Posts by UncleSam

    @Nuxwin


    OK, I removed the "smtp_tls_security_level = may" which is missing, and checked again. After removing it there was no SSL connection between the servers.


    So it seemed to me that it is acting as a client. After searching on the internet I found an article which says that Postfix is always acting as a server for incoming mails and as a client for sending mails. If this is correct, the "smtp_tls_security_level = may" setting is needed too (as it is now in my environment).


    Sources: http://serverfault.com/a/521420 or http://www.ceus-now.com/when-does-postfix-act-like-a-client/


    I am not as deep into Postfix as you are, so it would be great if you could check/verify that if possible. For me, I am adding this client configuration setting because it is working and seems to be needed (for me).

    @Ninos
    No it is still not working.


    Message:


    Code
    certbot-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

    (Seems like after adding my line(s) there is a mistake inside the command line.)

    @Ninos


    Now I got some errors creating new Let's Encrypt certs. The mistake was to modify the "certbot_cmd_create_options" parameter by adding the line:


    Code
    --renew-hook "service nginx reload && service postfix reload && service dovecot reload && service proftpd reload"

    Is there any possibility in the current plugin to use the renew hook (or any post hook which is called on updating certs)?

    Hello,


    I found this document: https://bettercrypto.org/static/applied-crypto-hardening.pdf
    It describes how to strengthen the encryption of different services. By checking it I found (maybe) a problem regarding the Postfix server-to-server SSL connection.


    Postfix
    Currently I-MSCP supports secure connections for the Postfix service, but there are two missing configuration properties which tell it to use them:
    (This can be tested using https://www.checktls.com/perl/TestSender.pl)

    Code
    smtp_tls_security_level = may
    smtpd_tls_security_level = may
    tls_ssl_options = NO_COMPRESSION


    Can you include it in the I-MSCP configuration part?


    Short description:
    may = Tries to send and receive e-mails using SSL encryption. If that is not possible, send them in plain text.
    NO_COMPRESSION: There could be a security risk in using compression.


    Dovecot
    like Postfix: disable compression


    Code
    ssl_options = no_compression
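    The Postfix settings in this post (including the client-side "smtp_tls_security_level" that the first post on this page discusses) and the Dovecot setting can be checked in a config file before reloading anything. The following is an added example, not I-MSCP, Postfix or Dovecot code: it parses "key = value" style config text and reports every expected TLS setting that is missing or differs. The sample config contents, the file paths in them and the audit_* function names are constructed for the example.

```python
# Audit a Postfix main.cf and a Dovecot conf for the TLS settings discussed above.
# Expected: opportunistic TLS for Postfix as server (smtpd_) and as client (smtp_),
# and TLS compression disabled in both daemons.
POSTFIX_EXPECTED = {
    "smtpd_tls_security_level": "may",   # inbound: Postfix acting as server
    "smtp_tls_security_level": "may",    # outbound: Postfix acting as client
    "tls_ssl_options": "NO_COMPRESSION",
}
DOVECOT_EXPECTED = {"ssl_options": "no_compression"}


def parse_kv_config(text):
    """Parse 'key = value' lines (main.cf / dovecot.conf style), skipping blank
    and '#' comment lines. As in Postfix, a later key overrides an earlier one.
    Continuation lines (leading whitespace) are not handled here."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(settings, expected):
    """Return (key, found, wanted) for each expected key that is missing or
    whose value differs (case-insensitively) from the wanted one."""
    issues = []
    for key, want in expected.items():
        got = settings.get(key)
        if got is None or got.lower() != want.lower():
            issues.append((key, got, want))
    return issues


# Constructed sample configs: the server side already has TLS enabled, but the
# client-side security level and the compression options are missing.
SAMPLE_MAIN_CF = """
# constructed main.cf fragment
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
"""
SAMPLE_DOVECOT_CONF = """
ssl = yes
ssl_cert = </etc/dovecot/dovecot.pem
"""


def audit_postfix(text=SAMPLE_MAIN_CF):
    return audit(parse_kv_config(text), POSTFIX_EXPECTED)


def audit_dovecot(text=SAMPLE_DOVECOT_CONF):
    return audit(parse_kv_config(text), DOVECOT_EXPECTED)
```

    To run it against a live system, pass the file contents, e.g. audit_postfix(open("/etc/postfix/main.cf").read()); an empty list means all expected settings are present.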

    Hello,


    Is it possible to create an export and import possibility for keys? Some days ago I moved the server and had to update all DNS settings on my external DNS server. For me it would be easier to import the keys again than to update all DNS records.

    Hello,


    At the moment every plugin which needs some configuration uses its own "config.php" file. This file is overwritten when updating the plugin via the web interface. It would be great not to lose any config files.


    Maybe you could create a backup archive of the plugin before updating it and store it inside a subfolder. So the admin is able to switch to any previous version or to extract the config files if he forgot to back them up (and maybe to restore plugins or the config file from the web interface).

    For the Let's Encrypt I have some suggestions:


    • Option to enable it globally for a domain: for all current and all future subdomains
    • Option to enable HSTS for each domain/subdomain if there is a Let's Encrypt cert for it
    • Option to automatically redirect from http to https
    • Something like a "cancel" and "retry" button if there is an error requesting a certificate

    OK, I tested it now, doing the following steps:


    • created the webpages for the service and admin interface url
    • enabled the let's encrypt for both
    • created a backup of the original files:

      • /etc/imscp/your_admin_domain_path.pem (depending on your domain)
      • /etc/imscp/imscp_services.pem
    • symlinked both certs:

      • ln -s /var/www/imscp/gui/data/certs/your_admin_domain_path.pem /etc/imscp/your_admin_domain_path.pem
      • ln -s /var/www/imscp/gui/data/certs/your_service_domain.pem /etc/imscp/imscp_services.pem
    • gave the symlinks the same permissions as they had before (no idea if this is needed, just to be sure nothing changed for the system):

      • chown -h root:imscp /etc/imscp/your_admin_domain_path.pem
      • chown -h root:imscp /etc/imscp/imscp_services.pem
    • reloaded all services

      • service nginx reload
      • service proftpd reload
      • service dovecot reload
      • service postfix reload
    • verified the new certs using following tools:

      • Tool (for ports 465, 587): https://www.digicert.com/util/ (can show which cert is used on a given port or address)
      • Online e-mail server SSL check: https://de.ssl-tools.net/mailservers
      • Filezilla for ftpes (shows cert dialog on ftpes connect - just enter servername: "ftpes://your_service_domain")
      • Browser for administration interface ssl cert
    • added a certbot post hook to reload all services

      • open "/var/www/imscp/gui/plugins/LetsEncrypt/config.php"
      • add a new array line for post hooks (should look like this if you have not changed it before):
        Code
        'certbot_cmd_create_options' => array(
            '--rsa-key-size 4096',
            '--renew-hook "service nginx reload && service postfix reload && service dovecot reload && service proftpd reload"'
        ),

        (I have chosen to use "--renew-hook" instead of "--post-hook" because it is only called once upon the renew process. "--post-hook" is called on every new certificate too, which is not needed.)

      • go into the admin panel and reload the plugins (to apply the config.php changes)



    And that should be enough. The last part using the "--renew-hook" is not tested (sorry, I have no idea how to test that).