{{settings.system.apacheconf_vhost}} {{settings.system.apacheconf_vhost}} {{settings.system.apacheconf_diroptions}} {{settings.system.apacheconf_diroptions}} {{settings.system.deactivateddocroot}} //service[@type='http']/general/commands {{settings.system.use_ssl}} {{settings.phpfpm.enabled}} FastCgiIpcDir Order Deny,Allow Deny from All # Prevent accessing this path directly Allow from env=REDIRECT_STATUS ]]> {{settings.system.leenabled}} Order allow,deny Allow from all ]]> //service[@type='http']/general/commands {{settings.system.use_ssl}} {{settings.phpfpm.enabled}} FastCgiIpcDir Require all granted Require env REDIRECT_STATUS ]]> {{settings.system.leenabled}} Require all granted ]]> " server.port = 80 server.bind = "" url.access-deny = ("~", ".inc") fastcgi.server = ( ".php" => ( "localhost" => ( "socket" => "/tmp/lighttpd-fcgi-sock-lighttpd", "broken-scriptfilename" => "enable", "bin-path" => "/usr/bin/php5-cgi", "min-procs" => 1, "max-procs" => 1, "max-load-per-proc" => 4, "idle-timeout" => 60, "bin-environment" => ( "UID" => "www-data", "GID" => "www-data", "PHP_FCGI_CHILDREN" => "0", "PHP_FCGI_MAX_REQUESTS" => "10000" ), "bin-copy-environment" => ( "" ) ) ) ) alias.url += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/") #### external configuration files ## mimetype mapping include_shell "/usr/share/lighttpd/create-mime.assign.pl" ]]> //service[@type='http']/general/commands {{settings.system.apacheconf_vhost}} > /etc/lighttpd/lighttpd.conf]]> {{settings.system.apacheconf_vhost}} > /etc/lighttpd/lighttpd.conf]]> {{settings.system.apacheconf_diroptions}} > /etc/lighttpd/lighttpd.conf]]> {{settings.system.apacheconf_diroptions}} > /etc/lighttpd/lighttpd.conf]]> {{settings.phpfpm.enabled}} {{settings.system.mod_fcgid}} {{settings.system.leenabled}} {{settings.phpfpm.enabled}} {{settings.system.mod_fcgid}} //service[@type='http']/general/commands {{settings.phpfpm.enabled}} {{settings.system.mod_fcgid}} > /etc/bind/named.conf]]> # add these entries to the list if any speficied: allow-recursion=127.0.0.1 config-dir=/etc/powerdns daemon=yes guardian=yes lazy-recursion=yes local-port=53 master=yes module-dir=/usr/lib/powerdns setgid=pdns setuid=pdns socket-dir=/var/run version-string=powerdns include-dir=/etc/powerdns/froxlor/ ]]> # add these entries to the list if any speficied: allow-recursion=127.0.0.1 config-dir=/etc/powerdns daemon=yes guardian=yes launch=bind lazy-recursion=yes local-port=53 master=yes module-dir=/usr/lib/powerdns setgid=pdns setuid=pdns socket-dir=/var/run version-string=powerdns bind-config=named.conf bind-check-interval=300 include-dir=/etc/powerdns/froxlor/ ]]> # add these entries to the list if any speficied: #local-ipv6=YOUR_IPv6_(if_any) bind-config=named.conf bind-check-interval=180 log-dns-details=yes local-address=,127.0.0.1 ]]> {{settings.system.vmail_gid}} {{settings.system.vmail_uid}} password = dbname = hosts = query = SELECT destination FROM mail_virtual WHERE email = '%s' AND trim(destination) <> '' ]]> password = dbname = hosts = query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' ]]> password = dbname = expansion_limit = 1 hosts = query = SELECT CONCAT(homedir,maildir) FROM mail_users WHERE email = '%s' ]]> password = dbname = hosts = query = SELECT DISTINCT username FROM mail_users WHERE email in ((SELECT mail_virtual.email_full FROM mail_virtual WHERE mail_virtual.email = '%s' UNION SELECT mail_virtual.destination FROM mail_virtual WHERE mail_virtual.email = '%s')); ]]> password = dbname = expansion_limit = 1 hosts = query = SELECT uid FROM mail_users WHERE email = '%s' ]]> password = dbname = expansion_limit = 1 hosts = query = SELECT gid FROM mail_users WHERE email = '%s' ]]> ]]> //service[@type='smtp']/general/commands[@index=1] //service[@type='smtp']/general/installs[@index=1] //service[@type='smtp']/general/commands[@index=2] # set myhostname to $mydomain because Froxlor alrady uses a FQDN myhostname = $mydomain mydestination = $myhostname, $mydomain, localhost.$myhostname, localhost.$mydomain, localhost mynetworks = 127.0.0.0/8 inet_interfaces = all append_dot_mydomain = no biff = no # Postfix performance settings default_destination_concurrency_limit = 20 local_destination_concurrency_limit = 2 # SMTPD Settings smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) smtpd_helo_required = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_recipient smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unknown_helo_hostname, reject_unknown_recipient_domain, reject_unknown_sender_domain smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname # Postfix 2.10 requires this option. Postfix < 2.10 ignores this. # The option is intentionally left empty. smtpd_relay_restrictions = # Maximum size of Message in bytes (50MB) message_size_limit = 52428800 ## SASL Auth Settings smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $myhostname broken_sasl_auth_clients = yes ## Dovecot Settings for deliver, SASL Auth and virtual transport smtpd_sasl_type = dovecot virtual_transport = dovecot dovecot_destination_recipient_limit = 1 smtpd_sasl_path = private/dovecot-auth # Virtual delivery settings virtual_mailbox_base = / virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender_permissions.cf virtual_uid_maps = static: virtual_gid_maps = static: # Local delivery settings local_transport = local alias_maps = $alias_database # Default Mailbox size, is set to 0 which means unlimited! mailbox_size_limit = 0 virtual_mailbox_limit = 0 ### TLS settings ### ## TLS for outgoing mails from the server to another server #smtp_tls_security_level = may #smtp_tls_note_starttls_offer = yes ## TLS for incoming connections (clients or other mail servers) #smtpd_tls_security_level = may #smtpd_tls_cert_file = /etc/ssl/server/.pem #smtpd_tls_key_file = $smtpd_tls_cert_file #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt #smtpd_tls_loglevel = 1 #smtpd_tls_received_header = yes debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 ]]> //service[@type='smtp']/general/files[@index=0] //service[@type='smtp']/general/commands[@index=3] //service[@type='smtp']/general/commands[@index=1] //service[@type='smtp']/general/installs[@index=1] //service[@type='smtp']/general/commands[@index=2] # should be different from $mydomain eg. "mail.$mydomain" myhostname = mail.$mydomain mydestination = $myhostname, $mydomain, localhost.$myhostname, localhost.$mydomain, localhost mynetworks = 127.0.0.0/8 inet_interfaces = all append_dot_mydomain = no biff = no # Postfix performance settings default_destination_concurrency_limit = 20 local_destination_concurrency_limit = 2 # SMTPD Settings smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) smtpd_helo_required = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_recipient smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unknown_helo_hostname, reject_unknown_recipient_domain, reject_unknown_sender_domain smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname # Postfix 2.10 requires this option. Postfix < 2.10 ignores this. # The option is intentionally left empty. smtpd_relay_restrictions = # Maximum size of Message in bytes (50MB) message_size_limit = 52428800 ## SASL Auth Settings smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $myhostname broken_sasl_auth_clients = yes # Virtual delivery settings virtual_mailbox_base = / virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender_permissions.cf virtual_uid_maps = static: virtual_gid_maps = static: # Local delivery settings local_transport = local alias_maps = $alias_database # Default Mailbox size, is set to 0 which means unlimited! mailbox_size_limit = 0 virtual_mailbox_limit = 0 ### TLS settings ### ## TLS for outgoing mails from the server to another server #smtp_tls_security_level = may #smtp_tls_note_starttls_offer = yes ## TLS for email client #smtpd_tls_security_level = may #smtpd_tls_cert_file = /etc/ssl/server/.pem #smtpd_tls_key_file = $smtpd_tls_cert_file #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt #smtpd_tls_loglevel = 1 #smtpd_tls_received_header = yes debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 ]]> //service[@type='smtp']/general/files[@index=0] sql_user: sql_passwd: sql_database: sql_select: SELECT password FROM mail_users WHERE username='%u@%r' OR email='%u@%r' ]]> //service[@type='smtp']/general/commands[@index=3] mail_plugins = sieve quota quota_full_tempfail = yes deliver_log_format = msgid=%m: %$ rejection_reason = Your message to <%t> was automatically rejected:%n%r } # Plugins configuration plugin { sieve=~/.dovecot.sieve sieve_dir=~/sieve quota = maildir } # Authentication configuration auth_mechanisms = plain login service auth { # Postfix smtp-auth unix_listener /var/spool/postfix/private/dovecot-auth { mode = 0660 user = postfix group = postfix } } ]]> to characters. For example "#@/@" means # that '#' and '/' characters are translated to '@'. #auth_username_translation = # Username formatting before it's looked up from databases. You can use # the standard variables here, eg. %Lu would lowercase the username, %n would # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into # "-AT-". This translation is done after auth_username_translation changes. #auth_username_format = # If you want to allow master users to log in by specifying the master # username within the normal username string (ie. not using SASL mechanism's # support for it), you can specify the separator character here. The format # is then . UW-IMAP uses "*" as the # separator, so that could be a good choice. #auth_master_user_separator = # Username to use for users logging in with ANONYMOUS SASL mechanism #auth_anonymous_username = anonymous # Maximum number of dovecot-auth worker processes. They're used to execute # blocking passdb and userdb queries (eg. MySQL and PAM). They're # automatically created and destroyed as needed. #auth_worker_max_count = 30 # Host name to use in GSSAPI principal names. The default is to use the # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab # entries. #auth_gssapi_hostname = # Kerberos keytab to use for the GSSAPI mechanism. Will use the system # default (usually /etc/krb5.keytab) if not specified. You may need to change # the auth service to run as root to be able to read this file. #auth_krb5_keytab = # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and # ntlm_auth helper. #auth_use_winbind = no # Path for Samba's ntlm_auth helper binary. #auth_winbind_helper_path = /usr/bin/ntlm_auth # Time to delay before replying to failed authentications. #auth_failure_delay = 2 secs # Require a valid SSL client certificate or the authentication fails. #auth_ssl_require_client_cert = no # Take the username from client's SSL certificate, using # X509_NAME_get_text_by_NID() which returns the subject's DN's # CommonName. #auth_ssl_username_from_cert = no # Space separated list of wanted authentication mechanisms: # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey # gss-spnego # NOTE: See also disable_plaintext_auth setting. auth_mechanisms = plain login ## ## Password and user databases ## # # Password database is used to verify user's password (and nothing more). # You can have multiple passdbs and userdbs. This is useful if you want to # allow both system users (/etc/passwd) and virtual users to login without # duplicating the system users into virtual database. # # # # User database specifies where mails are located and what user/group IDs # own them. For single-UID configuration use "static" userdb. # # #!include auth-deny.conf.ext #!include auth-master.conf.ext #!include auth-system.conf.ext !include auth-sql.conf.ext #!include auth-ldap.conf.ext #!include auth-passwdfile.conf.ext #!include auth-checkpassword.conf.ext #!include auth-vpopmail.conf.ext #!include auth-static.conf.ext ]]> dbname= user= password= default_pass_scheme = CRYPT password_query = SELECT username AS user, password_enc AS password, CONCAT(homedir, maildir) AS userdb_home, uid AS userdb_uid, gid AS userdb_gid, CONCAT('maildir:', homedir, maildir) AS userdb_mail, CONCAT('*:storage=', quota, 'M') as userdb_quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') AND ((imap = 1 AND '%Ls' = 'imap') OR (pop3 = 1 AND '%Ls' = 'pop3') OR ((postfix = 'Y' AND '%Ls' = 'smtp') OR (postfix = 'Y' AND '%Ls' = 'sieve'))) user_query = SELECT CONCAT(homedir, maildir) AS home, CONCAT('maildir:', homedir, maildir) AS mail, uid, gid, CONCAT('*:storage=', quota, 'M') as quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') iterate_query = SELECT username AS user FROM mail_users WHERE (imap = 1 OR pop3 = 1) ]]> MYSQL_USERNAME MYSQL_PASSWORD MYSQL_PORT 3306 MYSQL_DATABASE MYSQL_USER_TABLE mail_users MYSQL_CRYPT_PWFIELD password_enc MYSQL_UID_FIELD uid MYSQL_GID_FIELD gid MYSQL_LOGIN_FIELD username MYSQL_HOME_FIELD homedir MYSQL_MAILDIR_FIELD maildir MYSQL_QUOTA_FIELD (quota*1024*1024) MYSQL_AUXOPTIONS_FIELD CONCAT("allowimap=",imap,",allowpop3=",pop3) ]]> " [ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=" chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key ]]> FTP Server" ServerType standalone DeferWelcome off MultilineRFC2228 on DefaultServer on ShowSymlinks on TimeoutNoTransfer 600 TimeoutStalled 600 TimeoutIdle 1200 DisplayLogin welcome.msg DisplayChdir .message true ListOptions "-l" DenyFilter \*.*/ # Use this to jail all users in their homes # DefaultRoot ~ # Users require a valid shell listed in /etc/shells to login. # Use this directive to release that constrain. # RequireValidShell off # Port 21 is the standard FTP port. Port 21 # In some cases you have to specify passive ports range to by-pass # firewall limitations. Ephemeral ports can be used for that, but # feel free to use a more narrow range. # PassivePorts 49152 65534 # If your host was NATted, this option is useful in order to # allow passive tranfers to work. You have to use your public # address and opening the passive ports used on your firewall as well. # MasqueradeAddress 1.2.3.4 # This is useful for masquerading address with dynamic IPs: # refresh any configured MasqueradeAddress directives every 8 hours # DynMasqRefresh 28800 # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 30 # Set the user and group that the server normally runs at. User proftpd Group nogroup # Umask 022 is a good standard umask to prevent new files and dirs # (second parm) from being group and world writable. Umask 022 022 # Normally, we want files to be overwriteable. AllowOverwrite on # Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords: # PersistentPasswd off # This is required to use both PAM-based authentication and local passwords # AuthOrder mod_auth_pam.c* mod_auth_unix.c # Be warned: use of this directive impacts CPU average load! # Uncomment this if you like to see progress and transfer rate with ftpwho # in downloads. That is not needed for uploads rates. # # UseSendFile off TransferLog /var/log/proftpd/xferlog SystemLog /var/log/proftpd/proftpd.log # Allow up- and downloads to be continued AllowRetrieveRestart On AllowStoreRestart On QuotaEngine on Ratios off # Delay engine reduces impact of the so-called Timing Attack described in # http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02 # It is on by default. DelayEngine off ControlsEngine off ControlsMaxClients 2 ControlsLog /var/log/proftpd/controls.log ControlsInterval 5 ControlsSocket /var/run/proftpd/proftpd.sock AdminControlsEngine off # # Alternative authentication frameworks # #Include /etc/proftpd/ldap.conf Include /etc/proftpd/sql.conf # # This is used for FTPS connections # Include /etc/proftpd/tls.conf ]]> DefaultRoot ~ RequireValidShell off AuthOrder mod_sql.c SQLBackend mysql SQLEngine on SQLAuthenticate on SQLAuthTypes Crypt SQLAuthenticate users* groups* SQLConnectInfo @ SQLUserInfo ftp_users username password uid gid homedir shell SQLGroupInfo ftp_groups groupname gid members SQLUserWhereClause "login_enabled = 'y'" SQLLog PASS login SQLNamedQuery login UPDATE "last_login=now(), login_count=login_count+1 WHERE username='%u'" ftp_users SQLLog RETR download SQLNamedQuery download UPDATE "down_count=down_count+1, down_bytes=down_bytes+%b WHERE username='%u'" ftp_users SQLLog STOR upload SQLNamedQuery upload UPDATE "up_count=up_count+1, up_bytes=up_bytes+%b WHERE username='%u'" ftp_users QuotaEngine on QuotaShowQuotas on QuotaDisplayUnits Mb QuotaLock /var/lock/ftpd.quotatab.lock QuotaLimitTable sql:/get-quota-limit QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimits.quota_type, ftp_quotalimits.per_session, ftp_quotalimits.limit_type, panel_customers.diskspace*1024 AS bytes_in_avail, ftp_quotalimits.bytes_out_avail, ftp_quotalimits.bytes_xfer_avail, ftp_quotalimits.files_in_avail, ftp_quotalimits.files_out_avail, ftp_quotalimits.files_xfer_avail FROM ftp_users, ftp_quotalimits, panel_customers WHERE ftp_users.username = '%{0}' AND panel_customers.loginname = SUBSTRING_INDEX('%{0}', 'ftp', 1) AND quota_type ='%{1}'" SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies ]]> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol TLSv1 TLSv1.1 TLSv1.2 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key #TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt #TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key TLSOptions NoCertRequest NoSessionReuseRequired TLSVerifyClient off # Are clients required to use FTP over TLS when talking to this server? #TLSRequired on # Allow SSL/TLS renegotiations when the client requests them, but # do not force the renegotations. Some clients do not support # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these # clients will close the data connection, or there will be a timeout # on an idle data connection. # #TLSRenegotiate required off ]]> MYSQLUser MYSQLPassword MYSQLDatabase MYSQLCrypt any MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y" MYSQLGetUID SELECT uid FROM ftp_users WHERE username="\L" AND login_enabled="y" MYSQLGetGID SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled="y" MYSQLGetDir SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y" MySQLGetQTASZ SELECT panel_customers.diskspace/1024 AS QuotaSize FROM panel_customers, ftp_users WHERE username = "\L" AND panel_customers.loginname = SUBSTRING_INDEX('\L', 'ftp', 1) ]]> scripts/froxlor_master_cronjob.php ]]> database username password socket /var/run/mysqld/mysqld.sock ]]> {{sql.socket}} password ]]> *.log { missingok weekly rotate 4 compress delaycompress notifempty create sharedscripts postrotate > /dev/null 2>&1 || true endscript } ]]> {{settings.system.mod_fcgid_ownvhost}} {{settings.system.webserver}} {{settings.system.webserver}} {{settings.system.webserver}} {{settings.phpfpm.enabled_ownvhost}} {{settings.phpfpm.vhost_httpuser}} {{settings.system.webserver}} {{settings.phpfpm.enabled_ownvhost}} {{settings.system.webserver}}