should the ipv6 IP addresses also be created in the imscp panel under Service-Ports?
e.g. service IMAP - IP 2041:0000:140F::875B:131B - Port 143
since today after sury.org update the setup breaks
The following packages have unmet dependencies:
php-common : Breaks: php-apcu (< 5.1.21+4.0.11-7~)
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.
after following update & autoremove:
any idea?
- IMSCP: 1.5.3
- Distribution: Debian 10
- IMSCP: 1.5.3
- Distribution: Debian 9
With my DC provider, the ipv6 shortened is also displayed in the DC default network setup e.g.
Original: 2041:0000:140F:0000:0000:0000:875B:131B
Short: 2041:0000:140F::875B:131B
In the short ipv6 (default) version, the zeros are replaced by a :: wildcard, MXtoolbox finds the right SPF entry with it, but I've seen problems with hotmail and outlook since the ipv6 setup.
Can I use the short ipv6 IP address in postfix and DNS zone or should I convert it as a complete original ipv6 address?
e.g. via:
https://dnschecker.org/ipv6-expand.php
spf looks like this right now:
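On the short-versus-full notation question above, as an added example that is not part of the original post: both spellings parse to the same 128-bit address, so an SPF `ip6:` mechanism written either way matches the same sender. The SPF records below are constructed for illustration, and the function names are this example's own.

```python
import ipaddress

# The two spellings quoted in the post.
SHORT = "2041:0000:140F::875B:131B"
FULL = "2041:0000:140F:0000:0000:0000:875B:131B"

# Constructed SPF records, one per spelling (not the poster's real record).
SPF_SHORT = "v=spf1 mx ip6:" + SHORT + " -all"
SPF_FULL = "v=spf1 mx ip6:" + FULL + " -all"


def ip6_networks(spf_record):
    """Return the ip6: mechanisms of an SPF record as network objects."""
    nets = []
    for term in spf_record.split():
        mech = term.lstrip("+-~?")  # drop the optional qualifier
        if mech.lower().startswith("ip6:"):
            # strict=False accepts host bits set under a prefix length
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return nets


def spf_allows(spf_record, sender_ip):
    """True if sender_ip falls inside any ip6: mechanism of the record."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr.version == 6 and addr in net
               for net in ip6_networks(spf_record))


def canonical(ip):
    """Shortest lower-case text form (the style RFC 5952 recommends)."""
    return ipaddress.ip_address(ip).compressed


if __name__ == "__main__":
    print(canonical(SHORT), canonical(FULL))
    print(spf_allows(SPF_SHORT, FULL), spf_allows(SPF_FULL, SHORT))
```

Comparing addresses as parsed values rather than as strings is what makes the check independent of how the zone file, postfix or the provider's panel happens to write them.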
Because of the use of external DNS, I have created an internal A and AAAA record in the panel for the ipv4 & ipv6 panel domain name, then I revoked the letsencrypt certificate and applied for a new one, now it works!
the current ipv6 entry for the panel looks like this
this wildcard entry does not seem to work and shows an invalid certificate message
shouldn't it contain the complete ipv6 address instead of listen [::]?
Make sure to add your IPv6-IP/net to /etc/network/interfaces (at least this is true for Ubuntu).
Regarding imscp it's basically two files:
10_apache2_dualstack.pl => add your IP
20_named_dualstack.pl => add your IP
10_postfix_tuning.pl => add your directives (described below)
For postfix you need to add:
smtp_bind_address6 = <your_IPv6>
inet_protocols = all
=> http://www.postfix.org/IPV6_README.html
Dovecot might already work out of the box.
If not: add your directive to 40_dovecot_tweaks.pl.
As far as I remember for proftpd I didn't change anything.
many thanks!
postfix is already running I use:
inet_protocols = ipv4, ipv6
you can check ipv6 from here:
https://www.mythic-beasts.com/ipv6/health-check
should I add the 20_named_dualstack.pl when external NS are used?
result
i would like to make all services available via ipv6 in addition to ipv4, what is required for this - are there already listener files which can be used to allow connections for both?
If the credentials were phished somewhere from an external email account, there is nothing you can do (apart from pointing out in the login details that they should not be kept in email mailboxes).
Fail2ban blocks failed logins; if the attacks are aggressive, the fail rate has to be set correspondingly low. Postfwd makes sure that thousands of emails do not go out at once; in addition you can set up monitoring (mail queue limit trigger), e.g. with Zabbix etc.
can same cyphers be used in /etc/nginx/nginx.conf too?
ssl_protocols TLSv1.2;
ssl_ciphers ....
#### edit ###
got it w/ A+ score!
for buster I use:
https://ssl-config.mozilla.org…nssl=1.1.1d&guideline=5.6
1. Edit /etc/apache2/sites-enabled/00_nameserver.conf
A. Substitute
with:
B. Substitute
Code
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
with:
Code
- SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
2. Restart apache2
3. Test with ssllabs.com
Your changes should be kept on reconfigurations also. If you need to reinstall or to run the installer again, you'll need to reapply these changes.
Hope it helps,
bye Kess.
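What the substitution in step B changes, as an added example that is not part of the original post: a small Python audit that splits both SSLCipherSuite strings from the post and groups their tokens. The grouping rules and the `report` keys are this example's own heuristics for these two lists, not OpenSSL's parser.

```python
# Cipher strings copied from the post: OLD is replaced by NEW.
OLD = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)
NEW = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
)
FS_PREFIXES = ("ECDHE-", "DHE-")  # ephemeral key exchange in OpenSSL names


def audit(cipher_string):
    """Group the tokens of an OpenSSL cipher string (heuristic, by name)."""
    report = {"forward_secret": [], "no_forward_secrecy": [], "alias": [],
              "excluded": [], "dss": [], "triple_des": []}
    for token in cipher_string.split(":"):
        if token.startswith("!"):            # permanently excluded
            report["excluded"].append(token[1:])
        elif "+" in token or "-" not in token:
            report["alias"].append(token)    # expands to many suites
        else:
            key = ("forward_secret" if token.startswith(FS_PREFIXES)
                   else "no_forward_secrecy")
            report[key].append(token)
            if "-DSS-" in token:
                report["dss"].append(token)
            if "DES-CBC3" in token:
                report["triple_des"].append(token)
    return report


def removed_by_change(old, new):
    """Enabled tokens of the old string that the new string no longer lists."""
    kept = set(new.split(":"))
    return [t for t in old.split(":") if not t.startswith("!") and t not in kept]
```

Run against the two strings, the audit shows the replacement dropping every alias, every suite without an ECDHE/DHE key exchange, and the DSS and 3DES entries, leaving only explicitly named forward-secret suites.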
Thanks Kess, looks good to me!
I did several tests this morning (snap certbot) with your OpenSSL.pm patch:
- Create, renew, revoke and restore works for all LE Certificates
- Installing purchased certificates works
- it survives an i-mscp reconfiguration (setup) no errors occurred
- even after the reconfiguration everything works as above (create, renew, revoke, restore incl. edit and save purchased certificates)
so everything should work!
OK guys, it seems I found the way to renew certificates per cron job in the normal way.
Thank you to vege.net for your hint here LetsEncrypt - SSL certificate is not valid but unfortunately it's not complete.
The following little modification works for LE certificates and for paid certificates.
Edit file /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm and instead of modifying line 134 as stated in the previous post, just add the little code below.
Code
- 132. my $cmd = [
- 133. 'openssl', 'verify',
- 134. ( ( $self->{'ca_bundle_container_path'} ne '' ) ? ( '-CAfile', $self->{'ca_bundle_container_path'} ) : () ),
- 135. '-purpose', 'sslserver', $self->{'certificate_container_path'}
- 136. ];
- 137.
- 138. my $rs = execute( $cmd, \ my $stdout, \ my $stderr );
- 139. debug( $stdout ) if $stdout;
- # BEGIN: Check certificates validity for Let's Encrypt certificates on renewal
- if ( $rs && ( $self->{'ca_bundle_container_path'} ne '' ) ) {
- $cmd = [
- 'openssl', 'verify',
- '-purpose', 'sslserver', $self->{'certificate_container_path'}
- ];
- $rs = execute( $cmd, \ $stdout, \ $stderr );
- debug( $stdout ) if $stdout;
- }
- # END: Check certificates validity for Let's Encrypt certificates on renewal
Please let me know if it works for you also,
bye Kess.