try "crypt", "sha1", "md5" *and* "password" MYSQLCrypt any # In the following directives, parts of the strings are replaced at # run-time before performing queries : # # \L is replaced by the login of the user trying to authenticate. # \I is replaced by the IP address the user connected to. # \P is replaced by the port number the user connected to. # \R is replaced by the IP address the user connected from. # \D is replaced by the remote IP address, as a long decimal number. # # Very complex queries can be performed using these substitution strings, # especially for virtual hosting. # Query to execute in order to fetch the password MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y" # Query to execute in order to fetch the system user name or uid MYSQLGetUID SELECT uid FROM ftp_users WHERE username="\L" AND login_enabled="y" # Optional : default UID - if set this overrides MYSQLGetUID #MYSQLDefaultUID 1000 # Query to execute in order to fetch the system user group or gid MYSQLGetGID SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled="y" # Optional : default GID - if set this overrides MYSQLGetGID #MYSQLDefaultGID 1000 # Query to execute in order to fetch the home directory MYSQLGetDir SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y" # Optional : query to get the maximal number of files # Pure-FTPd must have been compiled with virtual quotas support. # MySQLGetQTAFS SELECT QuotaFiles FROM users WHERE User='\L' # Optional : query to get the maximal disk usage (virtual quotas) # The number should be in Megabytes. # Pure-FTPd must have been compiled with virtual quotas support. MySQLGetQTASZ SELECT CASE WHEN panel_customers.diskspace = 0 THEN -1 WHEN panel_customers.diskspace <= -1 THEN 0 ELSE panel_customers.diskspace/1024 END AS QuotaSize FROM panel_customers, ftp_users WHERE username = "\L" AND panel_customers.loginname = SUBSTRING_INDEX('\L', 'ftp', 1) # Optional : ratios. The server has to be compiled with ratio support. # MySQLGetRatioUL SELECT ULRatio FROM users WHERE User='\L' # MySQLGetRatioDL SELECT DLRatio FROM users WHERE User='\L' # Optional : bandwidth throttling. # The server has to be compiled with throttling support. # Values are in KB/s . # MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User='\L' # MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L' # Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS : # 1) You know what you are doing. # 2) Real and virtual users match. # MySQLForceTildeExpansion 1 # If you're using a transactionnal storage engine, you can enable SQL # transactions to avoid races. Leave this commented if you are using the # traditional MyIsam engine. # MySQLTransactions On ]]> //service[@type='smtp']/general/commands[@index=3] *.log { missingok daily rotate 7 compress delaycompress notifempty create sharedscripts postrotate > /dev/null 2>&1 || true endscript } ]]> {{settings.system.mod_fcgid_ownvhost}} {{settings.system.webserver}} {{settings.system.webserver}} {{settings.phpfpm.enabled_ownvhost}} {{settings.phpfpm.vhost_httpuser}} {{settings.system.webserver}} {{settings.phpfpm.enabled_ownvhost}} {{settings.system.webserver}} bin/froxlor-cli /usr/local/bin/froxlor-cli]]> bin/froxlor-cli froxlor:cron --run-task 99]]>