Posts by bytesplit

    To everyone who is using policyd-weight, please check your configuration in /etc/policyd-weight.conf. If you have this line:

    Code
    # line 62 in my config
    'rhsbl.ahbl.org', 1.8, 0, 'AHBL',


    Delete this line and do 'service policyd-weight restart'! Otherwise all mail will get banned by AHBL as they answer every query with YES. Check /var/log/mail.log:

    Code
    Jan 7 16:15:14 maggie postfix/smtpd[18814]: NOQUEUE: reject: RCPT from mxphxpool1028.ebay.com[66.211.184.94]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; in rhsbl.ahbl.org; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mxphxpool1028.ebay.com>


    This German article has more on the topic: http://www.heise.de/newsticker…-Betrieb-ein-2513094.html.


    Most of today's email got banned this way.
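    A small triage script for the situation in this post, added here as example code (it is not from the original post and not part of policyd-weight): it counts Postfix rejects per DNSBL/RHSBL from mail.log lines, so a list that suddenly rejects everything stands out, and it checks a list against the RFC 5782 test entries (for IP lists 127.0.0.2 must be listed and 127.0.0.1 must not be; for domain lists "test" must be listed and "invalid" must not be). A list that returns a positive answer for the entry that must never be listed is answering every query with YES and has to come out of policyd-weight.conf. The log lines and the fake resolvers are constructed for the example, and the way multiple list names are separated in the reject message is an assumption (the post's line shows a single list).

```python
import re
import socket
from collections import Counter

# Tail of a policyd-weight reject line as Postfix logs it:
# "... RCPT from host[ip]: 550 ... DNSBLs; in rhsbl.ahbl.org; from=<...>"
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:"
    r".*?; in (?P<lists>[^;]+);"
)


def rejects_per_list(log_lines):
    """Count rejects per list named after 'in' in the reject message.

    Assumption: when several lists hit, policyd-weight separates their
    names with commas and/or spaces; the post's line shows a single list.
    """
    counts = Counter()
    for line in log_lines:
        m = REJECT_RE.search(line)
        if m:
            for zone in re.split(r"[,\s]+", m.group("lists").strip()):
                counts[zone] += 1
    return counts


def query_name(entry, zone):
    """DNS name to look up for `entry` in `zone` (RFC 5782 encoding)."""
    octets = entry.split(".")
    if len(octets) == 4 and all(o.isdigit() for o in octets):
        return ".".join(reversed(octets)) + "." + zone  # IPv4: reversed octets
    return entry + "." + zone  # RHSBL: the domain name as-is


def resolve_a(name):
    """Live lookup: True if `name` has an A record, i.e. the entry is listed."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def check_list(zone, rhsbl, resolve=resolve_a):
    """Classify a list with the RFC 5782 test entries.

    'ok'               test entry listed, negative entry not listed
    'lists-everything' the entry that must never be listed is listed:
                       the list answers YES to everything, remove it now
    'no-answer'        test entry not listed: dead or unreachable list,
                       harmless for scoring but useless
    """
    must_hit, must_miss = ("test", "invalid") if rhsbl else ("127.0.0.2", "127.0.0.1")
    if resolve(query_name(must_miss, zone)):
        return "lists-everything"
    return "ok" if resolve(query_name(must_hit, zone)) else "no-answer"


def fake_resolver(listed):
    """Constructed stand-in for DNS: a name is listed iff it is in `listed`."""
    return lambda name: name in listed


# Constructed mail.log lines in the format of the post's entry; hosts and
# addresses are documentation placeholders, not real senders.
SAMPLE_LOG = [
    "Jan 7 16:15:14 maggie postfix/smtpd[18814]: NOQUEUE: reject: RCPT from "
    "mx1.example.com[192.0.2.10]: 550 5.7.1 <user@example.net>: Recipient "
    "address rejected: Mail appeared to be SPAM or forged. Ask your "
    "Mail/DNS-Administrator to correct HELO and DNS MX settings or to get "
    "removed from DNSBLs; in rhsbl.ahbl.org; from=<news@example.com> "
    "to=<user@example.net> proto=ESMTP helo=<mx1.example.com>",
    "Jan 7 16:16:02 maggie postfix/smtpd[18814]: NOQUEUE: reject: RCPT from "
    "mail.example.org[198.51.100.7]: 550 5.7.1 <user@example.net>: Recipient "
    "address rejected: Mail appeared to be SPAM or forged. Ask your "
    "Mail/DNS-Administrator to correct HELO and DNS MX settings or to get "
    "removed from DNSBLs; in rhsbl.ahbl.org; from=<a@example.org> "
    "to=<user@example.net> proto=ESMTP helo=<mail.example.org>",
    "Jan 7 16:17:45 maggie postfix/smtpd[18901]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.5]: 550 5.7.1 <user@example.net>: Recipient address "
    "rejected: Mail appeared to be SPAM or forged. Ask your "
    "Mail/DNS-Administrator to correct HELO and DNS MX settings or to get "
    "removed from DNSBLs; in ix.dnsbl.manitu.net; from=<x@example.com> "
    "to=<user@example.net> proto=ESMTP helo=<unknown>",
    "Jan 7 16:18:10 maggie postfix/smtpd[18901]: connect from "
    "mx2.example.com[192.0.2.11]",
]

if __name__ == "__main__":
    for zone, n in rejects_per_list(SAMPLE_LOG).most_common():
        print(f"{n:4d} rejects via {zone}")
    # Live check of the list from the post (needs DNS; a zone that has been
    # shut down completely comes back as 'no-answer')
    print("rhsbl.ahbl.org:", check_list("rhsbl.ahbl.org", rhsbl=True))
```

    Running the live part against a list before adding it to @dnsbl_score or @rhsbl_score, and again whenever the reject count for one list jumps, catches both the "answers YES to everything" failure of this post and the quieter case of a list that has simply gone away.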

    I'd check what happens if you start pptpd manually. Perhaps some configuration file is wrong/has a typo. Please look into the init script and find the command to call the pptpd and then do it at a console. Probably you have to remove some daemon mode. Try something like pptpd --help to see the commands.


    But then a big warning: PPTP is an old insecure protocol. If you want to VPN to your server try L2TP/IPsec, which is hard to configure but has a native Windows client. I can highly recommend OpenVPN as well, which also has a good Windows client available. There are many tutorials available around the internet on how to set up a simple OpenVPN server.

    Hi Siggi


    I think the pool is configured in here: /etc/php5/fpm/pool.d/$yourdomain.com.conf. The problem is that this file is rewritten when the customer changes the mentioned setting. Check here: /etc/imscp/php-fpm/working. The file there is adjusted and then copied to the php5/fpm path. So if you adjust the template file, it will be reused. But the template could be recreated during i-MSCP panel updates.


    For Apache2 there is /etc/apache2/imscp where you can put custom config stuff for each domain. Edits here will only work with mod_php. Probably such an include could make sense for php-fpm as well?

    Hi all,


    I've just updated the SSL setup howto found here. It's now referencing the SHA2 version of the chain certificates. When you correctly create a key/signing request in SHA2, then StartSSL will automatically sign this correctly in SHA2 as well. It's Google who is ending SHA1 as it seems insecure today. Please keep in mind though, that you must revoke a certificate if it's not outdated. This costs around 35 EUR at StartSSL. So it's better to do this change once your certificate is about to expire anyhow.


    A certificate signing request in SHA2 with 4096 bits is done like this:

    Code
    # the new private key is written to the file named by -keyout;
    # without that option it goes to openssl.cnf's default_keyfile (privkey.pem)
    openssl req -nodes -sha256 -new -newkey rsa:4096 -out csr.pem


    I can highly suggest checking your server once configured using a tool like the Qualys SSLLabs Test: https://www.ssllabs.com/ssltest/. There is a comprehensive list of webserver settings here: https://cipherli.st/. And once you have some spare time for reading: https://bettercrypto.org/static/applied-crypto-hardening.pdf. This also mentions Postfix and Dovecot (no courier though!).


    Disclaimer: I'm not related to any of these sites or their owners. I only want to share the security concerns with other users <3 .

    Thanks for the clarification. When it's not in the changelog it can also mean it's not the default, but possible.


    And I checked the Courier stuff. Seems that it uses encrypt and thus the OS specific password schemes. Should be good to go. So the work:

    • database change password string to something hashed (by hand for testing)
    • config changes for dovecot and courier
    • GUI changes for password set/change procedure
    • conversion script for changing scheme (see the samples here in this forum post) and updating iMSCP

    What has been done already? Where is help needed? We may also follow up in PM or on IRC!?

    Just wondering... 1.2 has been released. My database was kept as plain.


    i-MSCP 1.2.0 provides an update that encrypts all passwords (using CRYPT, e.g. SHA512)


    Can I call this manually somewhere? In Mail pass PLAIN in DB you write that conversion is automatic. At least with my horrible test server setup passwords were not converted. And although I could translate everything manually, I'd prefer the official way with upgrade safety and users able to change their passwords via web ui.



    Thanks!

    I'm learning all the time and always willing to continue my learning. Please let's stay polite... I wasn't stating that something IS wrong. I was asking if something COULD be wrong and I am wondering if there is room for improvement. No software is perfect and no developer is perfect either, but that's not the problem... don't be offended by my comments. We are both pros here.


    autoinstaller/Adapter/DebianAdapter.pm has php5enmod ...json... (line 290)

    Code
    # Make sure that PHP modules are enabled
    if(-x '/usr/sbin/php5enmod') {
        my($stdout, $stderr);
        my $rs = execute('php5enmod gd imap intl json mcrypt mysql mysqli mysqlnd pdo pdo_mysql', \$stdout, \$stderr);
        debug($stdout) if $stdout;
        error($stderr) if $stderr && $rs;
        return $rs if $rs;
    }


    If I remove /etc/php5/mods-available/json.ini (which is not included in the dotdeb 5.4 package) php5enmod says:

    Code
    ERROR: /etc/php5/mods-available/json.ini does not exist


    And thus autoinstaller will fail. But according to php5 -m, php5-cgi -m and php5-whatever -m json is there because it is compiled in. Thus it (in my honest personal opinion) is not 100% perfect to use php5enmod for things that could be compiled in. :) That's all I'm talking about.


    I hope this was clear enough :)


    OTOH: if PHP 5.6 is a requirement for running i-MSCP 1.2 then please point me to where I have missed this information. You may retry your test with PHP 5.4, but I wouldn't insist on this to happen.

    Hi Nuxwin,


    sorry for the missing bits... I don't know if my hacked up testing machine can be seen as a reference. Thus I was more interested in the process of checking for modules by searching for ini files. It doesn't seem the perfect approach ;)...


    The installer stopped because it was missing the json.ini in /etc/php5/mods-available. But the file couldn't be there when json is compiled in the main application. So I just created an empty file, ok for the installer. And on we go...


    The interesting information was that nginx is using php5-cgi. I have Apache using FPM, so nginx just could use another pool. That was what I thought. /etc/php/cgi didn't exist, so mcrypt was not active for cgi. Reinstalling php5-cgi solved the problem. So it seems that while we have validation for the used modules by checking mods-available, we do not validate if those mods are loaded at all.


    So perhaps some room for improvements here... :P

    Hi there,


    it looks kind of strange to me. During upgrade to 1.2 first I had the autoinstall not recognize json. It was missing /etc/php5/mods-available/json.ini. My PHP is from dotdeb.org which has json compiled in. I fixed this by simply adding an empty json.ini.


    Now when going to http://serverip:8080/ I get this:

    Code
    An exception has been thrown in file /var/www/imscp/gui/library/shared-functions.php at line 3226:
    PHP extension 'mcrypt' not loaded!


    But mcrypt is loaded at least with 'php -m' and using a phpinfo() on the Apache website. I'm checking through the logs but by default everything seems disabled as all logs are empty. What information could be useful? Where should I check next?


    First of all, I also saw past issues on Trac with PHP modules. Can't we use php -m to check for modules instead of scanning the ini's? The ini approach looks a bit error prone to me.



    Happy new year!
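    A check of the kind this post and the two before it ask for, added here as example code (it is not i-MSCP's installer code and not from the original posts): it asks each PHP SAPI binary with `-m` which extensions are actually loaded and reports the required ones that are missing, instead of looking for ini files in /etc/php5/mods-available. That covers both failure modes from the posts: an extension compiled into the binary (json in the dotdeb build) has no ini but is loaded, and an ini in mods-available says nothing about whether php5-cgi or php5-fpm actually load it. The `php -m` outputs below are constructed for the example; the module list is taken from the installer's php5enmod call, and the binary names php5, php5-cgi and php5-fpm are assumed.

```python
import subprocess

# The modules i-MSCP's installer enables with php5enmod in the post.
REQUIRED = ["gd", "imap", "intl", "json", "mcrypt", "mysql", "mysqli",
            "mysqlnd", "pdo", "pdo_mysql"]


def parse_php_m(output):
    """Set of module names from `php -m` output, lower-cased.

    The output lists one name per line under "[PHP Modules]" and
    "[Zend Modules]" headers; compiled-in extensions appear here even though
    no mods-available/*.ini exists for them. Names are lower-cased because
    `php -m` prints some of them (e.g. "PDO") in upper case.
    """
    modules = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or (line.startswith("[") and line.endswith("]")):
            continue  # blank line or section header
        modules.add(line.lower())
    return modules


def missing_modules(output, required=REQUIRED):
    """Required modules absent from the given `php -m` output, in order."""
    loaded = parse_php_m(output)
    return [m for m in required if m.lower() not in loaded]


def php_m(binary):
    """Run `<binary> -m` for one SAPI and return its stdout."""
    return subprocess.run([binary, "-m"], capture_output=True,
                          text=True, check=True).stdout


def check_sapis(binaries, runner=php_m, required=REQUIRED):
    """Map each SAPI binary to the required modules it does not load.

    `runner` takes a binary name and returns `php -m` output; it is a
    parameter so the check can run on captured output as well as live.
    """
    return {b: missing_modules(runner(b), required) for b in binaries}


# Constructed `php -m` output for a box like the post's: the CLI binary has
# json compiled in (no json.ini exists) and mcrypt loaded, while the php5-cgi
# SAPI is missing mcrypt because its conf.d had no entry for it.
SAMPLE_CLI = """[PHP Modules]
Core
ctype
date
gd
imap
intl
json
mcrypt
mysql
mysqli
mysqlnd
PDO
pdo_mysql

[Zend Modules]
"""
SAMPLE_CGI = SAMPLE_CLI.replace("mcrypt\n", "")

if __name__ == "__main__":
    sample = {"php5": SAMPLE_CLI, "php5-cgi": SAMPLE_CGI}
    for sapi, missing in check_sapis(sample, runner=sample.get).items():
        print(f"{sapi}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
    # Live run against the installed binaries (assumed names); a binary that is
    # not installed is reported rather than aborting the whole check.
    for sapi in ("php5", "php5-cgi", "php5-fpm"):
        try:
            print(sapi, "missing:", missing_modules(php_m(sapi)) or "none")
        except (OSError, subprocess.CalledProcessError) as exc:
            print(sapi, "not usable:", exc)
```

    Checking every SAPI separately is the point: the panel on port 8080 ran under php5-cgi, so a module that `php -m` and the Apache phpinfo() both showed could still be missing exactly where the panel needed it.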

    Thanks Nuxwin!


    Revision now after git up to 1.1.21 is 197. The po_active is now there, so at least here the migration did succeed. Makes me confident that you know what you are doing :)! After fixing the permissions on my custom tables (sql quota and expires) for dovecot_user everything is fine and smooth.


    I will do the migration with 1.2 now that it also has encrypted passwords again. I will report back with my experiences then... I guess ispcp 1.0.7 to imscp 1.2 should work directly!?


    And yes, I've read the news about Dovecot becoming the default. Prayers have been heard, this far at least...


    Final words for this year: I think those still on Courier just have no other choice (time, works for me, etc) but those still on Lenny have no excuse. Lenny (5.0) is, as far as I can find, not supported anymore. Yes, we also do have systems still running squeeze, which indeed is the first LTS from Debian. But Lenny?


    Whatever, let's not fight about the details. Let's make some users (e.g. wives) happy!