maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity
Files
09038ac7aa59b657c09107831a7aa7b812e66e25
Froxlor/lib/configfiles/gentoo.xml
Stefan Weil 09038ac7aa Fix some typos (found by codespell) (#969) 
Signed-off-by: Stefan Weil <sw@weilnetz.de>
2021-07-31 09:51:54 +02:00

3873 lines
120 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<froxlor>
<distribution name="Gentoo" version="2.2"
defaulteditor="/usr/bin/nano">
<services>
<!-- HTTP -->
<service type="http" title="{{lng.admin.configfiles.http}}">
<!-- general HTTP commands -->
<general>
<commands index="1">
<command>
<visibility mode="isdir">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.apacheconf_vhost}}]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[touch {{settings.system.apacheconf_vhost}}]]></content>
</command>
<command><![CDATA[chown root:0 {{settings.system.apacheconf_vhost}}]]></command>
<command><![CDATA[chmod 0600 {{settings.system.apacheconf_vhost}}]]></command>
<command>
<visibility mode="isdir">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.apacheconf_diroptions}}]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[touch {{settings.system.apacheconf_diroptions}}]]></content>
</command>
<command><![CDATA[chown root:0 {{settings.system.apacheconf_diroptions}}]]></command>
<command><![CDATA[chmod 0600 {{settings.system.apacheconf_diroptions}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.documentroot_prefix}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.logfiles_directory}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_tmpdir}}]]></command>
<command><![CDATA[chmod 1777 {{settings.system.mod_fcgid_tmpdir}}]]></command>
<command>
<visibility mode="notempty">{{settings.system.deactivateddocroot}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
</command>
</commands>
</general>
<!-- HTTP Apache -->
<daemon name="apache" version="2.2" title="Apache 2.2"
default="true">
<install><![CDATA[emerge www-servers/apache]]></install>
<include>//service[@type='http']/general/commands</include>
<file name="/etc/apache2/modules.d/70_fastcgi.conf">
<visibility mode="true">{{settings.phpfpm.enabled}}
</visibility>
<content><![CDATA[
<IfModule mod_fastcgi.c>
FastCgiIpcDir <FPM_IPCDIR>
<Location "/fastcgiphp">
Order Deny,Allow
Deny from All
# Prevent accessing this path directly
Allow from env=REDIRECT_STATUS
</Location>
</IfModule>
]]>
</content>
</file>
<file name="{{settings.system.letsencryptacmeconf}}">
<visibility mode="true">{{settings.system.leenabled}}
</visibility>
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Order allow,deny
Allow from all
</Directory>
]]>
</content>
</file>
<command><![CDATA[rc-update add apache2 default]]></command>
<command><![CDATA[/etc/init.d/apache2 restart]]></command>
</daemon>
<daemon name="apache" version="2.4" title="Apache 2.4">
<include>//service[@type='http']/general/commands</include>
<file name="/etc/apache2/modules.d/70_fastcgi.conf">
<visibility mode="true">{{settings.phpfpm.enabled}}
</visibility>
<content><![CDATA[
<IfModule mod_fastcgi.c>
FastCgiIpcDir <FPM_IPCDIR>
<Location "/fastcgiphp">
Require all granted
Require env REDIRECT_STATUS
</Location>
</IfModule>
]]>
</content>
</file>
<file name="{{settings.system.letsencryptacmeconf}}">
<visibility mode="true">{{settings.system.leenabled}}
</visibility>
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Require all granted
</Directory>
]]>
</content>
</file>
<command><![CDATA[rc-update add apache2 default]]></command>
<command><![CDATA[/etc/init.d/apache2 restart]]></command>
</daemon>
<!-- HTTP Lighttpd -->
<daemon name="lighttpd" title="LigHTTPd">
<install><![CDATA[emerge www-servers/lighttpd]]></install>
<file name="/etc/lighttpd/lighttpd.conf">
<content><![CDATA[
###############################################################################
# Default lighttpd.conf for Froxlor.
###############################################################################
var.basedir = "/var/www"
var.logdir = "/var/log/lighttpd"
var.statedir = "/var/lib/lighttpd"
server.modules = (
"mod_rewrite",
"mod_redirect",
"mod_alias",
"mod_access",
"mod_auth",
"mod_fastcgi",
"mod_cgi",
"mod_setenv",
"mod_accesslog"
)
server.username = "lighttpd"
server.groupname = "lighttpd"
server.document-root = var.basedir
server.pid-file = "/var/run/lighttpd.pid"
accesslog.filename = var.logdir + "/access.log"
server.errorlog = var.logdir + "/error.log"
server.indexfiles = ("index.php", "index.html",
"index.htm", "default.htm")
server.name = "<SERVERNAME>"
server.port = 80
server.bind = "<SERVERIP>"
url.access-deny = ("~", ".inc")
include "mime-types.conf"
#include "mod_cgi.conf"
fastcgi.server = (
".php" => (
"localhost" => (
"socket" => "/tmp/lighttpd-fcgi-sock-lighttpd",
"broken-scriptfilename" => "enable",
"bin-path" => "/usr/bin/php-cgi",
"min-procs" => 1,
"max-procs" => 1,
"max-load-per-proc" => 4,
"idle-timeout" => 60,
"bin-environment" => (
"UID" => "lighttpd",
"GID" => "lighttpd",
"PHP_FCGI_CHILDREN" => "0",
"PHP_FCGI_MAX_REQUESTS" => "10000"
),
"bin-copy-environment" => ( "" )
)
)
)
alias.url += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
]]>
</content>
</file>
<include>//service[@type='http']/general/commands</include>
<command>
<visibility mode="isdir">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[echo -e '\\ninclude_shell "cat {{settings.system.apacheconf_vhost}}*.conf"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[echo -e '\\ninclude "{{settings.system.apacheconf_vhost}}"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isdir">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[echo -e '\\ninclude_shell "cat {{settings.system.apacheconf_diroptions}}*.conf"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[echo -e '\\ninclude "{{settings.system.apacheconf_diroptions}}"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command><![CDATA[rc-update add lighttpd default]]></command>
<command><![CDATA[/etc/init.d/lighttpd restart]]></command>
</daemon>
<!-- HTTP Nginx -->
<daemon name="nginx" title="nginx">
<install><![CDATA[emerge www-servers/nginx]]></install>
<file name="/etc/nginx/nginx.conf">
<content><![CDATA[
user nginx;
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
sendfile on;
tcp_nodelay on;
keepalive_timeout 65;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
]]>
</content>
</file>
<file name="/etc/nginx/fastcgi_params">
<content><![CDATA[
fastcgi_connect_timeout 65;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
]]>
</content>
</file>
<file name="{{settings.system.letsencryptacmeconf}}">
<visibility mode="true">{{settings.system.leenabled}}
</visibility>
<content><![CDATA[
location /.well-known/acme-challenge {
alias {{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge;
location ~ /.well-known/acme-challenge/(.*) {
default_type text/plain;
}
}
]]>
</content>
</file>
<file name="/etc/init.d/php-fcgi" chmod="u+x">
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[
#!/bin/bash
BIND="127.0.0.1:8888"
USER="nginx"
PHP_FCGI_CHILDREN="15"
PHP_FCGI_MAX_REQUESTS="1000"
PHP_CGI="/usr/bin/php-cgi"
PHP_CGI_NAME="$(basename ${PHP_CGI})"
PHP_CGI_ARGS="- USER=${USER} PATH=/usr/bin PHP_FCGI_CHILDREN=${PHP_FCGI_CHILDREN} PHP_FCGI_MAX_REQUESTS=${PHP_FCGI_MAX_REQUESTS} ${PHP_CGI} -b ${BIND}"
RETVAL="0"
start() {
echo -n "Starting PHP FastCGI: "
start-stop-daemon --quiet --start --background --chuid "$USER" --exec /usr/bin/env -- $PHP_CGI_ARGS
RETVAL="$?"
echo "${PHP_CGI_NAME}."
}
stop() {
echo -n "Stopping PHP FastCGI: "
killall -q -w -u ${USER} ${PHP_CGI}
RETVAL="$?"
echo "${PHP_CGI_NAME}."
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo "Usage: php-fastcgi {start|stop|restart}"
exit 1
;;
esac
exit "$RETVAL"
]]>
</content>
</file>
<include>//service[@type='http']/general/commands</include>
<command>
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[rc-update add php-fcgi default]]></content>
</command>
<command>
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[/etc/init.d/php-fcgi restart]]></content>
</command>
<command><![CDATA[rc-update add nginx default]]></command>
<command><![CDATA[/etc/init.d/nginx restart]]></command>
</daemon>
</service>
<!--DNS -->
<service type="dns" title="{{lng.admin.configfiles.dns}}">
<!--Bind9 -->
<daemon name="bind" title="Bind9 nameserver" default="true">
<install><![CDATA[emerge net-dns/bind]]></install>
<file name="/etc/bind/default.zone">
<content><![CDATA[
$TTL 1W
@ IN SOA ns root (
2015020101 ; serial
8H ; refresh
2H ; retry
1W ; expiry
11h) ; minimum
IN NS ns
IN MX 10 mail
IN A <SERVERIP>
IN MX 10 mail
* IN A <SERVERIP>
IN MX 10 mail
ns IN A <SERVERIP>
mail IN A <SERVERIP>
IN MX 10 mail
]]>
</content>
</file>
<command><![CDATA[echo "include \"{{settings.system.bindconf_directory}}froxlor_bind.conf\";" >> /etc/bind/named.conf]]></command>
<command><![CDATA[touch {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[chown named:0 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[chmod 0644 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[rc-update add named default]]></command>
<command><![CDATA[/etc/init.d/named restart]]></command>
</daemon>
<daemon name="powerdns" title="PowerDNS (standalone)">
<install><![CDATA[emerge net-dns/pdns]]></install>
<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
<content><![CDATA[
# Autogenerated configuration file template
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
#################################
# also-notify When notifying a domain, also notify these nameservers
#
# also-notify=
#################################
# any-to-tcp Answer ANY queries with tc=1, shunting to TCP
#
# any-to-tcp=no
#################################
# cache-ttl Seconds to store packets in the PacketCache
#
# cache-ttl=20
#################################
# carbon-interval Number of seconds between carbon (graphite) updates
#
# carbon-interval=30
#################################
# carbon-ourname If set, overrides our reported hostname for carbon stats
#
# carbon-ourname=
#################################
# carbon-server If set, send metrics in carbon (graphite) format to this server
#
# carbon-server=
#################################
# chroot If set, chroot to this directory for more security
#
# chroot=
#################################
# config-dir Location of configuration directory (pdns.conf)
#
config-dir=/etc/powerdns
#################################
# config-name Name of this virtual configuration - will rename the binary image
#
# config-name=
#################################
# control-console Debugging switch - don't use
#
# control-console=no
#################################
# daemon Operate as a daemon
#
daemon=yes
#################################
# default-ksk-algorithms Default KSK algorithms
#
# default-ksk-algorithms=rsasha256
#################################
# default-ksk-size Default KSK size (0 means default)
#
# default-ksk-size=0
#################################
# default-soa-mail mail address to insert in the SOA record if none set in the backend
#
# default-soa-mail=
#################################
# default-soa-name name to insert in the SOA record if none set in the backend
#
# default-soa-name=a.misconfigured.powerdns.server
#################################
# default-ttl Seconds a result is valid if not set otherwise
#
# default-ttl=3600
#################################
# default-zsk-algorithms Default ZSK algorithms
#
# default-zsk-algorithms=rsasha256
#################################
# default-zsk-size Default ZSK size (0 means default)
#
# default-zsk-size=0
#################################
# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis
#
# direct-dnskey=no
#################################
# disable-axfr Disable zonetransfers but do allow TCP queries
#
# disable-axfr=no
#################################
# disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing.
#
# disable-axfr-rectify=no
#################################
# disable-tcp Do not listen to TCP queries
#
# disable-tcp=no
#################################
# distributor-threads Default number of Distributor (backend) threads to start
#
# distributor-threads=3
#################################
# do-ipv6-additional-processing Do AAAA additional processing
#
# do-ipv6-additional-processing=yes
#################################
# edns-subnet-processing If we should act on EDNS Subnet options
#
# edns-subnet-processing=no
#################################
# entropy-source If set, read entropy from this file
#
# entropy-source=/dev/urandom
#################################
# experimental-api-key REST API Static authentication key (required for API use)
#
# experimental-api-key=
#################################
# experimental-api-readonly If the JSON API should disallow data modification
#
# experimental-api-readonly=no
#################################
# experimental-dname-processing If we should support DNAME records
#
# experimental-dname-processing=no
#################################
# experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# experimental-dnsupdate=no
#################################
# experimental-json-interface If the webserver should serve JSON data
#
# experimental-json-interface=no
#################################
# experimental-logfile Filename of the log file for JSON parser
#
# experimental-logfile=/var/log/pdns.log
#################################
# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
#
# forward-dnsupdate=yes
#################################
# guardian Run within a guardian process
#
guardian=yes
#################################
# include-dir Include *.conf files from this directory
#
# include-dir=
#################################
# launch Which backends to launch and order to query them in
#
# launch=
#################################
# load-modules Load this module - supply absolute or relative path
#
# load-modules=
#################################
# local-address Local IP addresses to which we bind
#
local-address=<SERVERIP>,127.0.0.1
#################################
# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server
#
# local-address-nonexist-fail=yes
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=
#################################
# local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server
#
# local-ipv6-nonexist-fail=yes
#################################
# local-port The port on which we listen
#
local-port=53
#################################
# log-dns-details If PDNS should log DNS non-erroneous details
#
log-dns-details=yes
#################################
# log-dns-queries If PDNS should log all incoming DNS queries
#
# log-dns-queries=no
#################################
# logging-facility Log under a specific facility
#
# logging-facility=
#################################
# loglevel Amount of logging. Higher is more. Do not set below 3
#
# loglevel=4
#################################
# lua-prequery-script Lua script with prequery handler
#
# lua-prequery-script=
#################################
# master Act as a master
#
master=yes
#################################
# max-cache-entries Maximum number of cache entries
#
# max-cache-entries=1000000
#################################
# max-ent-entries Maximum number of empty non-terminals in a zone
#
# max-ent-entries=100000
#################################
# max-nsec3-iterations Limit the number of NSEC3 hash iterations
#
# max-nsec3-iterations=500
#################################
# max-queue-length Maximum queuelength before considering situation lost
#
# max-queue-length=5000
#################################
# max-signature-cache-entries Maximum number of signatures cache entries
#
# max-signature-cache-entries=
#################################
# max-tcp-connections Maximum number of TCP connections
#
# max-tcp-connections=10
#################################
# module-dir Default directory for modules
#
module-dir=/usr/lib/powerdns/pdns/
#################################
# negquery-cache-ttl Seconds to store negative query results in the QueryCache
#
# negquery-cache-ttl=60
#################################
# no-shuffle Set this to prevent random shuffling of answers - for regression testing
#
# no-shuffle=off
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
#################################
# out-of-zone-additional-processing Do out of zone additional processing
#
# out-of-zone-additional-processing=yes
#################################
# overload-queue-length Maximum queuelength moving to packetcache only
#
# overload-queue-length=0
#################################
# pipebackend-abi-version Version of the pipe backend ABI
#
# pipebackend-abi-version=1
#################################
# prevent-self-notification Don't send notifications to what we think is ourself
#
# prevent-self-notification=yes
#################################
# query-cache-ttl Seconds to store query results in the QueryCache
#
# query-cache-ttl=20
#################################
# query-local-address Source IP address for sending queries
#
# query-local-address=0.0.0.0
#################################
# query-local-address6 Source IPv6 address for sending queries
#
# query-local-address6=::
#################################
# query-logging Hint backends that queries should be logged
#
# query-logging=no
#################################
# queue-limit Maximum number of milliseconds to queue a query
#
# queue-limit=1500
#################################
# receiver-threads Default number of receiver threads to start
#
# receiver-threads=1
#################################
# retrieval-threads Number of AXFR-retrieval threads for slave operation
#
# retrieval-threads=2
#################################
# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
#
# reuseport=no
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
#################################
# send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority
#
# send-root-referral=no
#################################
# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
#
# server-id=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns
#################################
# signing-threads Default number of signer threads to start
#
# signing-threads=3
#################################
# slave Act as a slave
#
# slave=no
#################################
# slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds
#
# slave-cycle-interval=60
#################################
# slave-renotify If we should send out notifications for slaved updates
#
# slave-renotify=no
#################################
# soa-expire-default Default SOA expire
#
# soa-expire-default=604800
#################################
# soa-minimum-ttl Default SOA minimum ttl
#
# soa-minimum-ttl=3600
#################################
# soa-refresh-default Default SOA refresh
#
# soa-refresh-default=10800
#################################
# soa-retry-default Default SOA retry
#
# soa-retry-default=3600
#################################
# socket-dir Where the controlsocket will live
#
socket-dir=/var/run
#################################
# tcp-control-address If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-address=
#################################
# tcp-control-port If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-port=53000
#################################
# tcp-control-range If set, remote control of PowerDNS is possible over these networks only
#
# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
#################################
# tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret
#
# tcp-control-secret=
#################################
# traceback-handler Enable the traceback handler (Linux only)
#
# traceback-handler=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
#################################
# udp-truncation-threshold Maximum UDP response size before we truncate
#
# udp-truncation-threshold=1680
#################################
# version-string PowerDNS version in packets - full, anonymous, powerdns or custom
#
version-string=powerdns
#################################
# webserver Start a webserver for monitoring
#
# webserver=no
#################################
# webserver-address IP Address of webserver to listen on
#
# webserver-address=127.0.0.1
#################################
# webserver-allow-from Webserver access is only allowed from these subnets
#
# webserver-allow-from=0.0.0.0/0,::/0
#################################
# webserver-password Password required for accessing the webserver
#
# webserver-password=
#################################
# webserver-port Port of webserver to listen on
#
# webserver-port=8081
#################################
# webserver-print-arguments If the webserver should print arguments
#
# webserver-print-arguments=no
# include froxlor-specific config
include-dir=/etc/powerdns/froxlor/
]]>
</content>
</file>
<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
chown="root:root" chmod="600">
<content><![CDATA[
# mysql-settings / you need to create the power-dns database for yourself!
launch=gmysql
gmysql-host=127.0.0.1
gmysql-port=3306
gmysql-dbname=pdns
gmysql-user=powerdns
gmysql-group=client
gmysql-password=
]]>
</content>
</file>
<command><![CDATA[/etc/init.d/pdns restart]]></command>
</daemon>
<daemon name="powerdns_bind"
title="PowerDNS via bind-backend">
<install><![CDATA[emerge net-dns/pdns]]></install>
<file name="/etc/powerdns/pdns.conf" backup="true" chmod="600">
<content><![CDATA[
# Autogenerated configuration file template
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
# add these entries to the list if any specified: <AXFRSERVERS>
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
#################################
# also-notify When notifying a domain, also notify these nameservers
#
# also-notify=
#################################
# any-to-tcp Answer ANY queries with tc=1, shunting to TCP
#
# any-to-tcp=no
#################################
# cache-ttl Seconds to store packets in the PacketCache
#
# cache-ttl=20
#################################
# carbon-interval Number of seconds between carbon (graphite) updates
#
# carbon-interval=30
#################################
# carbon-ourname If set, overrides our reported hostname for carbon stats
#
# carbon-ourname=
#################################
# carbon-server If set, send metrics in carbon (graphite) format to this server
#
# carbon-server=
#################################
# chroot If set, chroot to this directory for more security
#
# chroot=
#################################
# config-dir Location of configuration directory (pdns.conf)
#
config-dir=/etc/powerdns
#################################
# config-name Name of this virtual configuration - will rename the binary image
#
# config-name=
#################################
# control-console Debugging switch - don't use
#
# control-console=no
#################################
# daemon Operate as a daemon
#
daemon=yes
#################################
# default-ksk-algorithms Default KSK algorithms
#
# default-ksk-algorithms=rsasha256
#################################
# default-ksk-size Default KSK size (0 means default)
#
# default-ksk-size=0
#################################
# default-soa-mail mail address to insert in the SOA record if none set in the backend
#
# default-soa-mail=
#################################
# default-soa-name name to insert in the SOA record if none set in the backend
#
# default-soa-name=a.misconfigured.powerdns.server
#################################
# default-ttl Seconds a result is valid if not set otherwise
#
# default-ttl=3600
#################################
# default-zsk-algorithms Default ZSK algorithms
#
# default-zsk-algorithms=rsasha256
#################################
# default-zsk-size Default ZSK size (0 means default)
#
# default-zsk-size=0
#################################
# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis
#
# direct-dnskey=no
#################################
# disable-axfr Disable zonetransfers but do allow TCP queries
#
disable-axfr=yes
#################################
# disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing.
#
# disable-axfr-rectify=no
#################################
# disable-tcp Do not listen to TCP queries
#
# disable-tcp=no
#################################
# distributor-threads Default number of Distributor (backend) threads to start
#
# distributor-threads=3
#################################
# do-ipv6-additional-processing Do AAAA additional processing
#
# do-ipv6-additional-processing=yes
#################################
# edns-subnet-processing If we should act on EDNS Subnet options
#
# edns-subnet-processing=no
#################################
# entropy-source If set, read entropy from this file
#
# entropy-source=/dev/urandom
#################################
# experimental-api-key REST API Static authentication key (required for API use)
#
# experimental-api-key=
#################################
# experimental-api-readonly If the JSON API should disallow data modification
#
# experimental-api-readonly=no
#################################
# experimental-dname-processing If we should support DNAME records
#
# experimental-dname-processing=no
#################################
# experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# experimental-dnsupdate=no
#################################
# experimental-json-interface If the webserver should serve JSON data
#
# experimental-json-interface=no
#################################
# experimental-logfile Filename of the log file for JSON parser
#
# experimental-logfile=/var/log/pdns.log
#################################
# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
#
# forward-dnsupdate=yes
#################################
# guardian Run within a guardian process
#
guardian=yes
#################################
# include-dir Include *.conf files from this directory
#
# include-dir=
#################################
# launch Which backends to launch and order to query them in
#
launch=bind
#################################
# load-modules Load this module - supply absolute or relative path
#
# load-modules=
#################################
# local-address Local IP addresses to which we bind
#
local-address=<SERVERIP>,127.0.0.1
#################################
# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server
#
# local-address-nonexist-fail=yes
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=
#################################
# local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server
#
# local-ipv6-nonexist-fail=yes
#################################
# local-port The port on which we listen
#
local-port=53
#################################
# log-dns-details If PDNS should log DNS non-erroneous details
#
log-dns-details=yes
#################################
# log-dns-queries If PDNS should log all incoming DNS queries
#
# log-dns-queries=no
#################################
# logging-facility Log under a specific facility
#
# logging-facility=
#################################
# loglevel Amount of logging. Higher is more. Do not set below 3
#
# loglevel=4
#################################
# lua-prequery-script Lua script with prequery handler
#
# lua-prequery-script=
#################################
# master Act as a master
#
master=yes
#################################
# max-cache-entries Maximum number of cache entries
#
# max-cache-entries=1000000
#################################
# max-ent-entries Maximum number of empty non-terminals in a zone
#
# max-ent-entries=100000
#################################
# max-nsec3-iterations Limit the number of NSEC3 hash iterations
#
# max-nsec3-iterations=500
#################################
# max-queue-length Maximum queuelength before considering situation lost
#
# max-queue-length=5000
#################################
# max-signature-cache-entries Maximum number of signatures cache entries
#
# max-signature-cache-entries=
#################################
# max-tcp-connections Maximum number of TCP connections
#
# max-tcp-connections=10
#################################
# module-dir Default directory for modules
#
module-dir=/usr/lib/powerdns/pdns/
#################################
# negquery-cache-ttl Seconds to store negative query results in the QueryCache
#
# negquery-cache-ttl=60
#################################
# no-shuffle Set this to prevent random shuffling of answers - for regression testing
#
# no-shuffle=off
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
#################################
# out-of-zone-additional-processing Do out of zone additional processing
#
# out-of-zone-additional-processing=yes
#################################
# overload-queue-length Maximum queuelength moving to packetcache only
#
# overload-queue-length=0
#################################
# pipebackend-abi-version Version of the pipe backend ABI
#
# pipebackend-abi-version=1
#################################
# prevent-self-notification Don't send notifications to what we think is ourself
#
# prevent-self-notification=yes
#################################
# query-cache-ttl Seconds to store query results in the QueryCache
#
# query-cache-ttl=20
#################################
# query-local-address Source IP address for sending queries
#
# query-local-address=0.0.0.0
#################################
# query-local-address6 Source IPv6 address for sending queries
#
# query-local-address6=::
#################################
# query-logging Hint backends that queries should be logged
#
# query-logging=no
#################################
# queue-limit Maximum number of milliseconds to queue a query
#
# queue-limit=1500
#################################
# receiver-threads Default number of receiver threads to start
#
# receiver-threads=1
#################################
# retrieval-threads Number of AXFR-retrieval threads for slave operation
#
# retrieval-threads=2
#################################
# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
#
# reuseport=no
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
#################################
# send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority
#
# send-root-referral=no
#################################
# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
#
# server-id=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns
#################################
# signing-threads Default number of signer threads to start
#
# signing-threads=3
#################################
# slave Act as a slave
#
# slave=no
#################################
# slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds
#
# slave-cycle-interval=60
#################################
# slave-renotify If we should send out notifications for slaved updates
#
# slave-renotify=no
#################################
# soa-expire-default Default SOA expire
#
# soa-expire-default=604800
#################################
# soa-minimum-ttl Default SOA minimum ttl
#
# soa-minimum-ttl=3600
#################################
# soa-refresh-default Default SOA refresh
#
# soa-refresh-default=10800
#################################
# soa-retry-default Default SOA retry
#
# soa-retry-default=3600
#################################
# socket-dir Where the controlsocket will live
#
socket-dir=/var/run
#################################
# tcp-control-address If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-address=
#################################
# tcp-control-port If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-port=53000
#################################
# tcp-control-range If set, remote control of PowerDNS is possible over these networks only
#
# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
#################################
# tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret
#
# tcp-control-secret=
#################################
# traceback-handler Enable the traceback handler (Linux only)
#
# traceback-handler=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
#################################
# udp-truncation-threshold Maximum UDP response size before we truncate
#
# udp-truncation-threshold=1680
#################################
# version-string PowerDNS version in packets - full, anonymous, powerdns or custom
#
version-string=powerdns
#################################
# webserver Start a webserver for monitoring
#
# webserver=no
#################################
# webserver-address IP Address of webserver to listen on
#
# webserver-address=127.0.0.1
#################################
# webserver-allow-from Webserver access is only allowed from these subnets
#
# webserver-allow-from=0.0.0.0/0,::/0
#################################
# webserver-password Password required for accessing the webserver
#
# webserver-password=
#################################
# webserver-port Port of webserver to listen on
#
# webserver-port=8081
#################################
# webserver-print-arguments If the webserver should print arguments
#
# webserver-print-arguments=no
# include froxlor-bind-specific config
include-dir=/etc/powerdns/froxlor/
]]>
</content>
</file>
<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
chown="root:root" chmod="600">
<content><![CDATA[
#local-ipv6=YOUR_IPv6_(if_any)
bind-config=<BIND_CONFIG_PATH>named.conf
bind-check-interval=180
]]>
</content>
</file>
<command><![CDATA[/etc/init.d/pdns restart]]></command>
</daemon>
</service>
<!-- SMTP services -->
<service type="smtp" title="{{lng.admin.configfiles.smtp}}">
<!-- general SMTP commands -->
<general>
<commands index="1">
<command>
<visibility mode="groupnotexists">{{settings.system.vmail_gid}}
</visibility>
<content><![CDATA[groupadd -g {{settings.system.vmail_gid}} vmail]]></content>
</command>
<command>
<visibility mode="usernotexists">{{settings.system.vmail_uid}}
</visibility>
<content><![CDATA[useradd -u {{settings.system.vmail_uid}} -g vmail vmail]]></content>
</command>
</commands>
<installs index="1">
<install><![CDATA[emerge mail-mta/postfix]]></install>
</installs>
<commands index="2">
<command><![CDATA[mkdir -p {{settings.system.vmail_homedir}}]]></command>
<command><![CDATA[chown -R {{settings.system.vmail_uid}}:{{settings.system.vmail_gid}} {{settings.system.vmail_homedir}}]]></command>
<command><![CDATA[chmod 0750 {{settings.system.vmail_homedir}}]]></command>
</commands>
<files index="0">
<file name="/etc/postfix/mysql-virtual_alias_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT destination FROM mail_virtual AS v, panel_customers AS c WHERE c.customerid = v.customerid AND c.deactivated = 0 AND v.email = '%s' AND trim(v.destination) <> ''
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_mailbox_domains.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1'
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_mailbox_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT CONCAT(homedir,maildir) FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_sender_permissions.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT DISTINCT username FROM mail_users WHERE email in ((SELECT mail_virtual.email_full FROM mail_virtual WHERE mail_virtual.email = '%s' UNION SELECT mail_virtual.destination FROM mail_virtual WHERE mail_virtual.email = '%s'));
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_uid_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT uid FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_gid_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT gid FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/mail/aliases" backup="true">
<content><![CDATA[
# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
# change this to a valid e-mail address you can access
root: root@<SERVERNAME>
]]>
</content>
</file>
</files>
<commands index="3">
<command><![CDATA[newaliases]]></command>
<command><![CDATA[rc-update add postfix default]]></command>
<command><![CDATA[/etc/init.d/postfix restart]]></command>
</commands>
</general>
<!-- postfix with dovecot -->
<daemon name="postfix_dovecot" version="2.x"
title="Postfix 2 with dovecot">
<include>//service[@type='smtp']/general/commands[@index=1]
</include>
<command><![CDATA[echo "mail-mta/postfix dovecot-sasl -sasl" >> /etc/portage/package.use]]></command>
<include>//service[@type='smtp']/general/installs[@index=1]
</include>
<include>//service[@type='smtp']/general/commands[@index=2]
</include>
<file name="/etc/postfix/main.cf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
# Postfix programs paths settings
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
program_directory = /usr/libexec/postfix
sendmail_path = /usr/sbin/sendmail
## General Postfix configuration
# FQDN from Froxlor
mydomain = <SERVERNAME>
# set myhostname to $mydomain because Froxlor already uses a FQDN
myhostname = $mydomain
mydestination = $myhostname,
$mydomain,
localhost.$myhostname,
localhost.$mydomain,
localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all
append_dot_mydomain = no
biff = no
# Postfix performance settings
default_destination_concurrency_limit = 20
local_destination_concurrency_limit = 2
# SMTPD Settings
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_non_fqdn_recipient
smtpd_sender_restrictions = permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated,
reject_unknown_hostname,
reject_unknown_recipient_domain,
reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_client
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination
# Maximum size of Message in bytes (512MB)
message_size_limit = 536870912
## SASL Auth Settings
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
## Dovecot Settings for deliver, SASL Auth and virtual transport
mailbox_command = /usr/libexec/dovecot/deliver
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# Virtual delivery settings
virtual_mailbox_base = /
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender_permissions.cf
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uid_maps.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gid_maps.cf
# Local delivery settings
local_transport = local
alias_database = hash:/etc/mail/aliases
alias_maps = $alias_database
# Default Mailbox size, is set to 0 which means unlimited!
mailbox_size_limit = 0
virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
#smtp_use_tls = yes
#smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
#smtpd_tls_cert_file = /etc/ssl/server/server.pem
#smtpd_tls_key_file = /etc/ssl/server/server.key
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_CAfile = /etc/ssl/cacert.class3.crt # Just an example for CACert.org
#smtpd_tls_auth_only = no
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
### Quota Settings with vda useflag
## I use only virtual as localdelivery... This permits me to have full
## virtual domain hosting without using a lot of maps
#virtual_transport = virtual
## Generate maildirsize files or not
#virtual_create_maildirsize = yes
## I use Courier IMAP compatibles files.
#virtual_mailbox_extended = yes
## Limits only INBOX part (useful when
## using when you have IMAP users)
#virtual_mailbox_limit_inbox = yes
## maps of soft disk quotas
#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. Please try again later.
#virtual_overquota_bounce = yes
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
]]>
</content>
</file>
<include>//service[@type='smtp']/general/files[@index=0]</include>
<file name="/etc/postfix/master.cf" chown="root:root"
chmod="0644" backup="true" mode="append">
<content><![CDATA[
# Add this lines to be able to use dovecot as delivery agent
# Dovecot LDA
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}
]]>
</content>
</file>
<include>//service[@type='smtp']/general/commands[@index=3]
</include>
</daemon>
<!-- postfix with dovecot -->
<daemon name="postfix_dovecot" version="3.x"
title="Postfix 3 with dovecot" default="true">
<include>//service[@type='smtp']/general/commands[@index=1]
</include>
<command><![CDATA[echo "mail-mta/postfix dovecot-sasl -sasl" >> /etc/portage/package.use]]></command>
<include>//service[@type='smtp']/general/installs[@index=1]
</include>
<include>//service[@type='smtp']/general/commands[@index=2]
</include>
<file name="/etc/postfix/main.cf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
# Postfix programs paths settings
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
program_directory = /usr/libexec/postfix
sendmail_path = /usr/sbin/sendmail
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix/${mail_version}
compatibility_level = 2
## General Postfix configuration
# should be the default domain from your provider eg. "server100.provider.tld"
mydomain = <SERVERNAME>
# should be different from $mydomain eg. "mail.$mydomain"
myhostname = mail.$mydomain
mydestination = $myhostname,
$mydomain,
localhost.$myhostname,
localhost.$mydomain,
localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all
append_dot_mydomain = no
biff = no
# Postfix performance settings
default_destination_concurrency_limit = 20
local_destination_concurrency_limit = 2
# SMTPD Settings
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_non_fqdn_recipient
smtpd_sender_restrictions = permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated,
reject_unknown_hostname,
reject_unknown_recipient_domain,
reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_client
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination
# Maximum size of Message in bytes (512MB)
message_size_limit = 536870912
## SASL Auth Settings
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
## Dovecot Settings for deliver, SASL Auth and virtual transport
mailbox_command = /usr/libexec/dovecot/deliver
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# Virtual delivery settings
virtual_mailbox_base = /
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender_permissions.cf
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uid_maps.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gid_maps.cf
# Local delivery settings
local_transport = local
alias_database = hash:/etc/mail/aliases
alias_maps = $alias_database
# Default Mailbox size, is set to 0 which means unlimited!
mailbox_size_limit = 0
virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
#smtp_use_tls = yes
#smtp_tls_note_starttls_offer = yes
## TLS for email client
#smtpd_tls_cert_file = /etc/ssl/server/server.pem
#smtpd_tls_key_file = /etc/ssl/server/server.key
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_CAfile = /etc/ssl/cacert.class3.crt # Just an example for CACert.org
#smtpd_tls_auth_only = no
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
### Quota Settings with vda useflag
## I use only virtual as localdelivery... This permits me to have full
## virtual domain hosting without using a lot of maps
#virtual_transport = virtual
## Generate maildirsize files or not
#virtual_create_maildirsize = yes
## I use Courier IMAP compatibles files.
#virtual_mailbox_extended = yes
## Limits only INBOX part (useful when
## using when you have IMAP users)
#virtual_mailbox_limit_inbox = yes
## maps of soft disk quotas
#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. Please try again later.
#virtual_overquota_bounce = yes
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
]]>
</content>
</file>
<include>//service[@type='smtp']/general/files[@index=0]</include>
<file name="/etc/postfix/master.cf" chown="root:root"
chmod="0644" backup="true" mode="append">
<content><![CDATA[
# Add this lines to be able to use dovecot as delivery agent
# Dovecot LDA
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}
]]>
</content>
</file>
<include>//service[@type='smtp']/general/commands[@index=3]
</include>
</daemon>
<!-- postfix with courier -->
<daemon name="postfix_courier" version="2.x"
title="Postfix 2 with courier">
<include>//service[@type='smtp']/general/commands[@index=1]
</include>
<command><![CDATA[echo "mail-mta/postfix -dovecot-sasl sasl" >> /etc/portage/package.use]]></command>
<include>//service[@type='smtp']/general/installs[@index=1]
</include>
<include>//service[@type='smtp']/general/commands[@index=2]
</include>
<file name="/etc/postfix/main.cf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
# Postfix programs paths settings
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
program_directory = /usr/libexec/postfix
sendmail_path = /usr/sbin/sendmail
## General Postfix configuration
# should be the default domain from your provider eg. "server100.provider.tld"
mydomain = <SERVERNAME>
# should be different from $mydomain eg. "mail.$mydomain"
myhostname = mail.$mydomain
mydestination = $myhostname,
$mydomain,
localhost.$myhostname,
localhost.$mydomain,
localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all
append_dot_mydomain = no
biff = no
# Postfix performance settings
default_destination_concurrency_limit = 20
local_destination_concurrency_limit = 2
# SMTPD Settings
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_non_fqdn_recipient
smtpd_sender_restrictions = permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated,
reject_unknown_hostname,
reject_unknown_recipient_domain,
reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_hostname
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination
# Maximum size of Message in bytes (512MB)
message_size_limit = 536870912
## SASL Auth Settings
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
# Virtual delivery settings
virtual_mailbox_base = /
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender_permissions.cf
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uid_maps.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gid_maps.cf
# Local delivery settings
local_transport = local
alias_database = hash:/etc/mail/aliases
alias_maps = $alias_database
# Default Mailbox size, is set to 0 which means unlimited!
mailbox_size_limit = 0
virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
#smtp_tls_security_level = may
#smtp_tls_note_starttls_offer = yes
## TLS for email client
#smtpd_tls_security_level = may
#smtpd_tls_cert_file = /etc/ssl/postfix/server.pem
#smtpd_tls_key_file = /etc/ssl/postfix/server.key
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
]]>
</content>
</file>
<include>//service[@type='smtp']/general/files[@index=0]</include>
<file name="/etc/sasl2/smtpd.conf" chown="root:root"
chmod="0600">
<content><![CDATA[
pwcheck_method: auxprop
auxprop_plugin: sql
allowanonymouslogin: no
allowplaintext: yes
mech_list: PLAIN LOGIN
password_format: crypt
sql_engine: mysql
sql_hostnames: <SQL_HOST>
sql_user: <SQL_UNPRIVILEGED_USER>
sql_passwd: <SQL_UNPRIVILEGED_PASSWORD>
sql_database: <SQL_DB>
sql_select: SELECT password_enc FROM mail_users WHERE username='%u@%r' OR email='%u@%r'
]]>
</content>
</file>
<include>//service[@type='smtp']/general/commands[@index=3]
</include>
</daemon>
</service>
<!-- IMAP/POP3 services -->
<service type="mail" title="{{lng.admin.configfiles.mail}}">
<!-- Dovecot -->
<daemon name="dovecot" version="2" title="Dovecot"
default="true">
<command><![CDATA[echo "net-mail/dovecot mysql managesieve sieve" >> /etc/portage/package.use]]></command>
<install><![CDATA[emerge net-mail/dovecot]]></install>
<file name="/etc/dovecot/dovecot.conf" chown="root:root"
chmod="0640" backup="true">
<content><![CDATA[
auth_mechanisms = plain login
## allow Plaintext Logins from foreign IP if the Connection doesn't use TLS
disable_plaintext_auth = no
listen = *
mail_access_groups = vmail
mail_debug = no
protocols = imap pop3 sieve
### SSL Settings
### After you obtained an SSL-certificate enable ssl here and
### set disable_plaintext_auth to yes (see above)
ssl = no
#ssl_cert = </etc/ssl/server/<SERVERNAME>.pem
#ssl_key = </etc/ssl/server/<SERVERNAME>.key
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
quota = maildir:User Quota
# Sieve-Configuration
sieve = ~/sieve/.dovecot.sieve
sieve_dir = ~/sieve
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
group = vmail
mode = 0660
user = vmail
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
service managesieve {
}
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
protocol imap {
mail_plugins = quota imap_quota
# IMAP logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
imap_logout_format = in=%i out=%o
}
protocol pop3 {
mail_plugins = quota
pop3_uidl_format = UID%u-%v
# POP3 logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
# %t - number of TOP commands
# %p - number of bytes sent to client as a result of TOP command
# %r - number of RETR commands
# %b - number of bytes sent to client as a result of RETR command
# %d - number of deleted messages
# %m - number of messages (before deletion)
# %s - mailbox size in bytes (before deletion)
# %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly
pop3_logout_format = in=%i out=%o top=%t/%p retr=%r/%b del=%d/%m size=%s
}
protocol sieve {
}
lda_mailbox_autocreate = yes
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
mail_plugins = quota sieve
# postmaster is the one in charge of the mail system. MUST be set to a valid address!
postmaster_address = postmaster@<SERVERNAME>
sendmail_path = /usr/sbin/sendmail
lda_mailbox_autocreate = 1
}
]]>
</content>
</file>
<file name="/etc/dovecot/dovecot-sql.conf.ext"
chown="root:root" chmod="0600" backup="true">
<content><![CDATA[
driver = mysql
connect = host=<SQL_HOST> dbname=<SQL_DB> user=<SQL_UNPRIVILEGED_USER> password=<SQL_UNPRIVILEGED_PASSWORD>
default_pass_scheme = CRYPT
password_query = "SELECT username AS user, password_enc AS password, CONCAT(homedir, maildir) AS userdb_home, uid AS userdb_uid, gid AS userdb_gid, CONCAT('maildir:', homedir, maildir) AS userdb_mail, CONCAT('*:storage=', quota,'M') AS userdb_quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') AND ((imap = 1 AND '%Ls' = 'imap') OR (pop3 = 1 AND '%Ls' = 'pop3') OR ((postfix = 'Y' AND '%Ls' = 'smtp') OR (postfix = 'Y' AND '%Ls' = 'sieve')))"
user_query = "SELECT CONCAT(homedir, maildir) AS home, CONCAT('maildir:', homedir, maildir) AS mail, uid, gid, CONCAT('*:storage=', quota,'M') AS quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u')"
iterate_query = "SELECT username AS user FROM mail_users WHERE (imap = 1 OR pop3 = 1)"
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/20-managesieve.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
##
## ManageSieve specific settings
##
# Uncomment to enable managesieve protocol:
protocols = $protocols sieve
# Service definitions
service managesieve-login {
inet_listener sieve {
port = 4190
}
#inet_listener sieve_deprecated {
# port = 2000
#}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = 64M
}
#service managesieve {
# Max. number of ManageSieve processes (connections)
#process_limit = 1024
#}
# Service configuration
protocol sieve {
# Maximum ManageSieve command line length in bytes. ManageSieve usually does
# not involve overly long command lines, so this setting will not normally
# need adjustment
#managesieve_max_line_length = 65536
# Maximum number of ManageSieve connections allowed for a user from each IP
# address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
# Space separated list of plugins to load (none known to be useful so far).
# Do NOT try to load IMAP plugins here.
#mail_plugins =
# MANAGESIEVE logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
#managesieve_logout_format = bytes=%i/%o
# To fool ManageSieve clients that are focused on CMU's timesieved you can
# specify the IMPLEMENTATION capability that Dovecot reports to clients.
# For example: 'Cyrus timsieved v2.2.13'
#managesieve_implementation_string = Dovecot Pigeonhole
# Explicitly specify the SIEVE and NOTIFY capability reported by the server
# before login. If left unassigned these will be reported dynamically
# according to what the Sieve interpreter supports by default (after login
# this may differ depending on the user).
#managesieve_sieve_capability =
#managesieve_notify_capability =
# The maximum number of compile errors that are returned to the client upon
# script upload or script verification.
#managesieve_max_compile_errors = 5
# Refer to 90-sieve.conf for script quota configuration and configuration of
# Sieve execution limits.
}
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/90-sieve.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
##
## Settings for the Sieve interpreter
##
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
# The Sieve interpreter can retrieve Sieve scripts from several types of
# locations. The default `file' location type is a local filesystem path
# pointing to a Sieve script file or a directory containing multiple Sieve
# script files. More complex setups can use other location types such as
# `ldap' or `dict' to fetch Sieve scripts from remote databases.
#
# All settings that specify the location of one ore more Sieve scripts accept
# the following syntax:
#
# location = [<type>:]path[;<option>[=<value>][;...]]
#
# If the type prefix is omitted, the script location type is 'file' and the
# location is interpreted as a local filesystem path pointing to a Sieve script
# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
# information.
plugin {
# The location of the user's main Sieve script or script storage. The LDA
# Sieve plugin uses this to find the active script for Sieve filtering at
# delivery. The "include" extension uses this location for retrieving
# :personal" scripts. This is also where the ManageSieve service will store
# the user's scripts, if supported.
#
# Currently only the 'file:' location type supports ManageSieve operation.
# Other location types like 'dict:' and 'ldap:' can currently only
# be used as a read-only script source ().
#
# For the 'file:' type: use the ';active=' parameter to specify where the
# active script symlink is located.
# For other types: use the ';name=' parameter to specify the name of the
# default/active script.
sieve = file:~/sieve;active=~/sieve/.dovecot.sieve
# The default Sieve script when the user has none. This is the location of a
# global sieve script file, which gets executed ONLY if user's personal Sieve
# script doesn't exist. Be sure to pre-compile this script manually using the
# sievec command line tool if the binary is not stored in a global location.
# --> See sieve_before for executing scripts before the user's personal
# script.
#sieve_default = /var/lib/dovecot/sieve/default.sieve
# The name by which the default Sieve script (as configured by the
# sieve_default setting) is visible to the user through ManageSieve.
#sieve_default_name =
# Location for ":global" include scripts as used by the "include" extension.
#sieve_global =
# Location Sieve of scripts that need to be executed before the user's
# personal script. If a 'file' location path points to a directory, all the
# Sieve scripts contained therein (with the proper `.sieve' extension) are
# executed. The order of execution within that directory is determined by the
# file names, using a normal 8bit per-character comparison.
#
# Multiple script locations can be specified by appending an increasing number
# to the setting name. The Sieve scripts found from these locations are added
# to the script execution sequence in the specified order. Reading the
# numbered sieve_before settings stops at the first missing setting, so no
# numbers may be skipped.
#sieve_before = /var/lib/dovecot/sieve.d/
#sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
#sieve_before3 = (etc...)
# Identical to sieve_before, only the specified scripts are executed after the
# user's script (only when keep is still in effect!). Multiple script
# locations can be specified by appending an increasing number.
#sieve_after =
#sieve_after2 =
#sieve_after2 = (etc...)
# Which Sieve language extensions are available to users. By default, all
# supported extensions are available, except for deprecated extensions or
# those that are still under development. Some system administrators may want
# to disable certain Sieve extensions or enable those that are not available
# by default. This setting can use '+' and '-' to specify differences relative
# to the default. For example `sieve_extensions = +imapflags' will enable the
# deprecated imapflags extension in addition to all extensions were already
# enabled by default.
#sieve_extensions = +notify +imapflags
# Which Sieve language extensions are ONLY available in global scripts. This
# can be used to restrict the use of certain Sieve extensions to administrator
# control, for instance when these extensions can cause security concerns.
# This setting has higher precedence than the `sieve_extensions' setting
# (above), meaning that the extensions enabled with this setting are never
# available to the user's personal script no matter what is specified for the
# `sieve_extensions' setting. The syntax of this setting is similar to the
# `sieve_extensions' setting, with the difference that extensions are
# enabled or disabled for exclusive use in global scripts. Currently, no
# extensions are marked as such by default.
#sieve_global_extensions =
# The Pigeonhole Sieve interpreter can have plugins of its own. Using this
# setting, the used plugins can be specified. Check the Dovecot wiki
# (wiki2.dovecot.org) or the pigeonhole website
# (http://pigeonhole.dovecot.org) for available plugins.
# The sieve_extprograms plugin is included in this release.
#sieve_plugins =
# The separator that is expected between the :user and :detail
# address parts introduced by the subaddress extension. This may
# also be a sequence of characters (e.g. '--'). The current
# implementation looks for the separator from the left of the
# localpart and uses the first one encountered. The :user part is
# left of the separator and the :detail part is right. This setting
# is also used by Dovecot's LMTP service.
#recipient_delimiter = +
# The maximum size of a Sieve script. The compiler will refuse to compile any
# script larger than this limit. If set to 0, no limit on the script size is
# enforced.
#sieve_max_script_size = 1M
# The maximum number of actions that can be performed during a single script
# execution. If set to 0, no limit on the total number of actions is enforced.
#sieve_max_actions = 32
# The maximum number of redirect actions that can be performed during a single
# script execution. If set to 0, no redirect actions are allowed.
#sieve_max_redirects = 4
# The maximum number of personal Sieve scripts a single user can have. If set
# to 0, no limit on the number of scripts is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_scripts = 0
# The maximum amount of disk storage a single user's scripts may occupy. If
# set to 0, no limit on the used amount of disk storage is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_storage = 0
}
]]>
</content>
</file>
<command><![CDATA[rc-update add dovecot default]]></command>
<command><![CDATA[/etc/init.d/dovecot restart]]></command>
</daemon>
<!-- Courier -->
<daemon name="courier" title="Courier">
<install><![CDATA[emerge net-mail/courier-imap]]></install>
<file name="/etc/courier/authlib/authdaemonrc" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
##VERSION: $Id: authdaemonrc.in,v 1.12 2005/07/05 12:25:08 mrsam Exp $
#
# Copyright 2000-2005 Double Precision, Inc. See COPYING for
# distribution information.
#
# authdaemonrc created from authdaemonrc.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# This file configures authdaemond, the resident authentication daemon.
#
# Comments in this file are ignored. Although this file is intended to
# be sourced as a shell script, authdaemond parses it manually, so
# the acceptable syntax is a bit limited. Multiline variable contents,
# with the \ continuation character, are not allowed. Everything must
# fit on one line. Do not use any additional whitespace for indentation,
# or anything else.
##NAME: authmodulelist:2
#
# The authentication modules that are linked into authdaemond. The
# default list is installed. You may selectively disable modules simply
# by removing them from the following list. The available modules you
# can use are: authuserdb authpam authshadow authmysql authcustom authpipe
authmodulelist="authmysql"
##NAME: authmodulelistorig:3
#
# This setting is used by Courier's webadmin module, and should be left
# alone
authmodulelistorig="authuserdb authpam authshadow authmysql authcustom authpipe"
##NAME: daemons:0
#
# The number of daemon processes that are started. authdaemon is typically
# installed where authentication modules are relatively expensive: such
# as authldap, or authmysql, so it's better to have a number of them running.
# PLEASE NOTE: Some platforms may experience a problem if there's more than
# one daemon. Specifically, SystemV derived platforms that use TLI with
# socket emulation. I'm suspicious of TLI's ability to handle multiple
# processes accepting connections on the same filesystem domain socket.
#
# You may need to increase daemons if as your system load increases. Symptoms
# include sporadic authentication failures. If you start getting
# authentication failures, increase daemons. However, the default of 5
# SHOULD be sufficient. Bumping up daemon count is only a short-term
# solution. The permanent solution is to add more resources: RAM, faster
# disks, faster CPUs...
daemons=5
##NAME: authdaemonvar:2
#
# authdaemonvar is here, but is not used directly by authdaemond. It's
# used by various configuration and build scripts, so don't touch it!
authdaemonvar=/var/lib/courier/authdaemon
##NAME: DEBUG_LOGIN:0
#
# Dump additional diagnostics to syslog
#
# DEBUG_LOGIN=0 - turn off debugging
# DEBUG_LOGIN=1 - turn on debugging
# DEBUG_LOGIN=2 - turn on debugging + log passwords too
#
# ** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
#
# Note that most information is sent to syslog at level 'debug', so
# you may need to modify your /etc/syslog.conf to be able to see it.
DEBUG_LOGIN=0
##NAME: DEFAULTOPTIONS:0
#
# A comma-separated list of option=value pairs. Each option is applied
# to an account if the account does not have its own specific value for
# that option. So for example, you can set
# DEFAULTOPTIONS="disablewebmail=1,disableimap=1"
# and then enable webmail and/or imap on individual accounts by setting
# disablewebmail=0 and/or disableimap=0 on the account.
DEFAULTOPTIONS=""
##NAME: LOGGEROPTS:0
#
# courierlogger(1) options, e.g. to set syslog facility
#
LOGGEROPTS=""
]]>
</content>
</file>
<file name="/etc/courier/authlib/authmysqlrc" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
MYSQL_SERVER <SQL_HOST>
MYSQL_USERNAME <SQL_UNPRIVILEGED_USER>
MYSQL_PASSWORD <SQL_UNPRIVILEGED_PASSWORD>
MYSQL_PORT 0
MYSQL_DATABASE <SQL_DB>
MYSQL_USER_TABLE mail_users
MYSQL_CRYPT_PWFIELD password_enc
MYSQL_UID_FIELD uid
MYSQL_GID_FIELD gid
MYSQL_LOGIN_FIELD username
MYSQL_HOME_FIELD homedir
MYSQL_MAILDIR_FIELD maildir
MYSQL_QUOTA_FIELD (quota*1024*1024)
MYSQL_AUXOPTIONS_FIELD CONCAT("allowimap=",imap,",allowpop3=",pop3)
]]>
</content>
</file>
<file name="/etc/courier-imap/pop3d" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
##VERSION: $Id: pop3d.dist.in,v 1.11 2004/10/30 15:39:38 mrsam Exp $
#
# pop3d created from pop3d.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# Copyright 1998 - 2004 Double Precision, Inc. See COPYING for
# distribution information.
#
# Courier POP3 daemon configuration
#
##NAME: PIDFILE:0
#
PIDFILE=/var/run/pop3d.pid
##NAME: MAXDAEMONS:0
#
# Maximum number of POP3 servers started
#
MAXDAEMONS=50
##NAME: MAXPERIP:4
#
# Maximum number of connections to accept from the same IP address
MAXPERIP=5
##NAME: POP3AUTH:1
#
# To advertise the SASL capability, per RFC 2449, uncomment the POP3AUTH
# variable:
#
# POP3AUTH="LOGIN"
#
# If you have configured the CRAM-MD5 or CRAM-SHA1, set POP3AUTH to something
# like this:
#
# POP3AUTH="LOGIN CRAM-MD5 CRAM-SHA1"
POP3AUTH=""
##NAME: POP3AUTH_ORIG:0
#
# For use by webadmin
POP3AUTH_ORIG="LOGIN CRAM-MD5 CRAM-SHA1"
##NAME: POP3AUTH_TLS:1
#
# To also advertise SASL PLAIN if SSL is enabled, uncomment the
# POP3AUTH_TLS environment variable:
#
# POP3AUTH_TLS="LOGIN PLAIN"
POP3AUTH_TLS=""
##NAME: POP3AUTH_TLS_ORIG:0
#
# For use by webadmin
POP3AUTH_TLS_ORIG="LOGIN PLAIN"
##NAME: POP3_PROXY:0
#
# Enable proxying. See README.proxy
POP3_PROXY=0
##NAME: PORT:1
#
# Port to listen on for connections. The default is port 110.
#
# Multiple port numbers can be separated by commas. When multiple port
# numbers are used it is possibly to select a specific IP address for a
# given port as "ip.port". For example, "127.0.0.1.900,192.68.0.1.900"
# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
# The ADDRESS setting is a default for ports that do not have a specified
# IP address.
PORT=110
##NAME: ADDRESS:0
#
# IP address to listen on. 0 means all IP addresses.
ADDRESS=0
##NAME: TCPDOPTS:0
#
# Other couriertcpd(1) options. The following defaults should be fine.
#
TCPDOPTS="-nodnslookup -noidentlookup"
##NAME: POP3DSTART:0
#
# POP3DSTART is not referenced anywhere in the standard Courier programs
# or scripts. Rather, this is a convenient flag to be read by your system
# startup script in /etc/rc.d, like this:
#
# . /etc/courier-imap/pop3d
# case x$POP3DSTART in
# x[yY]*)
# /usr/lib/courier-imap/pop3d.rc start
# ;;
# esac
#
# The default setting is going to be NO, until Courier is shipped by default
# with enough platforms so that people get annoyed with having to flip it to
# YES every time.
POP3DSTART=YES
##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Maildir
#Hardwire a value for ${MAILDIR}
MAILDIR=.maildir
MAILDIRPATH=.maildir
#Put any program for ${PRERUN} here
PRERUN=
]]>
</content>
</file>
<file name="/etc/courier-imap/imapd" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
##VERSION: $Id: imapd.dist.in,v 1.32 2004/11/25 04:57:04 mrsam Exp $
#
# imapd created from imapd.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# Copyright 1998 - 2004 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
# when used with the couriertcpd server.
# A lot of the stuff here is documented in the manual page for couriertcpd.
#
# NOTE - do not use \ to split long variable contents on multiple lines.
# This will break the default imapd.rc script, which parses this file.
#
##NAME: ADDRESS:0
#
# Address to listen on, can be set to a single IP address.
#
# ADDRESS=127.0.0.1
ADDRESS=0
##NAME: PORT:1
#
# Port numbers that connections are accepted on. The default is 143,
# the standard IMAP port.
#
# Multiple port numbers can be separated by commas. When multiple port
# numbers are used it is possible to select a specific IP address for a
# given port as "ip.port". For example, "127.0.0.1.900,192.68.0.1.900"
# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
# The previous ADDRESS setting is a default for ports that do not have
# a specified IP address.
PORT=143
##NAME: AUTHSERVICE:0
#
# It's possible to authenticate using a different 'service' parameter
# depending on the connection's port. This only works with authentication
# modules that use the 'service' parameter, such as PAM. Example:
#
# AUTHSERVICE143=imap
# AUTHSERVICE993=imaps
##NAME: MAXDAEMONS:0
#
# Maximum number of IMAP servers started
#
MAXDAEMONS=50
##NAME: MAXPERIP:0
#
# Maximum number of connections to accept from the same IP address
MAXPERIP=10
##NAME: PIDFILE:0
#
# File where couriertcpd will save its process ID
#
PIDFILE=/var/run/imapd.pid
##NAME: TCPDOPTS:0
#
# Miscellaneous couriertcpd options that shouldn't be changed.
#
TCPDOPTS="-nodnslookup -noidentlookup"
##NAME: IMAP_CAPABILITY:1
#
# IMAP_CAPABILITY specifies what most of the response should be to the
# CAPABILITY command.
#
# If you have properly configured Courier to use CRAM-MD5 or CRAM-SHA1
# authentication (see INSTALL), set IMAP_CAPABILITY as follows:
#
# IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"
#
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
##NAME: KEYWORDS_CAPABILITY:0
#
# IMAP_KEYWORDS=1 enables custom IMAP keywords. Set this option to 0 to
# disable custom keywords.
IMAP_KEYWORDS=1
##NAME: SMAP1_CAPABILITY:0
#
# EXPERIMENTAL
#
# To enable the experimental "Simple Mail Access Protocol" extensions,
# uncomment the following setting.
#
# SMAP_CAPABILITY=SMAP1
##NAME: IMAP_CAPABILITY_ORIG:1
#
# For use by webadmin
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"
##NAME: IMAP_PROXY:0
#
# Enable proxying. See README.proxy
IMAP_PROXY=0
##NAME: IMAP_PROXY_FOREIGN:0
#
# Proxying to non-Courier servers. Re-sends the CAPABILITY command after
# logging in to the remote server. May not work with all IMAP clients.
IMAP_PROXY_FOREIGN=0
##NAME: IMAP_IDLE_TIMEOUT:0
#
# This setting controls how often
# the server polls for changes to the folder, in IDLE mode (in seconds).
IMAP_IDLE_TIMEOUT=60
##NAME: IMAP_CAPABILITY_TLS:0
#
# The following setting will advertise SASL PLAIN authentication after
# STARTTLS is established. If you want to allow SASL PLAIN authentication
# with or without TLS then just comment this out, and add AUTH=PLAIN to
# IMAP_CAPABILITY
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
##NAME: IMAP_TLS_ORIG:0
#
# For use by webadmin
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
##NAME: IMAP_DISABLETHREADSORT:0
#
# Set IMAP_DISABLETHREADSORT to disable the THREAD and SORT commands -
# server side sorting and threading.
#
# Those capabilities will still be advertised, but the server will reject
# them. Set this option if you want to disable all the extra load from
# server-side threading and sorting. Not advertising those capabilities
# will simply result in the clients reading the entire folder, and sorting
# it on the client side. That will still put some load on the server.
# advertising these capabilities, but rejecting the commands, will stop this
# silliness.
#
IMAP_DISABLETHREADSORT=0
##NAME: IMAP_CHECK_ALL_FOLDERS:0
#
# Set IMAP_CHECK_ALL_FOLDERS to 1 if you want the server to check for new
# mail in every folder. Not all IMAP clients use the IMAP's new mail
# indicator, but some do. Normally new mail is checked only in INBOX,
# because it is a comparatively time consuming operation, and it would be
# a complete waste of time unless mail filters are used to deliver
# mail directly to folders.
#
# When IMAP clients are used which support new mail indication, and when
# mail filters are used to sort incoming mail into folders, setting
# IMAP_CHECK_ALL_FOLDERS to 1 will allow IMAP clients to announce new
# mail in folders. Note that this will result in slightly more load on the
# server.
#
IMAP_CHECK_ALL_FOLDERS=0
##NAME: IMAP_OBSOLETE_CLIENT:0
#
# Set IMAP_OBSOLETE_CLIENT if your IMAP client expects \\NoInferiors to mean
# what \\HasNoChildren really means.
IMAP_OBSOLETE_CLIENT=0
##NAME: IMAP_UMASK:0
#
# IMAP_UMASK sets the umask of the server process. The value of IMAP_UMASK is
# simply passed to the "umask" command. The default value is 022.
#
# This feature is mostly useful for shared folders, where the file permissions
# of the messages may be important.
IMAP_UMASK=027
##NAME: IMAP_ULIMITD:0
#
# IMAP_ULIMITD sets the maximum size of the data segment of the server
# process. The value of IMAP_ULIMITD is simply passed to the "ulimit -d"
# command (or ulimit -v). The argument to ulimi sets the upper limit on the
# size of the data segment of the server process, in kilobytes. The default
# value of 65536 sets a very generous limit of 64 megabytes, which should
# be more than plenty for anyone.
#
# This feature is used as an additional safety check that should stop
# any potential denial-of-service attacks that exploit any kind of
# a memory leak to exhaust all the available memory on the server.
# It is theoretically possible that obscenely huge folders will also
# result in the server running out of memory when doing server-side
# sorting (by my calculations you have to have at least 100,000 messages
# in a single folder, for that to happen).
IMAP_ULIMITD=65536
##NAME: IMAP_USELOCKS:0
#
# Setting IMAP_USELOCKS to 1 will use dot-locking to support concurrent
# multiple access to the same folder. This incurs slight additional
# overhead. Concurrent multiple access will still work without this setting,
# however occasionally a minor race condition may result in an IMAP client
# downloading the same message twice, or a keyword update will fail.
#
# IMAP_USELOCKS=1 is strongly recommended when shared folders are used.
IMAP_USELOCKS=1
##NAME: IMAP_SHAREDINDEXFILE:0
#
# The index of all accessible folders. Do not change this setting unless
# you know what you're doing. See README.sharedfolders for additional
# information.
IMAP_SHAREDINDEXFILE=/etc/courier-imap/shared/index
##NAME: IMAP_ENHANCEDIDLE:0
#
# If Courier was compiled with the File Alteration Monitor, setting
# IMAP_ENHANCEDIDLE to 1 enables enhanced IDLE mode, where multiple
# clients may open the same folder concurrently, and receive updates to
# folder contents in realtime. See the imapd(8) man page for additional
# information.
#
# IMPORTANT: IMAP_USELOCKS *MUST* also be set to 1, and IDLE must be included
# in the IMAP_CAPABILITY list.
#
IMAP_ENHANCEDIDLE=0
##NAME: IMAP_TRASHFOLDERNAME:0
#
# The name of the magic trash Folder. For MSOE compatibility,
# you can set IMAP_TRASHFOLDERNAME="Deleted Items".
#
# IMPORTANT: If you change this, you must also change IMAP_EMPTYTRASH
IMAP_TRASHFOLDERNAME=Trash
##NAME: IMAP_EMPTYTRASH:0
#
# The following setting is optional, and causes messages from the given
# folder to be automatically deleted after the given number of days.
# IMAP_EMPTYTRASH is a comma-separated list of folder:days. The default
# setting, below, purges 7 day old messages from the Trash folder.
# Another useful setting would be:
#
# IMAP_EMPTYTRASH=Trash:7,Sent:30
#
# This would also delete messages from the Sent folder (presumably copies
# of sent mail) after 30 days. This is a global setting that is applied to
# every mail account, and is probably useful in a controlled, corporate
# environment.
#
# Important: the purging is controlled by CTIME, not MTIME (the file time
# as shown by ls). It is perfectly ordinary to see stuff in Trash that's
# a year old. That's the file modification time, MTIME, that's displayed.
# This is generally when the message was originally delivered to this
# mailbox. Purging is controlled by a different timestamp, CTIME, which is
# changed when the file is moved to the Trash folder (and at other times too).
#
# You might want to disable this setting in certain situations - it results
# in a stat() of every file in each folder, at login and logout.
#
IMAP_EMPTYTRASH=Trash:7
##NAME: IMAP_MOVE_EXPUNGE_TO_TRASH:0
#
# Set IMAP_MOVE_EXPUNGE_TO_TRASH to move expunged messages to Trash. This
# effectively allows an undo of message deletion by fishing the deleted
# mail from trash. Trash can be manually expunged as usually, and mail
# will get automatically expunged from Trash according to IMAP_EMPTYTRASH.
#
# NOTE: shared folders are still expunged as usual. Shared folders are
# not affected.
#
IMAP_MOVE_EXPUNGE_TO_TRASH=0
##NAME: OUTBOX:0
#
# The next set of options deal with the "Outbox" enhancement.
# Uncomment the following setting to create a special folder, named
# INBOX.Outbox
#
# OUTBOX=.Outbox
##NAME: SENDMAIL:0
#
# If OUTBOX is defined, mail can be sent via the IMAP connection by copying
# a message to the INBOX.Outbox folder. For all practical matters,
# INBOX.Outbox looks and behaves just like any other IMAP folder. If this
# folder doesn't exist it must be created by the IMAP mail client, just
# like any other IMAP folder. The kicker: any message copied or moved to
# this folder is will be E-mailed by the Courier-IMAP server, by running
# the SENDMAIL program. Therefore, messages copied or moved to this
# folder must be well-formed RFC-2822 messages, with the recipient list
# specified in the To:, Cc:, and Bcc: headers. Courier-IMAP relies on
# SENDMAIL to read the recipient list from these headers (and delete the Bcc:
# header) by running the command "$SENDMAIL -oi -t -f $SENDER", with the
# message piped on standard input. $SENDER will be the return address
# of the message, which is set by the authentication module.
#
# DO NOT MODIFY SENDMAIL, below, unless you know what you're doing.
#
SENDMAIL=/usr/sbin/sendmail
##NAME: HEADERFROM:0
#
# For administrative and oversight purposes, the return address, $SENDER
# will also be saved in the X-IMAP-Sender mail header. This header gets
# added to the sent E-mail (but it doesn't get saved in the copy of the
# message that's saved in the folder)
#
# WARNING - By enabling OUTBOX above, *every* IMAP mail client will receive
# the magic OUTBOX treatment. Therefore advance LARTing is in order for
# _all_ of your lusers, until every one of them is aware of this. Otherwise if
# OUTBOX is left at its default setting - a folder name that might be used
# accidentally - some people may be in for a rude surprise. You can redefine
# the name of the magic folder by changing OUTBOX, above. You should do that
# and pick a less-obvious name. Perhaps brand it with your organizational
# name ( OUTBOX=.WidgetsAndSonsOutbox )
HEADERFROM=X-IMAP-Sender
##NAME: IMAPDSTART:0
#
# IMAPDSTART is not used directly. Rather, this is a convenient flag to
# be read by your system startup script in /etc/rc.d, like this:
#
# . /etc/courier-imap/imapd
#
# case x$IMAPDSTART in
# x[yY]*)
# /usr/lib/courier-imap/imapd.rc start
# ;;
# esac
#
# The default setting is going to be NO, so you'll have to manually flip
# it to yes.
IMAPDSTART=YES
##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Maildir
#Hardwire a value for ${MAILDIR}
MAILDIR=.maildir
MAILDIRPATH=.maildir
#Put any program for ${PRERUN} here
PRERUN=
]]>
</content>
</file>
<file name="/etc/courier-imap/pop3d-ssl" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
##VERSION: $Id: pop3d-ssl.dist.in,v 1.12 2004/10/21 00:45:35 mrsam Exp $
#
# pop3d-ssl created from pop3d-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# Copyright 2000-2004 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
# when used to handle SSL POP3 connections.
#
# SSL and non-SSL connections are handled by a dedicated instance of the
# couriertcpd daemon. If you are accepting both SSL and non-SSL POP3
# connections, you will start two instances of couriertcpd, one on the
# POP3 port 110, and another one on the POP3-SSL port 995.
#
# Download OpenSSL from http://www.openssl.org/
#
##NAME: SSLPORT:0
#
# Options in the pop3d-ssl configuration file AUGMENT the options in the
# pop3d configuration file. First the pop3d configuration file is read,
# then the pop3d-ssl configuration file, so we do not have to redefine
# anything.
#
# However, some things do have to be redefined. The port number is
# specified by SSLPORT, instead of PORT. The default port is port 995.
#
# Multiple port numbers can be separated by commas. When multiple port
# numbers are used it is possibly to select a specific IP address for a
# given port as "ip.port". For example, "127.0.0.1.900,192.68.0.1.900"
# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
# The SSLADDRESS setting is a default for ports that do not have
# a specified IP address.
SSLPORT=995
##NAME: SSLADDRESS:0
#
# Address to listen on, can be set to a single IP address.
#
# SSLADDRESS=127.0.0.1
SSLADDRESS=0
##NAME: SSLPIDFILE:0
#
#
#
SSLPIDFILE=/var/run/pop3d-ssl.pid
##NAME: POP3DSSLSTART:0
#
# Whether or not to start POP3 over SSL on spop3 port:
POP3DSSLSTART=YES
##NAME: POP3_STARTTLS:0
#
# Whether or not to implement the POP3 STLS extension:
POP3_STARTTLS=YES
##NAME: POP3_TLS_REQUIRED:1
#
# Set POP3_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
# (this option advertises the LOGINDISABLED POP3 capability, until STARTTLS
# is issued).
POP3_TLS_REQUIRED=0
##NAME: COURIERTLS:0
#
# The following variables configure POP3 over SSL. If OpenSSL is available
# during configuration, the couriertls helper gets compiled, and upon
# installation a dummy TLS_CERTFILE gets generated. courieresmtpd will
# automatically advertise the ESMTP STARTTLS extension if both TLS_CERTFILE
# and COURIERTLS exist.
#
# WARNING: Peer certificate verification has NOT yet been tested. Proceed
# at your own risk. Only the basic SSL/TLS functionality is known to be
# working. Keep this in mind as you play with the following variables.
COURIERTLS=/usr/sbin/couriertls
##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version. The possible versions are:
#
# SSL2 - SSLv2
# SSL3 - SSLv3
# TLS1 - TLS1
TLS_PROTOCOL=SSL3
##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
# extension, as opposed to POP3 over SSL on port 995.
#
TLS_STARTTLS_PROTOCOL=TLS1
##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but its not yet implemented.
#
##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used. In most situations the
# DH pair is to be treated as confidential, and the file specified by
# TLS_DHCERTFILE must not be world-readable.
#
# TLS_DHCERTFILE=
##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/etc/ssl/postfix/server.pem
##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
#
TLS_TRUSTCERTS=/etc/ssl/certs
##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates. The possible values of
# this setting are:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
#
TLS_VERIFYPEER=NONE
##NAME: TLS_CACHE:0
#
# A TLS/SSL session cache may slightly improve response for long-running
# POP3 clients. TLS_CACHEFILE will be automatically created, TLS_CACHESIZE
# bytes long, and used as a cache buffer.
#
# This is an experimental feature and should be disabled if it causes
# problems with SSL clients. Disable SSL caching by commenting out the
# following settings:
TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache
TLS_CACHESIZE=524288
##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Maildir
#Hardwire a value for ${MAILDIR}
MAILDIRPATH=.maildir
]]>
</content>
</file>
<file name="/etc/courier-imap/imapd-ssl" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
##VERSION: $Id: imapd-ssl.dist.in,v 1.11 2004/10/21 00:45:35 mrsam Exp $
#
# imapd-ssl created from imapd-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# Copyright 2000 - 2004 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
# when used to handle SSL IMAP connections.
#
# SSL and non-SSL connections are handled by a dedicated instance of the
# couriertcpd daemon. If you are accepting both SSL and non-SSL IMAP
# connections, you will start two instances of couriertcpd, one on the
# IMAP port 143, and another one on the IMAP-SSL port 993.
#
# Download OpenSSL from http://www.openssl.org/
#
##NAME: SSLPORT:1
#
# Options in the imapd-ssl configuration file AUGMENT the options in the
# imapd configuration file. First the imapd configuration file is read,
# then the imapd-ssl configuration file, so we do not have to redefine
# anything.
#
# However, some things do have to be redefined. The port number is
# specified by SSLPORT, instead of PORT. The default port is port 993.
#
# Multiple port numbers can be separated by commas. When multiple port
# numbers are used it is possibly to select a specific IP address for a
# given port as "ip.port". For example, "127.0.0.1.900,192.68.0.1.900"
# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
# The SSLADDRESS setting is a default for ports that do not have
# a specified IP address.
SSLPORT=993
##NAME: SSLADDRESS:0
#
# Address to listen on, can be set to a single IP address.
#
# SSLADDRESS=127.0.0.1
SSLADDRESS=0
##NAME: SSLPIDFILE:0
#
# That's the SSL IMAP port we'll listen on.
# Feel free to redefine MAXDAEMONS, TCPDOPTS, and MAXPERIP.
SSLPIDFILE=/var/run/imapd-ssl.pid
##NAME: IMAPDSSLSTART:0
#
# Different pid files, so that both instances of couriertcpd can coexist
# happily.
#
# You can also redefine IMAP_CAPABILITY, although I can't
# think of why you'd want to do that.
#
#
# Ok, the following settings are new to imapd-ssl:
#
# Whether or not to start IMAP over SSL on simap port:
IMAPDSSLSTART=YES
##NAME: IMAPDSTARTTLS:0
#
# Whether or not to implement IMAP STARTTLS extension instead:
IMAPDSTARTTLS=YES
##NAME: IMAP_TLS_REQUIRED:1
#
# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
# (this option advertises the LOGINDISABLED IMAP capability, until STARTTLS
# is issued).
IMAP_TLS_REQUIRED=0
#########################################################################
#
# The following variables configure IMAP over SSL. If OpenSSL is available
# during configuration, the couriertls helper gets compiled, and upon
# installation a dummy TLS_CERTFILE gets generated. courieresmtpd will
# automatically advertise the ESMTP STARTTLS extension if both TLS_CERTFILE
# and COURIERTLS exist.
#
# WARNING: Peer certificate verification has NOT yet been tested. Proceed
# at your own risk. Only the basic SSL/TLS functionality is known to be
# working. Keep this in mind as you play with the following variables.
#
##NAME: COURIERTLS:0
#
COURIERTLS=/usr/sbin/couriertls
##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version. The possible versions are:
#
# SSL2 - SSLv2
# SSL3 - SSLv3
# TLS1 - TLS1
TLS_PROTOCOL=SSL3
##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS
# extension, as opposed to IMAP over SSL on port 993.
#
TLS_STARTTLS_PROTOCOL=TLS1
##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but its not yet implemented.
#
##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used. In most situations the
# DH pair is to be treated as confidential, and the file specified by
# TLS_DHCERTFILE must not be world-readable.
#
# TLS_DHCERTFILE=
##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/etc/ssl/postfix/server.pem
##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
#
TLS_TRUSTCERTS=/etc/ssl/certs
##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates. The possible values of
# this setting are:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
#
TLS_VERIFYPEER=NONE
##NAME: TLS_CACHE:0
#
# A TLS/SSL session cache may slightly improve response for IMAP clients
# that open multiple SSL sessions to the server. TLS_CACHEFILE will be
# automatically created, TLS_CACHESIZE bytes long, and used as a cache
# buffer.
#
# This is an experimental feature and should be disabled if it causes
# problems with SSL clients. Disable SSL caching by commenting out the
# following settings:
TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache
TLS_CACHESIZE=524288
##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Maildir
#Hardwire a value for ${MAILDIR}
MAILDIRPATH=.maildir
]]>
</content>
</file>
<command><![CDATA[rc-update add courier-authlib default]]></command>
<command><![CDATA[rc-update add courier-pop3d default]]></command>
<command><![CDATA[rc-update add courier-imapd default]]></command>
<command><![CDATA[/etc/init.d/courier-authlib restart]]></command>
<command><![CDATA[/etc/init.d/courier-pop3d restart]]></command>
<command><![CDATA[/etc/init.d/courier-imapd restart]]></command>
</daemon>
</service>
<!-- FTP services -->
<service type="ftp" title="{{lng.admin.configfiles.ftp}}">
<!-- Proftpd -->
<daemon name="proftpd" title="ProFTPd" default="true">
<command><![CDATA[echo "net-ftp/proftpd mysql" >> /etc/portage/package.use]]></command>
<install><![CDATA[emerge net-ftp/proftpd]]></install>
<file name="/etc/proftpd/create-cert.sh" chown="root:0"
chmod="0700">
<content><![CDATA[#!/bin/bash
[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key
]]>
</content>
</file>
<commands index="1">
<command><![CDATA[/etc/proftpd/create-cert.sh]]></command>
<command><![CDATA[rm -f /etc/proftpd/create-cert.sh]]></command>
</commands>
<file name="/etc/proftpd/proftpd.conf" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
# Server settings
ServerName "<SERVERNAME> FTP Server"
ServerType standalone
ServerIdent off
DefaultServer on
Port 21
MaxInstances 50
# General settings
DeferWelcome on
MultilineRFC2228 on
ShowSymlinks on
AllowOverwrite on
AllowStoreRestart on
AllowRetrieveRestart on
ListOptions "-al"
DisplayChdir .message
UseIPv6 off
# Modules settings
#DelayEngine off
# Timeout settings
TimeoutLogin 120
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 600
# Security settings
RootLogin off
RequireValidShell off
User nobody
Group nogroup
Umask 133 022
DefaultRoot ~
DenyFilter \*.*/
# Per-Directory settings
<Directory /*>
Umask 133 022
AllowOverwrite on
</Directory>
# SQL settings
SQLAuthTypes Crypt
SQLAuthenticate users* groups*
SQLConnectInfo <SQL_DB>@<SQL_HOST> <SQL_UNPRIVILEGED_USER> <SQL_UNPRIVILEGED_PASSWORD>
SQLUserInfo ftp_users username password uid gid homedir shell
SQLGroupInfo ftp_groups groupname gid members
SQLUserWhereClause "login_enabled = 'y'"
SQLLog PASS login
SQLNamedQuery login UPDATE "last_login=now(), login_count=login_count+1 WHERE username='%u'" ftp_users
SQLLog RETR download
SQLNamedQuery download UPDATE "down_count=down_count+1, down_bytes=down_bytes+%b WHERE username='%u'" ftp_users
SQLLog STOR upload
SQLNamedQuery upload UPDATE "up_count=up_count+1, up_bytes=up_bytes+%b WHERE username='%u'" ftp_users
# Quota settings
QuotaEngine on
QuotaShowQuotas on
QuotaDisplayUnits Mb
QuotaLock /var/lock/ftpd.quotatab.lock
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimits.quota_type, ftp_quotalimits.per_session, ftp_quotalimits.limit_type, panel_customers.diskspace*1024 AS bytes_in_avail, ftp_quotalimits.bytes_out_avail, ftp_quotalimits.bytes_xfer_avail, ftp_quotalimits.files_in_avail, ftp_quotalimits.files_out_avail, ftp_quotalimits.files_xfer_avail FROM ftp_users, ftp_quotalimits, panel_customers WHERE ftp_users.username = '%{0}' AND panel_customers.loginname = SUBSTRING_INDEX('%{0}', 'ftp', 1) AND quota_type ='%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
# TLS settings
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd-tls.log
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
#TLSTimeoutHandshake 120
# Really important for WinClients and some clients
TLSOptions NoCertRequest NoSessionReuseRequired
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt
TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key
# Authenticate client that want to use FTP over TLS?
TLSVerifyClient off
# Uncomment the following line to force tls login
#TLSRequired on
</IfModule>
# LOG settings
# Logging Formats
LogFormat default "%h %1 %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
# Activate Logging
# all logins
ExtendedLog /var/log/proftpd-auth.log AUTH auth
# file/dir access
ExtendedLog /var/log/proftpd-access.log WRITE,READ write
# everything (be careful, generates_ very_ big logfiles)
#ExtendedLog /var/log/proftpd-all.log ALL default
# make proftpd faster / do not perform ident and reverse dns lookup
UseReverseDNS off
]]>
</content>
</file>
<command><![CDATA[rc-update add proftpd default]]></command>
<command><![CDATA[/etc/init.d/proftpd restart]]></command>
</daemon>
<!-- Pureftpd -->
<daemon name="pureftpd" title="PureFTPd">
<command><![CDATA[echo "net-ftp/pure-ftpd mysql" >> /etc/portage/package.use]]></command>
<install><![CDATA[emerge net-ftp/pure-ftpd]]></install>
<file name="/etc/conf.d/pure-ftpd" chown="root:0" chmod="0644"
backup="true">
<content><![CDATA[
# Config file for /etc/init.d/pure-ftpd
# Configuration-template by Froxlor
IS_CONFIGURED="yes"
# Server/Port
SERVER="-S 21"
## Number of simultaneous connections in total, and per IP ##
MAX_CONN="-c 30"
MAX_CONN_IP="-C 10"
## Start daemonized in background ##
DAEMON="-B"
## Don't allow uploads if the partition is more full then this var ##
DISK_FULL="-k 90%"
## Authentication mechanism
AUTH="-l mysql:/etc/pureftpd-mysql.conf"
## Misc. Others ##
MISC_OTHER="-A -x -j -Z"
]]>
</content>
</file>
<file name="/etc/pureftpd-mysql.conf" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
MYSQLServer <SQL_HOST>
#MYSQLPort 3306
MYSQLSocket /var/run/mysqld/mysqld.sock
MYSQLUser <SQL_UNPRIVILEGED_USER>
MYSQLPassword <SQL_UNPRIVILEGED_PASSWORD>
MYSQLDatabase <SQL_DB>
MYSQLCrypt Crypt
MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
MYSQLGetUID SELECT uid FROM ftp_users WHERE username="\L" AND login_enabled="y"
MYSQLGetGID SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled="y"
MYSQLGetDir SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y"
MySQLGetQTASZ SELECT panel_customers.diskspace/1024 AS QuotaSize FROM panel_customers, ftp_users WHERE username = "\L" AND panel_customers.loginname = SUBSTRING_INDEX('\L', 'ftp', 1)
]]>
</content>
</file>
<command><![CDATA[rc-update add pure-ftpd default]]></command>
<command><![CDATA[/etc/init.d/pure-ftpd restart]]></command>
</daemon>
<!-- Vsftpd -->
<daemon name="vsftpd" title="vsftpd">
<command><![CDATA[echo "net-ftp/vsftpd pam" >> /etc/portage/package.use]]></command>
<install><![CDATA[emerge net-ftp/vsftpd sys-auth/pam_mysql]]></install>
<file name="/etc/vsftpd/vsftpd.conf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
listen=YES
#listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
ftpd_banner=Welcome to <SERVERNAME> FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
# chroot_list_enable below.
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
#chroot_list_file=/etc/vsftpd.chroot_list
#ls_recurse_enable=YES
secure_chroot_dir=/run/vsftpd/empty
pam_service_name=vsftpd
#rsa_cert_file=/etc/vsftpd/ssl/<SERVERNAME>.pem
#rsa_private_key_file=/etc/vsftpd/ssl/<SERVERNAME>.pem
#ssl_enable=YES
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
allow_anon_ssl=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
]]></content>
</file>
<file name="/etc/pam.d/vsftpd" chown="root:root" chmod="0644">
<content><![CDATA[
# Standard behaviour for ftpd(8).
auth required pam_mysql.so user=<SQL_UNPRIVILEGED_USER> passwd=<SQL_UNPRIVILEGED_PASSWORD> host=<SQL_HOST> db=<SQL_DB> table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1
account required pam_mysql.so user=<SQL_UNPRIVILEGED_USER> passwd=<SQL_UNPRIVILEGED_PASSWORD> host=<SQL_HOST> db=<SQL_DB> table=ftp_users usercolumn=username passwdcolumn=password [where=login_enabled="Y"] crypt=1
#auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
# Standard pam includes
#@include common-account
#@include common-session
#@include common-auth
#auth required pam_shells.so
]]></content>
</file>
<command><![CDATA[rc-update add vsftpd default]]></command>
<command><![CDATA[/etc/init.d/vsftpd restart]]></command>
</daemon>
</service>
<!-- System tools/services -->
<service type="system" title="{{lng.admin.configfiles.etc}}">
<!-- Cronjob -->
<daemon name="cron" title="Cronjob for froxlor"
mandatory="true">
<command><![CDATA[/usr/bin/php <BASE_PATH>scripts/froxlor_master_cronjob.php --run-task 99]]></command>
<command><![CDATA[{{settings.system.crondreload}}]]></command>
</daemon>
<!-- AWstats -->
<daemon name="awstats"
title="Awstats (webalizer alternative)">
<install><![CDATA[emerge www-misc/awstats]]></install>
<command><![CDATA[sed -i.bak 's/^DirData/# DirData/' {{settings.system.awstats_conf}}/awstats.model.conf]]></command>
<command><![CDATA[sed -i.bak 's|^\\(DirIcons=\\).*$|\\1\\"/awstats-icon\\"|' {{settings.system.awstats_conf}}/awstats.model.conf]]></command>
<command><![CDATA[rm /etc/cron.d/awstats]]></command>
</daemon>
<!-- libnss-mysql -->
<daemon name="libnss"
title="libnss-mysql (required for FCGID/php-fpm/mpm-itk)">
<install><![CDATA[emerge sys-auth/libnss-mysql]]></install>
<file name="/etc/libnss-mysql.cfg" chown="root:root"
chmod="0600" backup="true">
<content><![CDATA[
getpwnam SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \
FROM ftp_users \
WHERE username='%1$s' \
AND login_enabled = 'Y' \
ORDER BY LENGTH(username) \
LIMIT 1
getpwuid SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \
FROM ftp_users \
WHERE uid='%1$u' \
AND login_enabled = 'Y' \
ORDER BY LENGTH(username) \
LIMIT 1
getspnam SELECT username,password,FLOOR(UNIX_TIMESTAMP()/86400-1),'1','99999','7','-1','-1','0' \
FROM ftp_users \
WHERE username='%1$s' \
AND login_enabled = 'Y' \
ORDER BY LENGTH(username) \
LIMIT 1
getpwent SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \
FROM ftp_users
getspent SELECT username,password,FLOOR(UNIX_TIMESTAMP()/86400-1),'1','99999','7','-1','-1','0' \
FROM ftp_users
getgrnam SELECT groupname,'x',gid \
FROM ftp_groups \
WHERE groupname='%1$s' \
LIMIT 1
getgrgid SELECT groupname,'x',gid \
FROM ftp_groups \
WHERE gid='%1$u' \
LIMIT 1
getgrent SELECT groupname,'x',gid \
FROM ftp_groups
memsbygid SELECT members \
FROM ftp_groups \
WHERE gid='%1$u'
gidsbymem SELECT CONCAT_WS(',', gid) as gid \
FROM ftp_groups \
WHERE FIND_IN_SET('%1$s', members)
host <SQL_HOST>
database <SQL_DB>
username <SQL_UNPRIVILEGED_USER>
password <SQL_UNPRIVILEGED_PASSWORD>
socket /var/run/mysqld/mysqld.sock
]]>
</content>
</file>
<command>
<!-- if a socket is set for the db-server use it -->
<visibility mode="notempty">{{sql.socket}}</visibility>
<content><![CDATA[sed -i.bak 's|^\\(socket\\).*$|\\1\\"{{sql.socket}}\\"|' /etc/libnss-mysql.cfg]]></content>
</command>
<file name="/etc/libnss-mysql-root.cfg" chown="root:root"
chmod="0600" backup="true">
<content><![CDATA[
username <SQL_UNPRIVILEGED_USER>
password <SQL_UNPRIVILEGED_PASSWORD>
]]>
</content>
</file>
<file name="/etc/nsswitch.conf" backup="true">
<content><![CDATA[
# Make sure that `passwd`, `group` and `shadow` have mysql in their lines
# You should place mysql at the end, so that it is queried after the other mechanisams
#
passwd: compat mysql
group: compat mysql
shadow: compat mysql
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
]]>
</content>
</file>
<command><![CDATA[rc-update add nscd default]]></command>
<command><![CDATA[/etc/init.d/nscd restart]]></command>
<!-- clear group cache -->
<command><![CDATA[nscd --invalidate=group]]></command>
</daemon>
<!-- Logrotate -->
<daemon name="logrotate" title="Logrotate">
<install><![CDATA[emerge app-admin/logrotate]]></install>
<file name="/etc/logrotate.d/froxlor" chown="root:root"
chmod="0644">
<content><![CDATA[
#
# Froxlor logrotate snippet
#
<CUSTOMER_LOGS>*.log {
missingok
daily
rotate 7
compress
delaycompress
notifempty
create
sharedscripts
postrotate
<WEBSERVER_RELOAD_CMD> > /dev/null 2>&1 || true
endscript
}
]]>
</content>
</file>
</daemon>
<!-- FCGID -->
<daemon name="fcgid" title="FCGID (alternative to mod_php)">
<command><![CDATA[echo "dev-lang/php cgi" >> /etc/portage/package.use]]></command>
<install><![CDATA[emerge dev-lang/php sys-auth/libnss-mysql]]></install>
<commands index="1">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[echo "www-servers/apache suexec" >> /etc/portage/package.use]]></command>
</commands>
<install>
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<content><![CDATA[emerge www-servers/apache]]></content>
</install>
<commands index="2">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[# add "-D SUEXEC -D FCGID" to /etc/conf.d/apache2]]></command>
</commands>
<commands index="3">
<visibility mode="true">{{settings.system.mod_fcgid_ownvhost}}
</visibility>
<command><![CDATA[groupadd -f {{settings.system.mod_fcgid_httpgroup}}]]></command>
<command><![CDATA[useradd -s /bin/false -g {{settings.system.mod_fcgid_httpgroup}} {{settings.system.mod_fcgid_httpuser}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_configdir}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_tmpdir}}]]></command>
<command>
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<content><![CDATA[# remove "-D PHP5" from /etc/conf.d/apache2]]></content>
</command>
</commands>
<!-- instead of just restarting apache, we let the cronjob do all the
dirty work -->
<command><![CDATA[php {{const.install_dir}}scripts/froxlor_master_cronjob.php --force]]></command>
</daemon>
<!-- PHP-FPM -->
<daemon name="php-fpm"
title="PHP-FPM (alternative to mod_php)">
<command><![CDATA[echo "dev-lang/php fpm" >> /etc/portage/package.use]]></command>
<install><![CDATA[emerge dev-lang/php sys-auth/libnss-mysql]]></install>
<commands index="1">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[echo "www-servers/apache suexec" >> /etc/portage/package.use]]></command>
</commands>
<install>
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<content><![CDATA[emerge www-servers/apache www-apache/mod_fastcgi]]></content>
</install>
<commands index="2">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[# add "-D FASTCGI -D SUEXEC" to /etc/conf.d/apache2]]></command>
</commands>
<commands index="3">
<visibility mode="true">{{settings.phpfpm.enabled_ownvhost}}
</visibility>
<visibility mode="usernamenotexists">{{settings.phpfpm.vhost_httpuser}}
</visibility>
<command><![CDATA[groupadd -f {{settings.phpfpm.vhost_httpgroup}}]]></command>
<command><![CDATA[useradd -s /bin/false -g {{settings.phpfpm.vhost_httpgroup}} {{settings.phpfpm.vhost_httpuser}}]]></command>
</commands>
<commands index="4">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<visibility mode="true">{{settings.phpfpm.enabled_ownvhost}}
</visibility>
<command><![CDATA[# remove "-D PHP5" from /etc/conf.d/apache2]]></command>
</commands>
<!-- instead of just restarting apache, we let the cronjob do all the
dirty work -->
<command><![CDATA[php {{const.install_dir}}scripts/froxlor_master_cronjob.php --force]]></command>
</daemon>
</service>
</services>
</distribution>
</froxlor>
View Git Blame Copy Permalink