clones/Froxlor
1
0
Fork 0
mirror of https://github.com/Froxlor/Froxlor.git synced 2024-09-21 10:27:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
main
Froxlor/lib/configfiles/focal.xml

4300 lines
145 KiB
XML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<froxlor>
<distribution name="Ubuntu" codename="Focal"
version="20.04" defaulteditor="/bin/nano">
<!-- OS defaults to be loaded on installation -->
<defaults>
<default settinggroup="system" varname="nssextrausers" value="1"></default>
<default for="lighttpd" settinggroup="system" varname="apacheconf_vhost" value="/etc/lighttpd/conf-enabled/"></default>
<default for="lighttpd" settinggroup="system" varname="apacheconf_diroptions" value="/etc/lighttpd/froxlor-diroptions/"></default>
<default for="lighttpd" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/lighttpd/froxlor-htpasswd/"></default>
<default for="lighttpd" settinggroup="system" varname="apachereload_command" value="service lighttpd reload"></default>
<default for="lighttpd" settinggroup="system" varname="letsencryptacmeconf" value="/etc/lighttpd/acme.conf"></default>+
<default for="lighttpd" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/lighttpd/"></default>
<default for="nginx" settinggroup="system" varname="apacheconf_vhost" value="/etc/nginx/sites-enabled/"></default>
<default for="nginx" settinggroup="system" varname="apacheconf_diroptions" value="/etc/nginx/sites-enabled/"></default>
<default for="nginx" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/nginx/froxlor-htpasswd/"></default>
<default for="nginx" settinggroup="system" varname="apachereload_command" value="service nginx reload"></default>
<default for="nginx" settinggroup="system" varname="letsencryptacmeconf" value="/etc/nginx/acme.conf"></default>
<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/nginx/"></default>
</defaults>
<services>
<!-- HTTP -->
<service type="http" title="{{lng.admin.configfiles.http}}">
<!-- general HTTP commands -->
<general>
<commands index="1">
<command>
<visibility mode="isdir">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.apacheconf_vhost}}]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[touch {{settings.system.apacheconf_vhost}}]]></content>
</command>
<command><![CDATA[chown root:0 {{settings.system.apacheconf_vhost}}]]></command>
<command><![CDATA[chmod 0600 {{settings.system.apacheconf_vhost}}]]></command>
<command>
<visibility mode="isdir">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.apacheconf_diroptions}}]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[touch {{settings.system.apacheconf_diroptions}}]]></content>
</command>
<command><![CDATA[chown root:0 {{settings.system.apacheconf_diroptions}}]]></command>
<command><![CDATA[chmod 0600 {{settings.system.apacheconf_diroptions}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.documentroot_prefix}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.logfiles_directory}}]]></command>
<command>
<visibility mode="notempty">{{settings.system.deactivateddocroot}}
</visibility>
<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
</command>
</commands>
</general>
<!-- HTTP Apache -->
<daemon name="apache" version="2.4" title="Apache 2.4"
default="true">
<install><![CDATA[apt-get install apache2]]></install>
<include>//service[@type='http']/general/commands</include>
<command><![CDATA[a2dismod userdir]]></command>
<command><![CDATA[a2enmod headers]]></command>
<command>
<visibility mode="true">{{settings.system.use_ssl}}
</visibility>
<content><![CDATA[a2enmod ssl]]></content>
</command>
<command>
<visibility mode="true">{{settings.phpfpm.enabled}}
</visibility>
<content><![CDATA[
# Please remember to activate the use of mod_proxy / mod_proxy_fcgi in the PHP-FPM settings!!!
a2enmod proxy_fcgi
]]></content>
</command>
<file name="{{settings.system.letsencryptacmeconf}}">
<visibility mode="true">{{settings.system.leenabled}}
</visibility>
<content><![CDATA[
Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
Require all granted
</Directory>
]]>
</content>
</file>
<command><![CDATA[{{settings.system.apachereload_command}}]]></command>
</daemon>
<!-- HTTP Lighttpd -->
<daemon name="lighttpd" title="LigHTTPd (deprecated)">
<install><![CDATA[apt-get install lighttpd]]></install>
<file name="/etc/lighttpd/lighttpd.conf">
<content><![CDATA[
server.modules = (
"mod_access",
"mod_alias",
"mod_compress",
"mod_redirect",
"mod_rewrite",
"mod_setenv",
)
server.document-root = "/var/www"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 80
index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )
alias.url += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
]]>
</content>
</file>
<include>//service[@type='http']/general/commands</include>
<command>
<visibility mode="isdir">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[echo -e '\\ninclude_shell "cat {{settings.system.apacheconf_vhost}}*.conf"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_vhost}}
</visibility>
<content><![CDATA[echo -e '\\ninclude "{{settings.system.apacheconf_vhost}}"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isdir">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[echo -e '\\ninclude_shell "cat {{settings.system.apacheconf_diroptions}}*.conf"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command>
<visibility mode="isfile">{{settings.system.apacheconf_diroptions}}
</visibility>
<content><![CDATA[echo -e '\\ninclude "{{settings.system.apacheconf_diroptions}}"' >> /etc/lighttpd/lighttpd.conf]]></content>
</command>
<command><![CDATA[lighty-disable-mod cgi]]></command>
<command><![CDATA[lighty-disable-mod fastcgi]]></command>
<command><![CDATA[{{settings.system.apachereload_command}}]]></command>
</daemon>
<!-- HTTP Nginx -->
<daemon name="nginx" title="nginx">
<install><![CDATA[apt-get install nginx]]></install>
<install>
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[apt-get install php-cgi]]></content>
</install>
<file name="/etc/nginx/nginx.conf" backup="true">
<content><![CDATA[
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
]]>
</content>
</file>
<file name="/etc/nginx/fastcgi_params" backup="true">
<content><![CDATA[
fastcgi_connect_timeout 65;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
]]>
</content>
</file>
<file name="{{settings.system.letsencryptacmeconf}}">
<visibility mode="true">{{settings.system.leenabled}}
</visibility>
<content><![CDATA[
location /.well-known/acme-challenge {
alias {{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge;
location ~ /.well-known/acme-challenge/(.*) {
default_type text/plain;
}
}
]]>
</content>
</file>
<file name="/etc/init.d/php-fcgi" backup="true" chmod="u+x">
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[
#!/bin/bash
BIND="127.0.0.1:8888"
USER="www-data"
PHP_FCGI_CHILDREN="15"
PHP_FCGI_MAX_REQUESTS="1000"
PHP_CGI="/usr/bin/php-cgi"
PHP_CGI_NAME="$(basename ${PHP_CGI})"
PHP_CGI_ARGS="- USER=${USER} PATH=/usr/bin PHP_FCGI_CHILDREN=${PHP_FCGI_CHILDREN} PHP_FCGI_MAX_REQUESTS=${PHP_FCGI_MAX_REQUESTS} ${PHP_CGI} -b ${BIND}"
RETVAL="0"
start() {
echo -n "Starting PHP FastCGI: "
start-stop-daemon --quiet --start --background --chuid "$USER" --exec /usr/bin/env -- $PHP_CGI_ARGS
RETVAL="$?"
echo "${PHP_CGI_NAME}."
}
stop() {
echo -n "Stopping PHP FastCGI: "
killall -q -w -u ${USER} ${PHP_CGI}
RETVAL="$?"
echo "${PHP_CGI_NAME}."
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo "Usage: php-fastcgi {start|stop|restart}"
exit 1
;;
esac
exit "$RETVAL"
]]>
</content>
</file>
<include>//service[@type='http']/general/commands</include>
<command>
<visibility mode="false">{{settings.phpfpm.enabled}}
</visibility>
<visibility mode="false">{{settings.system.mod_fcgid}}
</visibility>
<content><![CDATA[/etc/init.d/php-fcgi restart]]></content>
</command>
<command><![CDATA[{{settings.system.apachereload_command}}]]></command>
</daemon>
</service>
<!--DNS -->
<service type="dns" title="{{lng.admin.configfiles.dns}}">
<!--Bind9 -->
<daemon name="bind" title="Bind9 nameserver" default="true">
<install><![CDATA[apt-get install bind9]]></install>
<command><![CDATA[echo "include \"{{settings.system.bindconf_directory}}froxlor_bind.conf\";" >> /etc/bind/named.conf.local]]></command>
<command><![CDATA[touch {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[chown bind:0 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[chmod 0644 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command>
<command><![CDATA[service bind9 restart]]></command>
</daemon>
<daemon name="powerdns" title="PowerDNS (standalone)">
<install><![CDATA[apt-get install pdns-server pdns-backend-mysql]]></install>
<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
<content><![CDATA[
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
#################################
# allow-recursion List of subnets that are allowed to recurse
#
allow-recursion=127.0.0.1
#################################
# also-notify When notifying a domain, also notify these nameservers
#
# also-notify=
#################################
# any-to-tcp Answer ANY queries with tc=1, shunting to TCP
#
# any-to-tcp=no
#################################
# cache-ttl Seconds to store packets in the PacketCache
#
# cache-ttl=20
#################################
# carbon-interval Number of seconds between carbon (graphite) updates
#
# carbon-interval=30
#################################
# carbon-ourname If set, overrides our reported hostname for carbon stats
#
# carbon-ourname=
#################################
# carbon-server If set, send metrics in carbon (graphite) format to this server
#
# carbon-server=
#################################
# chroot If set, chroot to this directory for more security
#
# chroot=
#################################
# config-dir Location of configuration directory (pdns.conf)
#
config-dir=/etc/powerdns
#################################
# config-name Name of this virtual configuration - will rename the binary image
#
# config-name=
#################################
# control-console Debugging switch - don't use
#
# control-console=no
#################################
# daemon Operate as a daemon
#
daemon=yes
#################################
# default-ksk-algorithms Default KSK algorithms
#
# default-ksk-algorithms=rsasha256
#################################
# default-ksk-size Default KSK size (0 means default)
#
# default-ksk-size=0
#################################
# default-soa-mail mail address to insert in the SOA record if none set in the backend
#
# default-soa-mail=
#################################
# default-soa-name name to insert in the SOA record if none set in the backend
#
# default-soa-name=a.misconfigured.powerdns.server
#################################
# default-ttl Seconds a result is valid if not set otherwise
#
# default-ttl=3600
#################################
# default-zsk-algorithms Default ZSK algorithms
#
# default-zsk-algorithms=rsasha256
#################################
# default-zsk-size Default ZSK size (0 means default)
#
# default-zsk-size=0
#################################
# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis
#
# direct-dnskey=no
#################################
# disable-axfr Disable zonetransfers but do allow TCP queries
#
# disable-axfr=no
#################################
# disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing.
#
# disable-axfr-rectify=no
#################################
# disable-tcp Do not listen to TCP queries
#
# disable-tcp=no
#################################
# distributor-threads Default number of Distributor (backend) threads to start
#
# distributor-threads=3
#################################
# do-ipv6-additional-processing Do AAAA additional processing
#
# do-ipv6-additional-processing=yes
#################################
# edns-subnet-processing If we should act on EDNS Subnet options
#
# edns-subnet-processing=no
#################################
# entropy-source If set, read entropy from this file
#
# entropy-source=/dev/urandom
#################################
# experimental-api-key REST API Static authentication key (required for API use)
#
# experimental-api-key=
#################################
# experimental-api-readonly If the JSON API should disallow data modification
#
# experimental-api-readonly=no
#################################
# experimental-dname-processing If we should support DNAME records
#
# experimental-dname-processing=no
#################################
# experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# experimental-dnsupdate=no
#################################
# experimental-json-interface If the webserver should serve JSON data
#
# experimental-json-interface=no
#################################
# experimental-logfile Filename of the log file for JSON parser
#
# experimental-logfile=/var/log/pdns.log
#################################
# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
#
# forward-dnsupdate=yes
#################################
# guardian Run within a guardian process
#
guardian=yes
#################################
# include-dir Include *.conf files from this directory
#
# include-dir=
#################################
# launch Which backends to launch and order to query them in
#
# launch=
#################################
# load-modules Load this module - supply absolute or relative path
#
# load-modules=
#################################
# local-address Local IP addresses to which we bind
#
local-address=<SERVERIP>,127.0.0.1
#################################
# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server
#
# local-address-nonexist-fail=yes
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=
#################################
# local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server
#
# local-ipv6-nonexist-fail=yes
#################################
# local-port The port on which we listen
#
# local-port=53
#################################
# log-dns-details If PDNS should log DNS non-erroneous details
#
# log-dns-details=no
#################################
# log-dns-queries If PDNS should log all incoming DNS queries
#
# log-dns-queries=no
#################################
# logging-facility Log under a specific facility
#
# logging-facility=
#################################
# loglevel Amount of logging. Higher is more. Do not set below 3
#
# loglevel=4
#################################
# lua-prequery-script Lua script with prequery handler
#
# lua-prequery-script=
#################################
# master Act as a master
#
master=yes
#################################
# max-cache-entries Maximum number of cache entries
#
# max-cache-entries=1000000
#################################
# max-ent-entries Maximum number of empty non-terminals in a zone
#
# max-ent-entries=100000
#################################
# max-nsec3-iterations Limit the number of NSEC3 hash iterations
#
# max-nsec3-iterations=500
#################################
# max-queue-length Maximum queuelength before considering situation lost
#
# max-queue-length=5000
#################################
# max-signature-cache-entries Maximum number of signatures cache entries
#
# max-signature-cache-entries=
#################################
# max-tcp-connections Maximum number of TCP connections
#
# max-tcp-connections=10
#################################
# module-dir Default directory for modules
#
# module-dir=/usr/lib/TRIPLET/pdns
#################################
# negquery-cache-ttl Seconds to store negative query results in the QueryCache
#
# negquery-cache-ttl=60
#################################
# no-shuffle Set this to prevent random shuffling of answers - for regression testing
#
# no-shuffle=off
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
#################################
# out-of-zone-additional-processing Do out of zone additional processing
#
# out-of-zone-additional-processing=yes
#################################
# overload-queue-length Maximum queuelength moving to packetcache only
#
# overload-queue-length=0
#################################
# pipebackend-abi-version Version of the pipe backend ABI
#
# pipebackend-abi-version=1
#################################
# prevent-self-notification Don't send notifications to what we think is ourself
#
# prevent-self-notification=yes
#################################
# query-cache-ttl Seconds to store query results in the QueryCache
#
# query-cache-ttl=20
#################################
# query-local-address Source IP address for sending queries
#
# query-local-address=0.0.0.0
#################################
# query-local-address6 Source IPv6 address for sending queries
#
# query-local-address6=::
#################################
# query-logging Hint backends that queries should be logged
#
# query-logging=no
#################################
# queue-limit Maximum number of milliseconds to queue a query
#
# queue-limit=1500
#################################
# receiver-threads Default number of receiver threads to start
#
# receiver-threads=1
#################################
# recursive-cache-ttl Seconds to store packets for recursive queries in the PacketCache
#
# recursive-cache-ttl=10
#################################
# recursor If recursion is desired, IP address of a recursing nameserver
#
# recursor=no
#################################
# retrieval-threads Number of AXFR-retrieval threads for slave operation
#
# retrieval-threads=2
#################################
# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
#
# reuseport=no
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
#################################
# send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority
#
# send-root-referral=no
#################################
# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
#
# server-id=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns
#################################
# signing-threads Default number of signer threads to start
#
# signing-threads=3
#################################
# slave Act as a slave
#
# slave=no
#################################
# slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds
#
# slave-cycle-interval=60
#################################
# slave-renotify If we should send out notifications for slaved updates
#
# slave-renotify=no
#################################
# soa-expire-default Default SOA expire
#
# soa-expire-default=604800
#################################
# soa-minimum-ttl Default SOA minimum ttl
#
# soa-minimum-ttl=3600
#################################
# soa-refresh-default Default SOA refresh
#
# soa-refresh-default=10800
#################################
# soa-retry-default Default SOA retry
#
# soa-retry-default=3600
#################################
# socket-dir Where the controlsocket will live
#
# socket-dir=/var/run
#################################
# tcp-control-address If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-address=
#################################
# tcp-control-port If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-port=53000
#################################
# tcp-control-range If set, remote control of PowerDNS is possible over these networks only
#
# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
#################################
# tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret
#
# tcp-control-secret=
#################################
# traceback-handler Enable the traceback handler (Linux only)
#
# traceback-handler=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
#################################
# udp-truncation-threshold Maximum UDP response size before we truncate
#
# udp-truncation-threshold=1680
#################################
# version-string PowerDNS version in packets - full, anonymous, powerdns or custom
#
version-string=powerdns
#################################
# webserver Start a webserver for monitoring
#
# webserver=no
#################################
# webserver-address IP Address of webserver to listen on
#
# webserver-address=127.0.0.1
#################################
# webserver-allow-from Webserver access is only allowed from these subnets
#
# webserver-allow-from=0.0.0.0/0,::/0
#################################
# webserver-password Password required for accessing the webserver
#
# webserver-password=
#################################
# webserver-port Port of webserver to listen on
#
# webserver-port=8081
#################################
# webserver-print-arguments If the webserver should print arguments
#
# webserver-print-arguments=no
# include froxlor-bind-specific config
include-dir=/etc/powerdns/froxlor/
]]>
</content>
</file>
<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
chown="root:pdns" chmod="640">
<content><![CDATA[
# mysql-settings / you need to create the power-dns database for yourself!
launch=gmysql
gmysql-host=127.0.0.1
gmysql-port=3306
gmysql-dbname=pdns
gmysql-user=powerdns
gmysql-group=client
gmysql-password=
#gmysql-ssl-ca-file=
#gmysql-ssl-verify-server-certificate=0
]]>
</content>
</file>
<command><![CDATA[service pdns restart]]></command>
</daemon>
<daemon name="powerdns_bind"
title="PowerDNS via bind-backend">
<install><![CDATA[apt-get install pdns-server]]></install>
<file name="/etc/powerdns/pdns.conf" backup="true" chown="root:pdns" chmod="640">
<content><![CDATA[
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
# allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP>
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
#################################
# allow-recursion List of subnets that are allowed to recurse
#
allow-recursion=127.0.0.1
#################################
# also-notify When notifying a domain, also notify these nameservers
#
# also-notify=
#################################
# any-to-tcp Answer ANY queries with tc=1, shunting to TCP
#
# any-to-tcp=no
#################################
# cache-ttl Seconds to store packets in the PacketCache
#
# cache-ttl=20
#################################
# carbon-interval Number of seconds between carbon (graphite) updates
#
# carbon-interval=30
#################################
# carbon-ourname If set, overrides our reported hostname for carbon stats
#
# carbon-ourname=
#################################
# carbon-server If set, send metrics in carbon (graphite) format to this server
#
# carbon-server=
#################################
# chroot If set, chroot to this directory for more security
#
# chroot=
#################################
# config-dir Location of configuration directory (pdns.conf)
#
config-dir=/etc/powerdns
#################################
# config-name Name of this virtual configuration - will rename the binary image
#
# config-name=
#################################
# control-console Debugging switch - don't use
#
# control-console=no
#################################
# daemon Operate as a daemon
#
daemon=yes
#################################
# default-ksk-algorithms Default KSK algorithms
#
# default-ksk-algorithms=rsasha256
#################################
# default-ksk-size Default KSK size (0 means default)
#
# default-ksk-size=0
#################################
# default-soa-mail mail address to insert in the SOA record if none set in the backend
#
# default-soa-mail=
#################################
# default-soa-name name to insert in the SOA record if none set in the backend
#
# default-soa-name=a.misconfigured.powerdns.server
#################################
# default-ttl Seconds a result is valid if not set otherwise
#
# default-ttl=3600
#################################
# default-zsk-algorithms Default ZSK algorithms
#
# default-zsk-algorithms=rsasha256
#################################
# default-zsk-size Default ZSK size (0 means default)
#
# default-zsk-size=0
#################################
# direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis
#
# direct-dnskey=no
#################################
# disable-axfr Disable zonetransfers but do allow TCP queries
#
# disable-axfr=no
#################################
# disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing.
#
# disable-axfr-rectify=no
#################################
# disable-tcp Do not listen to TCP queries
#
# disable-tcp=no
#################################
# distributor-threads Default number of Distributor (backend) threads to start
#
# distributor-threads=3
#################################
# do-ipv6-additional-processing Do AAAA additional processing
#
# do-ipv6-additional-processing=yes
#################################
# edns-subnet-processing If we should act on EDNS Subnet options
#
# edns-subnet-processing=no
#################################
# entropy-source If set, read entropy from this file
#
# entropy-source=/dev/urandom
#################################
# experimental-api-key REST API Static authentication key (required for API use)
#
# experimental-api-key=
#################################
# experimental-api-readonly If the JSON API should disallow data modification
#
# experimental-api-readonly=no
#################################
# experimental-dname-processing If we should support DNAME records
#
# experimental-dname-processing=no
#################################
# experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# experimental-dnsupdate=no
#################################
# experimental-json-interface If the webserver should serve JSON data
#
# experimental-json-interface=no
#################################
# experimental-logfile Filename of the log file for JSON parser
#
# experimental-logfile=/var/log/pdns.log
#################################
# forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
#
# forward-dnsupdate=yes
#################################
# guardian Run within a guardian process
#
guardian=yes
#################################
# include-dir Include *.conf files from this directory
#
# include-dir=
#################################
# launch Which backends to launch and order to query them in
#
# launch=
launch=bind
#################################
# load-modules Load this module - supply absolute or relative path
#
# load-modules=
#################################
# local-address Local IP addresses to which we bind
#
local-address=<SERVERIP>,127.0.0.1
#################################
# local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server
#
# local-address-nonexist-fail=yes
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=
#################################
# local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server
#
# local-ipv6-nonexist-fail=yes
#################################
# local-port The port on which we listen
#
# local-port=53
#################################
# log-dns-details If PDNS should log DNS non-erroneous details
#
# log-dns-details=no
#################################
# log-dns-queries If PDNS should log all incoming DNS queries
#
# log-dns-queries=no
#################################
# logging-facility Log under a specific facility
#
# logging-facility=
#################################
# loglevel Amount of logging. Higher is more. Do not set below 3
#
# loglevel=4
#################################
# lua-prequery-script Lua script with prequery handler
#
# lua-prequery-script=
#################################
# master Act as a master
#
master=yes
#################################
# max-cache-entries Maximum number of cache entries
#
# max-cache-entries=1000000
#################################
# max-ent-entries Maximum number of empty non-terminals in a zone
#
# max-ent-entries=100000
#################################
# max-nsec3-iterations Limit the number of NSEC3 hash iterations
#
# max-nsec3-iterations=500
#################################
# max-queue-length Maximum queuelength before considering situation lost
#
# max-queue-length=5000
#################################
# max-signature-cache-entries Maximum number of signatures cache entries
#
# max-signature-cache-entries=
#################################
# max-tcp-connections Maximum number of TCP connections
#
# max-tcp-connections=10
#################################
# module-dir Default directory for modules
#
# module-dir=/usr/lib/TRIPLET/pdns
#################################
# negquery-cache-ttl Seconds to store negative query results in the QueryCache
#
# negquery-cache-ttl=60
#################################
# no-shuffle Set this to prevent random shuffling of answers - for regression testing
#
# no-shuffle=off
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
#################################
# out-of-zone-additional-processing Do out of zone additional processing
#
# out-of-zone-additional-processing=yes
#################################
# overload-queue-length Maximum queuelength moving to packetcache only
#
# overload-queue-length=0
#################################
# pipebackend-abi-version Version of the pipe backend ABI
#
# pipebackend-abi-version=1
#################################
# prevent-self-notification Don't send notifications to what we think is ourself
#
# prevent-self-notification=yes
#################################
# query-cache-ttl Seconds to store query results in the QueryCache
#
# query-cache-ttl=20
#################################
# query-local-address Source IP address for sending queries
#
# query-local-address=0.0.0.0
#################################
# query-local-address6 Source IPv6 address for sending queries
#
# query-local-address6=::
#################################
# query-logging Hint backends that queries should be logged
#
# query-logging=no
#################################
# queue-limit Maximum number of milliseconds to queue a query
#
# queue-limit=1500
#################################
# receiver-threads Default number of receiver threads to start
#
# receiver-threads=1
#################################
# recursive-cache-ttl Seconds to store packets for recursive queries in the PacketCache
#
# recursive-cache-ttl=10
#################################
# recursor If recursion is desired, IP address of a recursing nameserver
#
# recursor=no
#################################
# retrieval-threads Number of AXFR-retrieval threads for slave operation
#
# retrieval-threads=2
#################################
# reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
#
# reuseport=no
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
#################################
# send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority
#
# send-root-referral=no
#################################
# server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom
#
# server-id=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns
#################################
# signing-threads Default number of signer threads to start
#
# signing-threads=3
#################################
# slave Act as a slave
#
# slave=no
#################################
# slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds
#
# slave-cycle-interval=60
#################################
# slave-renotify If we should send out notifications for slaved updates
#
# slave-renotify=no
#################################
# soa-expire-default Default SOA expire
#
# soa-expire-default=604800
#################################
# soa-minimum-ttl Default SOA minimum ttl
#
# soa-minimum-ttl=3600
#################################
# soa-refresh-default Default SOA refresh
#
# soa-refresh-default=10800
#################################
# soa-retry-default Default SOA retry
#
# soa-retry-default=3600
#################################
# socket-dir Where the controlsocket will live
#
# socket-dir=/var/run
#################################
# tcp-control-address If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-address=
#################################
# tcp-control-port If set, PowerDNS can be controlled over TCP on this address
#
# tcp-control-port=53000
#################################
# tcp-control-range If set, remote control of PowerDNS is possible over these networks only
#
# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
#################################
# tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret
#
# tcp-control-secret=
#################################
# traceback-handler Enable the traceback handler (Linux only)
#
# traceback-handler=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
#################################
# udp-truncation-threshold Maximum UDP response size before we truncate
#
# udp-truncation-threshold=1680
#################################
# version-string PowerDNS version in packets - full, anonymous, powerdns or custom
#
version-string=powerdns
#################################
# webserver Start a webserver for monitoring
#
# webserver=no
#################################
# webserver-address IP Address of webserver to listen on
#
# webserver-address=127.0.0.1
#################################
# webserver-allow-from Webserver access is only allowed from these subnets
#
# webserver-allow-from=0.0.0.0/0,::/0
#################################
# webserver-password Password required for accessing the webserver
#
# webserver-password=
#################################
# webserver-port Port of webserver to listen on
#
# webserver-port=8081
#################################
# webserver-print-arguments If the webserver should print arguments
#
# webserver-print-arguments=no
# include froxlor-bind-specific config
include-dir=/etc/powerdns/froxlor/
]]>
</content>
</file>
<command><![CDATA[mkdir -p /etc/powerdns/froxlor/]]></command>
<file name="/etc/powerdns/froxlor/pdns_froxlor.conf"
chown="root:pdns" chmod="640">
<content><![CDATA[
# Bind backend configuration
# Location of the Bind configuration file to parse.
bind-config=<BIND_CONFIG_PATH>named.conf
# How often to check for zone changes. See 'Operation' section.
bind-check-interval=180
# Uncomment to enable Huffman compression on zone data.
# Currently saves around 20% of memory actually used, but slows down operation.
# bind-enable-huffman
]]>
</content>
</file>
<command><![CDATA[service pdns restart]]></command>
</daemon>
</service>
<!-- SMTP services -->
<service type="smtp" title="{{lng.admin.configfiles.smtp}}">
<!-- general SMTP commands -->
<general>
<commands index="1">
<command>
<visibility mode="groupnotexists">{{settings.system.vmail_gid}}
</visibility>
<content><![CDATA[groupadd -g {{settings.system.vmail_gid}} vmail]]></content>
</command>
<command>
<visibility mode="usernotexists">{{settings.system.vmail_uid}}
</visibility>
<content><![CDATA[useradd -u {{settings.system.vmail_uid}} -g vmail vmail]]></content>
</command>
</commands>
<installs index="1">
<install><![CDATA[apt-get install postfix postfix-mysql]]></install>
</installs>
<commands index="2">
<command><![CDATA[mkdir -p /var/spool/postfix/etc/pam.d]]></command>
<command><![CDATA[mkdir -p /var/spool/postfix/var/run/mysqld]]></command>
<command><![CDATA[mkdir -p {{settings.system.vmail_homedir}}]]></command>
<command><![CDATA[chown -R {{settings.system.vmail_uid}}:{{settings.system.vmail_gid}} {{settings.system.vmail_homedir}}]]></command>
<command><![CDATA[chmod 0750 {{settings.system.vmail_homedir}}]]></command>
</commands>
<files index="0">
<file name="/etc/postfix/mysql-virtual_alias_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT destination FROM mail_virtual AS v, panel_customers AS c WHERE c.customerid = v.customerid AND c.deactivated = 0 AND v.email = '%s' AND trim(v.destination) <> ''
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_mailbox_domains.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_mailbox_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT CONCAT(homedir,maildir) FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_sender_permissions.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
hosts = <SQL_HOST>
query = SELECT DISTINCT username FROM mail_users WHERE email in ((SELECT mail_virtual.email_full FROM mail_virtual WHERE mail_virtual.email = '%s' UNION SELECT mail_virtual.destination FROM mail_virtual WHERE mail_virtual.email = '%s'));
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_uid_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT uid FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/postfix/mysql-virtual_gid_maps.cf"
chown="root:postfix" chmod="0640">
<content><![CDATA[
user = <SQL_UNPRIVILEGED_USER>
password = <SQL_UNPRIVILEGED_PASSWORD>
dbname = <SQL_DB>
expansion_limit = 1
hosts = <SQL_HOST>
query = SELECT gid FROM mail_users WHERE email = '%s'
]]>
</content>
</file>
<file name="/etc/aliases" backup="true">
<content><![CDATA[
# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
# change this to a valid e-mail address you can access
root: <ADMIN_MAIL>
]]>
</content>
</file>
</files>
<commands index="3">
<command><![CDATA[newaliases]]></command>
<command><![CDATA[service postfix restart]]></command>
</commands>
</general>
<!-- postfix with dovecot -->
<daemon name="postfix_dovecot" title="Postfix with dovecot"
default="true">
<include>//service[@type='smtp']/general/commands[@index=1]
</include>
<include>//service[@type='smtp']/general/installs[@index=1]
</include>
<include>//service[@type='smtp']/general/commands[@index=2]
</include>
<file name="/etc/postfix/main.cf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
# Froxlor Note: $myhostname can and should be the same as $mydomain as long as
# you don't intend to send mail to it (it will be considered local, not virtual)
# for the case of a subdomain, $mydomain *must* be equal to $myhostname,
# otherwise you cannot use the main domain for virtual transport.
# also check the note about $mydomain below.
myhostname = $mydomain
#myhostname = virtual.domain.tld
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
# Froxlor Note: We are using a default here but that may or may not make sense,
# depending on your dns configuration, please check yourself.
# FQDN from Froxlor
mydomain = <SERVERNAME>
mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
mailbox_command = /usr/lib/dovecot/deliver
#mailbox_command = /usr/bin/procmail -a "$EXTENSION"
# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
inet_protocols = ipv4
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_non_fqdn_recipient
smtpd_sender_restrictions = permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated,
reject_unknown_helo_hostname,
reject_unknown_recipient_domain,
reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_client_hostname
# Postfix 2.10 requires this option. Postfix < 2.10 ignores this.
# The option is intentionally left empty.
smtpd_relay_restrictions =
# Maximum size of Message in bytes (50MB)
message_size_limit = 52428800
## SASL Auth Settings
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
## Dovecot Settings for deliver, SASL Auth and virtual transport
smtpd_sasl_type = dovecot
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_path = private/auth
# Virtual delivery settings
virtual_mailbox_base = /
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_permissions.cf
virtual_uid_maps = static:<VIRTUAL_UID_MAPS>
virtual_gid_maps = static:<VIRTUAL_GID_MAPS>
# Local delivery settings
local_transport = local
alias_maps = $alias_database
# Default Mailbox size, is set to 0 which means unlimited!
mailbox_size_limit = 0
virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
smtpd_tls_security_level = may
smtpd_tls_cert_file = <SSL_CERT_FILE>
smtpd_tls_key_file = <SSL_KEY_FILE>
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
]]>
</content>
</file>
<include>//service[@type='smtp']/general/files[@index=0]</include>
<file name="/etc/postfix/master.cf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
#smtp inet n - y - - smtpd
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
#
# Dovecot LDA
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
]]>
</content>
</file>
<include>//service[@type='smtp']/general/commands[@index=3]
</include>
</daemon>
</service>
<!-- IMAP/POP3 services -->
<service type="mail" title="{{lng.admin.configfiles.mail}}">
<!-- valid for both dovecots -->
<general>
<installs index="1">
<install><![CDATA[apt-get install dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-managesieved dovecot-sieve]]></install>
</installs>
<files index="1">
<file name="/etc/dovecot/dovecot.conf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
]]>
</content>
</file>
<file name="/etc/dovecot/dovecot-sql.conf.ext"
chown="root:root" chmod="0600" backup="true">
<content><![CDATA[
# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-sql.conf.ext
# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/SQL
#
# For the sql passdb module, you'll need a database with a table that
# contains fields for at least the username and password. If you want to
# use the user@domain syntax, you might want to have a separate domain
# field as well.
#
# If your users all have the same uig/gid, and have predictable home
# directories, you can use the static userdb module to generate the home
# dir based on the username and domain. In this case, you won't need fields
# for home, uid, or gid in the database.
#
# If you prefer to use the sql userdb module, you'll want to add fields
# for home, uid, and gid. Here is an example table:
#
# CREATE TABLE users (
# username VARCHAR(128) NOT NULL,
# domain VARCHAR(128) NOT NULL,
# password VARCHAR(64) NOT NULL,
# home VARCHAR(255) NOT NULL,
# uid INTEGER NOT NULL,
# gid INTEGER NOT NULL,
# active CHAR(1) DEFAULT 'Y' NOT NULL
# );
# Database driver: mysql, pgsql, sqlite
driver = mysql
# Database connection string. This is driver-specific setting.
#
# HA / round-robin load-balancing is supported by giving multiple host
# settings, like: host=sql1.host.org host=sql2.host.org
#
# pgsql:
# For available options, see the PostgreSQL documentation for the
# PQconnectdb function of libpq.
# Use maxconns=n (default 5) to change how many connections Dovecot can
# create to pgsql.
#
# mysql:
# Basic options emulate PostgreSQL option names:
# host, port, user, password, dbname
#
# But also adds some new settings:
# client_flags - See MySQL manual
# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
# ssl_cert, ssl_key - For sending client-side certificates to server
# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
# ssl_verify_server_cert - Verify that the name in the server SSL certificate
# matches the host (default: no)
# option_file - Read options from the given file instead of
# the default my.cnf location
# option_group - Read options from the given group (default: client)
#
# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
# Note that currently you can't use spaces in parameters.
#
# sqlite:
# The path to the database file.
#
# Examples:
# connect = host=192.168.1.1 dbname=users
# connect = host=sql.example.com dbname=virtual user=virtual password=blarg
# connect = /etc/dovecot/authdb.sqlite
#
connect = "host=<SQL_HOST> dbname=<SQL_DB> user=<SQL_UNPRIVILEGED_USER> password=<SQL_UNPRIVILEGED_PASSWORD>"
# Default password scheme.
#
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
#
#default_pass_scheme = CRYPT
# passdb query to retrieve the password. It can return fields:
# password - The user's password. This field must be returned.
# user - user@domain from the database. Needed with case-insensitive lookups.
# username and domain - An alternative way to represent the "user" field.
#
# The "user" field is often necessary with case-insensitive lookups to avoid
# e.g. "name" and "nAme" logins creating two different mail directories. If
# your user and domain names are in separate fields, you can return "username"
# and "domain" fields instead of "user".
#
# The query can also return other fields which have a special meaning, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
#
# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
# for full list):
# %u = entire user@domain
# %n = user part of user@domain
# %d = domain part of user@domain
#
# Note that these can be used only as input to SQL query. If the query outputs
# any of these substitutions, they're not touched. Otherwise it would be
# difficult to have eg. usernames containing '%' characters.
#
# Example:
# password_query = SELECT userid AS user, pw AS password \
# FROM users WHERE userid = '%u' AND active = 'Y'
#
#password_query = \
# SELECT username, domain, password \
# FROM users WHERE username = '%n' AND domain = '%d'
# userdb query to retrieve the user information. It can return fields:
# uid - System UID (overrides mail_uid setting)
# gid - System GID (overrides mail_gid setting)
# home - Home directory
# mail - Mail location (overrides mail_location setting)
#
# None of these are strictly required. If you use a single UID and GID, and
# home or mail directory fits to a template string, you could use userdb static
# instead. For a list of all fields that can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#
# Examples:
# user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
# user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
#
#user_query = \
# SELECT home, uid, gid \
# FROM users WHERE username = '%n' AND domain = '%d'
user_query = SELECT CONCAT(homedir, maildir) AS home, CONCAT('maildir:', homedir, maildir) AS mail, uid, gid, CONCAT('*:storage=', quota, 'M') as quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u')
# If you wish to avoid two SQL lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
# also have to return userdb fields in password_query prefixed with "userdb_"
# string. For example:
#password_query = \
# SELECT userid AS user, password, \
# home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
# FROM users WHERE userid = '%u'
password_query = SELECT username AS user, password_enc AS password, CONCAT(homedir, maildir) AS userdb_home, uid AS userdb_uid, gid AS userdb_gid, CONCAT('maildir:', homedir, maildir) AS userdb_mail, CONCAT('*:storage=', quota, 'M') as userdb_quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') AND ((imap = 1 AND '%Ls' = 'imap') OR (pop3 = 1 AND '%Ls' = 'pop3') OR ((postfix = 'Y' AND '%Ls' = 'smtp') OR (postfix = 'Y' AND '%Ls' = 'sieve')))
# Query to get a list of all usernames.
iterate_query = "SELECT username AS user FROM mail_users WHERE (imap = 1 OR pop3 = 1)"
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/10-auth.conf" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
##
## Authentication processes
##
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
disable_plaintext_auth = no
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour
# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =
# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =
# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu
# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =
# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous
# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30
# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no
# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth
# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs
# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no
# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login
##
## Password and user databases
##
#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/10-mail.conf" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
##
## Mailbox locations and namespaces
##
# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if there's no domain
# %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
# mail_location = maildir:~/Maildir
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
mail_location = mbox:~/mail:INBOX=/var/mail/%u
# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
# You can have private, shared and public namespaces. Private namespaces
# are for user's personal mails. Shared namespaces are for accessing other
# users' mailboxes that have been shared. Public namespaces are for shared
# mailboxes that are managed by sysadmin. If you create any shared or public
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
namespace inbox {
# Namespace type: private, shared or public
#type = private
# Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format.
#separator =
# Prefix required to access this namespace. This needs to be different for
# all namespaces. For example "Public/".
#prefix =
# Physical location of the mailbox. This is in same format as
# mail_location, which is also the default for it.
#location =
# There can be only one INBOX, and this setting defines which namespace
# has it.
inbox = yes
# If namespace is hidden, it's not advertised to clients via NAMESPACE
# extension. You'll most likely also want to set list=no. This is mostly
# useful when converting from another server with different namespaces which
# you want to deprecate but still keep working. For example you can create
# hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
#hidden = no
# Show the mailboxes under this namespace with LIST command. This makes the
# namespace visible for clients that don't support NAMESPACE extension.
# "children" value lists child mailboxes, but hides the namespace prefix.
#list = yes
# Namespace handles its own subscriptions. If set to "no", the parent
# namespace handles them (empty prefix should always have this as "yes")
#subscriptions = yes
}
# Example shared namespace configuration
#namespace {
#type = shared
#separator = /
# Mailboxes are visible under "shared/user@domain/"
# %%n, %%d and %%u are expanded to the destination user.
#prefix = shared/%%u/
# Mail location for other users' mailboxes. Note that %variables and ~/
# expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
# destination user's data.
#location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
# Use the default namespace for saving subscriptions.
#subscriptions = no
# List the shared/ namespace only if there are visible shared mailboxes.
#list = children
#}
# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
#mail_shared_explicit_inbox = no
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
#mail_uid =
#mail_gid =
# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
#mail_privileged_group =
# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
mail_access_groups = vmail
# Allow full filesystem access to clients. There's no access checks other than
# what the operating system does for the active UID/GID. It works with both
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access = no
# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
# soon intended to be used by METADATA as well.
#mail_attribute_dict =
##
## Mail processes
##
# Don't use mmap() at all. This is required if you store indexes to shared
# filesystems (NFS or clustered filesystem).
#mmap_disable = no
# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
#dotlock_use_excl = yes
# When to use fsync() or fdatasync() calls:
# optimized (default): Whenever necessary to avoid losing important data
# always: Useful with e.g. NFS when write()s are delayed
# never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized
# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl
# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
#mail_temp_dir = /tmp
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
#last_valid_gid = 0
# Maximum allowed length for mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50
# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot, mail_chroot or auth chroot
# settings. If this setting is empty, "/./" in home dirs are ignored.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. <doc/wiki/Chrooting.txt>
#valid_chroot_dirs =
# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
# (eg. /home/./user chroots into /home). Note that usually there is no real
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
#mail_chroot =
# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
#auth_socket_path = /var/run/dovecot/auth-userdb
# Directory where to look up mail plugins.
#mail_plugin_dir = /usr/lib/dovecot/modules
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
#mail_plugins =
##
## Mailbox handling optimizations
##
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
#mailbox_list_index = no
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
#mail_cache_min_mail_count = 0
# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
# time to wait between those checks. Dovecot can also use dnotify, inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs
# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
# Also note that if other software reads the mboxes/maildirs, they may handle
# the extra CRs wrong and cause problems.
#mail_save_crlf = no
# Max number of mails to keep open and prefetch to memory. This only works with
# some mailbox formats and/or operating systems.
#mail_prefetch_count = 0
# How often to scan for stale temporary files and delete them (0 = never).
# These should exist only after Dovecot dies in the middle of saving mails.
#mail_temp_scan_interval = 1w
##
## Maildir-specific settings
##
# By default LIST command returns all entries in maildir beginning with a dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no
# When copying a message, do it with hard links whenever possible. This makes
# the performance much better, and it's unlikely to have any side effects.
#maildir_copy_with_hardlinks = yes
# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
#maildir_very_dirty_syncs = no
# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no
# Always move mails from new/ directory to cur/, even when the \Recent flags
# aren't being reset.
#maildir_empty_new = no
##
## mbox-specific settings
##
# Which locking methods to use for locking mbox. There are four available:
# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
# solution. If you want to use /var/mail/ like directory, the users
# will need write access to that directory.
# dotlock_try: Same as dotlock, but if it fails because of permissions or
# because there isn't enough disk space, just skip it.
# fcntl : Use this if possible. Works with NFS too if lockd is used.
# flock : May not exist in all systems. Doesn't work with NFS.
# lockf : May not exist in all systems. Doesn't work with NFS.
#
# You can use multiple locking methods; if you do the order they're declared
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
#
# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
# Dovecot: mbox_write_locks = dotlock fcntl
# Debian: mbox_write_locks = fcntl dotlock
#
#mbox_read_locks = fcntl
#mbox_write_locks = fcntl dotlock
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
# If dotlock exists but the mailbox isn't modified in any way, override the
# lock file after this much time.
#mbox_dotlock_change_timeout = 2 mins
# When mbox changes unexpectedly we have to fully read it to find out what
# changed. If the mbox is large this can take a long time. Since the change
# is usually just a newly appended mail, it'd be faster to simply read the
# new mails. If this setting is enabled, Dovecot does this but still safely
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
# commands.
#mbox_dirty_syncs = yes
# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
#mbox_very_dirty_syncs = no
# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
# commands and when closing the mailbox). This is especially useful for POP3
# where clients often delete all mails. The downside is that our changes
# aren't immediately visible to other MUAs.
#mbox_lazy_writes = yes
# If mbox size is smaller than this (e.g. 100k), don't write index files.
# If an index file already exists it's still read, just not updated.
#mbox_min_index_size = 0
# Mail header selection algorithm to use for MD5 POP3 UIDLs when
# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
# algorithm, but it fails if the first Received: header isn't unique in all
# mails. An alternative algorithm is "all" that selects all headers.
#mbox_md5 = apop3d
##
## mdbox-specific settings
##
# Maximum dbox file size until it's rotated.
#mdbox_rotate_size = 2M
# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
#mdbox_rotate_interval = 0
# When creating new mdbox files, immediately preallocate their size to
# mdbox_rotate_size. This setting currently works only in Linux with some
# filesystems (ext4, xfs).
#mdbox_preallocate_space = no
##
## Mail attachments
##
# sdbox and mdbox support saving mail attachments to external files, which
# also allows single instance storage for them. Other backends don't support
# this for now.
# Directory root where to store mail attachments. Disabled, if empty.
#mail_attachment_dir =
# Attachments smaller than this aren't saved externally. It's also possible to
# write a plugin to disable saving specific attachments externally.
#mail_attachment_min_size = 128k
# Filesystem backend to use for saving attachments:
# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
# sis posix : SiS with immediate byte-by-byte comparison during saving
# sis-queue posix : SiS with delayed comparison and deduplication
#mail_attachment_fs = sis posix
# Hash format to use in attachment filenames. You can add any text and
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
#mail_attachment_hash = %{sha1}
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/10-master.conf"
chown="root:0" chmod="0644" backup="true">
<content><![CDATA[
#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
inet_listener imap {
#port = 143
}
inet_listener imaps {
#port = 993
#ssl = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = $default_vsz_limit
}
service pop3-login {
inet_listener pop3 {
#port = 110
}
inet_listener pop3s {
#port = 995
#ssl = yes
}
}
service lmtp {
unix_listener lmtp {
#mode = 0666
}
# Create inet listener only if you can't use the above UNIX socket
#inet_listener lmtp {
# Avoid making LMTP visible for the entire internet
#address =
#port =
#}
}
service imap {
# Most of the memory goes to mmap()ing files. You may need to increase this
# limit if you have huge mailboxes.
#vsz_limit = $default_vsz_limit
# Max. number of IMAP processes (connections)
#process_limit = 1024
}
service pop3 {
# Max. number of POP3 processes (connections)
#process_limit = 1024
}
service auth {
# auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
# full permissions to this socket are able to get a list of all usernames and
# get the results of everyone's userdb lookups.
#
# The default 0666 mode allows anyone to connect to the socket, but the
# userdb lookups will succeed only if the userdb returns an "uid" field that
# matches the caller process's UID. Also if caller's uid or gid matches the
# socket's uid or gid the lookup succeeds. Anything else causes a failure.
#
# To give the caller full permissions to lookup all users, set the mode to
# something else than 0666 and Dovecot lets the kernel enforce the
# permissions (e.g. 0777 allows everyone full permissions).
unix_listener auth-userdb {
#mode = 0666
#user =
#group =
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
# Exim4 smtp-auth
unix_listener auth-client {
mode = 0660
user = mail
# group = Debian-exim
}
# Auth process is run as this user.
#user = $default_internal_user
}
service auth-worker {
# Auth worker process is run as root by default, so that it can access
# /etc/shadow. If this isn't necessary, the user should be changed to
# $default_internal_user.
#user = root
}
service dict {
# If dict proxy is used, mail processes should have access to its socket.
# For example: mode=0660, group=vmail and global mail_access_groups=vmail
unix_listener dict {
#mode = 0600
#user =
#group =
}
}
service stats {
unix_listener stats-reader {
group = vmail
mode = 0666
}
unix_listener stats-writer {
group = vmail
mode = 0666
}
}
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/10-ssl.conf" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = <<SSL_CERT_FILE>
ssl_key = <<SSL_KEY_FILE>
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/share/dovecot/dh.pem
# SSL protocols to use
#ssl_protocols = !SSLv3
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
# no_compression - Disable compression.
#ssl_options =
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/15-lda.conf" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
##
## LDA specific settings (also used by LMTP)
##
# Address to use when sending rejection mails.
# Default is postmaster@<your domain>. %d expands to recipient domain.
postmaster_address = postmaster@<SERVERNAME>
# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
# in LMTP replies. Default is the system's real hostname@domain.
#hostname =
# If user is over quota, return with temporary failure instead of
# bouncing the mail.
#quota_full_tempfail = no
# Binary to use for sending mails.
#sendmail_path = /usr/sbin/sendmail
# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
#submission_host =
# Subject: header to use for rejection mails. You can use the same variables
# as for rejection_reason below.
#rejection_subject = Rejected: %s
# Human readable error message for rejection mails. You can use variables:
# %n = CRLF, %r = reason, %s = original subject, %t = recipient
#rejection_reason = Your message to <%t> was automatically rejected:%n%r
# Delimiter character between local-part and detail in email address.
#recipient_delimiter = +
# Header where the original recipient address (SMTP's RCPT TO: address) is taken
# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
# A commonly used header for this is X-Original-To.
#lda_original_recipient_header =
# Should saving a mail to a nonexistent mailbox automatically create it?
#lda_mailbox_autocreate = no
# Should automatically created mailboxes be also automatically subscribed?
#lda_mailbox_autosubscribe = no
protocol lda {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins quota sieve
}
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/20-imap.conf" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
##
## IMAP specific settings
##
# Maximum IMAP command line length. Some clients generate very long command
# lines with huge mailboxes, so you may need to raise this if you get
# "Too long argument" or "IMAP command line too large" errors often.
#imap_max_line_length = 64k
# IMAP logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
#imap_logout_format = in=%i out=%o
# Override the IMAP CAPABILITY response. If the value begins with '+',
# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
#imap_capability =
# How long to wait between "OK Still here" notifications when client is
# IDLEing.
#imap_idle_notify_interval = 2 mins
# ID field names and values to send to clients. Using * as the value makes
# Dovecot use the default value. The following fields have default values
# currently: name, version, os, os-version, support-url, support-email.
#imap_id_send =
# ID fields sent by client to log. * means everything.
#imap_id_log =
# Workarounds for various client bugs:
# delay-newmail:
# Send EXISTS/RECENT new mail notifications only when replying to NOOP
# and CHECK commands. Some clients ignore them otherwise, for example OSX
# Mail (<v2.1). Outlook Express breaks more badly though, without this it
# may show user "Message no longer in server" errors. Note that OE6 still
# breaks even with this workaround if synchronization is set to
# "Headers Only".
# tb-extra-mailbox-sep:
# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
# adds extra '/' suffixes to mailbox names. This option causes Dovecot to
# ignore the extra '/' instead of treating it as invalid mailbox name.
# tb-lsub-flags:
# Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
# This makes Thunderbird realize they aren't selectable and show them
# greyed out, instead of only later giving "not selectable" popup error.
#
# The list is space-separated.
#imap_client_workarounds =
# Host allowed in URLAUTH URLs sent by client. "*" allows all.
#imap_urlauth_host =
protocol imap {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins quota imap_quota
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
}
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/20-managesieve.conf"
chown="root:0" chmod="0644" backup="true">
<content><![CDATA[
##
## ManageSieve specific settings
##
# Uncomment to enable managesieve protocol:
#protocols = $protocols sieve
# Service definitions
#service managesieve-login {
#inet_listener sieve {
# port = 4190
#}
#inet_listener sieve_deprecated {
# port = 2000
#}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = 64M
#}
#service managesieve {
# Max. number of ManageSieve processes (connections)
#process_limit = 1024
#}
# Service configuration
protocol sieve {
# Maximum ManageSieve command line length in bytes. ManageSieve usually does
# not involve overly long command lines, so this setting will not normally
# need adjustment
#managesieve_max_line_length = 65536
# Maximum number of ManageSieve connections allowed for a user from each IP
# address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
# Space separated list of plugins to load (none known to be useful so far).
# Do NOT try to load IMAP plugins here.
#mail_plugins =
# MANAGESIEVE logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
#managesieve_logout_format = bytes=%i/%o
# To fool ManageSieve clients that are focused on CMU's timesieved you can
# specify the IMPLEMENTATION capability that Dovecot reports to clients.
# For example: 'Cyrus timsieved v2.2.13'
#managesieve_implementation_string = Dovecot Pigeonhole
# Explicitly specify the SIEVE and NOTIFY capability reported by the server
# before login. If left unassigned these will be reported dynamically
# according to what the Sieve interpreter supports by default (after login
# this may differ depending on the user).
#managesieve_sieve_capability =
#managesieve_notify_capability =
# The maximum number of compile errors that are returned to the client upon
# script upload or script verification.
#managesieve_max_compile_errors = 5
# Refer to 90-sieve.conf for script quota configuration and configuration of
# Sieve execution limits.
}
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/20-pop3.conf" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
##
## POP3 specific settings
##
# Don't try to set mails non-recent or seen with POP3 sessions. This is
# mostly intended to reduce disk I/O. With maildir it doesn't move files
# from new/ to cur/, with mbox it doesn't write Status-header.
#pop3_no_flag_updates = no
# Support LAST command which exists in old POP3 specs, but has been removed
# from new ones. Some clients still wish to use this though. Enabling this
# makes RSET command clear all \Seen flags from messages.
#pop3_enable_last = no
# If mail has X-UIDL header, use it as the mail's UIDL.
#pop3_reuse_xuidl = no
# Allow only one POP3 session to run simultaneously for the same user.
#pop3_lock_session = no
# POP3 requires message sizes to be listed as if they had CR+LF linefeeds.
# Many POP3 servers violate this by returning the sizes with LF linefeeds,
# because it's faster to get. When this setting is enabled, Dovecot still
# tries to do the right thing first, but if that requires opening the
# message, it fallbacks to the easier (but incorrect) size.
#pop3_fast_size_lookups = no
# POP3 UIDL (unique mail identifier) format to use. You can use following
# variables, along with the variable modifiers described in
# doc/wiki/Variables.txt (e.g. %Uf for the filename in uppercase)
#
# %v - Mailbox's IMAP UIDVALIDITY
# %u - Mail's IMAP UID
# %m - MD5 sum of the mailbox headers in hex (mbox only)
# %f - filename (maildir only)
# %g - Mail's GUID
#
# If you want UIDL compatibility with other POP3 servers, use:
# UW's ipop3d : %08Xv%08Xu
# Courier : %f or %v-%u (both might be used simultaneously)
# Cyrus (<= 2.1.3) : %u
# Cyrus (>= 2.1.4) : %v.%u
# Dovecot v0.99.x : %v.%u
# tpop3d : %Mf
#
# Note that Outlook 2003 seems to have problems with %v.%u format which was
# Dovecot's default, so if you're building a new server it would be a good
# idea to change this. %08Xu%08Xv should be pretty fail-safe.
#
#pop3_uidl_format = %08Xu%08Xv
# Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes
# won't change those UIDLs. Currently this works only with Maildir.
#pop3_save_uidl = no
# What to do about duplicate UIDLs if they exist?
# allow: Show duplicates to clients.
# rename: Append a temporary -2, -3, etc. counter after the UIDL.
#pop3_uidl_duplicates = allow
# This option changes POP3 behavior so that it's not possible to actually
# delete mails via POP3, only hide them from future POP3 sessions. The mails
# will still be counted towards user's quota until actually deleted via IMAP.
# Use e.g. "$POP3Deleted" as the value (it will be visible as IMAP keyword).
# Make sure you can legally archive mails before enabling this setting.
#pop3_deleted_flag =
# POP3 logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
# %t - number of TOP commands
# %p - number of bytes sent to client as a result of TOP command
# %r - number of RETR commands
# %b - number of bytes sent to client as a result of RETR command
# %d - number of deleted messages
# %m - number of messages (before deletion)
# %s - mailbox size in bytes (before deletion)
# %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly
pop3_logout_format = in=%i out=%o top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
# Workarounds for various client bugs:
# outlook-no-nuls:
# Outlook and Outlook Express hang if mails contain NUL characters.
# This setting replaces them with 0x80 character.
# oe-ns-eoh:
# Outlook Express and Netscape Mail breaks if end of headers-line is
# missing. This option simply sends it if it's missing.
# The list is space-separated.
#pop3_client_workarounds =
protocol pop3 {
# Space separated list of plugins to load (default is global mail_plugins).
#mail_plugins = $mail_plugins
# Maximum number of POP3 connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
}
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/90-sieve.conf" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
##
## Settings for the Sieve interpreter
##
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
plugin {
# The path to the user's main active script. If ManageSieve is used, this the
# location of the symbolic link controlled by ManageSieve.
sieve = ~/sieve/.dovecot.sieve
# The default Sieve script when the user has none. This is a path to a global
# sieve script file, which gets executed ONLY if user's private Sieve script
# doesn't exist. Be sure to pre-compile this script manually using the sievec
# command line tool.
# --> See sieve_before fore executing scripts before the user's personal
# script.
#sieve_default = /var/lib/dovecot/sieve/default.sieve
# Directory for :personal include scripts for the include extension. This
# is also where the ManageSieve service stores the user's scripts.
sieve_dir = ~/sieve
# Directory for :global include scripts for the include extension.
#sieve_global_dir =
# Path to a script file or a directory containing script files that need to be
# executed before the user's script. If the path points to a directory, all
# the Sieve scripts contained therein (with the proper .sieve extension) are
# executed. The order of execution within a directory is determined by the
# file names, using a normal 8bit per-character comparison. Multiple script
# file or directory paths can be specified by appending an increasing number.
#sieve_before =
#sieve_before2 =
#sieve_before3 = (etc...)
# Identical to sieve_before, only the specified scripts are executed after the
# user's script (only when keep is still in effect!). Multiple script file or
# directory paths can be specified by appending an increasing number.
#sieve_after =
#sieve_after2 =
#sieve_after2 = (etc...)
# Which Sieve language extensions are available to users. By default, all
# supported extensions are available, except for deprecated extensions or
# those that are still under development. Some system administrators may want
# to disable certain Sieve extensions or enable those that are not available
# by default. This setting can use '+' and '-' to specify differences relative
# to the default. For example `sieve_extensions = +imapflags' will enable the
# deprecated imapflags extension in addition to all extensions were already
# enabled by default.
#sieve_extensions = +notify +imapflags
# Which Sieve language extensions are ONLY available in global scripts. This
# can be used to restrict the use of certain Sieve extensions to administrator
# control, for instance when these extensions can cause security concerns.
# This setting has higher precedence than the `sieve_extensions' setting
# (above), meaning that the extensions enabled with this setting are never
# available to the user's personal script no matter what is specified for the
# `sieve_extensions' setting. The syntax of this setting is similar to the
# `sieve_extensions' setting, with the difference that extensions are
# enabled or disabled for exclusive use in global scripts. Currently, no
# extensions are marked as such by default.
#sieve_global_extensions =
# The Pigeonhole Sieve interpreter can have plugins of its own. Using this
# setting, the used plugins can be specified. Check the Dovecot wiki
# (wiki2.dovecot.org) or the pigeonhole website
# (http://pigeonhole.dovecot.org) for available plugins.
# The sieve_extprograms plugin is included in this release.
#sieve_plugins =
# The separator that is expected between the :user and :detail
# address parts introduced by the subaddress extension. This may
# also be a sequence of characters (e.g. '--'). The current
# implementation looks for the separator from the left of the
# localpart and uses the first one encountered. The :user part is
# left of the separator and the :detail part is right. This setting
# is also used by Dovecot's LMTP service.
#recipient_delimiter = +
# The maximum size of a Sieve script. The compiler will refuse to compile any
# script larger than this limit. If set to 0, no limit on the script size is
# enforced.
#sieve_max_script_size = 1M
# The maximum number of actions that can be performed during a single script
# execution. If set to 0, no limit on the total number of actions is enforced.
#sieve_max_actions = 32
# The maximum number of redirect actions that can be performed during a single
# script execution. If set to 0, no redirect actions are allowed.
#sieve_max_redirects = 4
# The maximum number of personal Sieve scripts a single user can have. If set
# to 0, no limit on the number of scripts is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_scripts = 0
# The maximum amount of disk storage a single user's scripts may occupy. If
# set to 0, no limit on the used amount of disk storage is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_storage = 0
}
]]>
</content>
</file>
<file name="/etc/dovecot/conf.d/90-quota.conf" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
plugin {
quota = maildir:User quota
}
]]>
</content>
</file>
</files>
<commands index="1">
<command><![CDATA[service dovecot restart]]></command>
</commands>
</general>
<!-- Dovecot with postfix -->
<daemon name="dovecot_postfix" version="2"
title="Dovecot with postfix" default="true">
<include>//service[@type='mail']/general/installs[@index=1]
</include>
<include>//service[@type='mail']/general/files[@index=1]
</include>
<include>//service[@type='mail']/general/commands[@index=1]
</include>
</daemon>
</service>
<!-- Antispam services -->
<service type="antispam" title="Antispam">
<!-- general RSpamd commands -->
<general>
<commands index="1">
<command><![CDATA[mkdir -p /etc/apt/keyrings]]></command>
<command><![CDATA[wget -O- https://rspamd.com/apt-stable/gpg.key | gpg --dearmor | tee /etc/apt/keyrings/rspamd.gpg > /dev/null]]></command>
<command><![CDATA[echo "deb [signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ focal main" > /etc/apt/sources.list.d/rspamd.list]]></command>
<command><![CDATA[echo "deb-src [signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ focal main" >> /etc/apt/sources.list.d/rspamd.list]]></command>
<command><![CDATA[apt-get update]]></command>
</commands>
<installs index="1">
<install><![CDATA[DEBIAN_FRONTEND=noninteractive apt-get -yq --no-install-recommends install rspamd]]></install>
</installs>
<commands index="2">
<command><![CDATA[mkdir -p /etc/rspamd/local.d/]]></command>
<command><![CDATA[mkdir -p /etc/rspamd/override.d/]]></command>
<command><![CDATA[mkdir -p /var/lib/rspamd/dkim/]]></command>
</commands>
<files index="1">
<file name="/etc/rspamd/local.d/actions.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
# Set rewrite subject to this value (%s is replaced by the original subject)
subject = "***SPAM*** %s"
]]>
</content>
</file>
<file name="/etc/rspamd/local.d/arc.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
try_fallback = true;
### Enable DKIM signing for alias sender addresses
allow_username_mismatch = true;
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/dkim_selectors.map";
]]>
</content>
</file>
<file name="/etc/rspamd/local.d/milter_headers.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
authenticated_headers = ["authentication-results"];
extended_spam_headers = true
skip_local = false
skip_authenticated = false
]]>
</content>
</file>
<file name="/etc/rspamd/local.d/replies.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
## If a user has replied to an email, dont mark other emails in the same thread as spam
action = "no action";
]]>
</content>
</file>
<file name="/etc/rspamd/local.d/settings.conf"
chown="root:root" chmod="0644" backup="true">
<content><![CDATA[
## Feel free to include your own settings or adjustments here, for example:
#whitelist {
# priority = low;
# rcpt = "postmaster@example.com";
# want_spam = yes;
#}
## Include froxlor generated settings
.include(try=true,priority=1,duplicate=merge) "{{settings.antispam.config_file}}"
]]>
</content>
</file>
</files>
<commands index="3">
<command><![CDATA[cp /etc/rspamd/local.d/arc.conf /etc/rspamd/local.d/dkim_signing.conf]]></command>
<command><![CDATA[postconf -e "milter_protocol = 6"]]></command>
<command><![CDATA[postconf -e "milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}"]]></command>
<command><![CDATA[postconf -e "milter_default_action = accept"]]></command>
<command><![CDATA[postconf -e "smtpd_milters = inet:127.0.0.1:11332"]]></command>
<command><![CDATA[postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"]]></command>
<command><![CDATA[chown -R _rspamd:_rspamd /var/lib/rspamd/dkim]]></command>
<command><![CDATA[service rspamd restart]]></command>
</commands>
</general>
<!-- rspamd -->
<daemon name="rspamd" title="Rspamd" default="true">
<include>//service[@type='antispam']/general/commands[@index=1]
</include>
<include>//service[@type='antispam']/general/installs[@index=1]
</include>
<include>//service[@type='antispam']/general/commands[@index=2]
</include>
<include>//service[@type='antispam']/general/files[@index=1]
</include>
<include>//service[@type='antispam']/general/commands[@index=3]
</include>
</daemon>
</service>
<!-- FTP services -->
<service type="ftp" title="{{lng.admin.configfiles.ftp}}">
<!-- Proftpd -->
<daemon name="proftpd" title="ProFTPd" default="true">
<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
<file name="/etc/proftpd/create-cert.sh" chown="root:0"
chmod="0700">
<content><![CDATA[#!/bin/bash
[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key
]]>
</content>
</file>
<commands index="1">
<command><![CDATA[/etc/proftpd/create-cert.sh]]></command>
<command><![CDATA[rm -f /etc/proftpd/create-cert.sh]]></command>
</commands>
<file name="/etc/proftpd/proftpd.conf" chown="root:0"
chmod="0600" backup="true">
<content><![CDATA[
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off
ServerName "<SERVERNAME> FTP Server"
ServerType standalone
DeferWelcome off
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
# Use this to jail all users in their homes
# DefaultRoot ~
# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell off
# Port 21 is the standard FTP port.
Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534
# If your host was NATted, this option is useful in order to
# allow passive transfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4
# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User proftpd
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwritable.
AllowOverwrite on
# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off
# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on
# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime. If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime
<IfModule mod_quotatab.c>
QuotaEngine on
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
Include /etc/proftpd/sql.conf
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.conf
# A basic anonymous configuration, no upload directories.
# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>
# Include other custom configuration files
Include /etc/proftpd/conf.d/
]]>
</content>
</file>
<file name="/etc/proftpd/modules.conf" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
#
# This file is used to manage DSO modules and features.
#
# This is the directory where DSO modules reside
ModulePath /usr/lib/proftpd
# Allow only user root to load and unload modules, but allow everyone
# to see which modules have been loaded
ModuleControlsACLs insmod,rmmod allow user root
ModuleControlsACLs lsmod allow user *
LoadModule mod_ctrls_admin.c
LoadModule mod_tls.c
# Install one of proftpd-mod-mysql, proftpd-mod-pgsql or any other
# SQL backend engine to use this module and the required backend.
# This module must be mandatory loaded before anyone of
# the existent SQL backeds.
LoadModule mod_sql.c
# Install proftpd-mod-ldap to use this
#LoadModule mod_ldap.c
#
# 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives
# are required to have SQL authorization working. You can also comment out the
# unused module here, in alternative.
#
# Install proftpd-mod-mysql and decomment the previous
# mod_sql.c module to use this.
LoadModule mod_sql_mysql.c
# Install proftpd-mod-pgsql and decomment the previous
# mod_sql.c module to use this.
#LoadModule mod_sql_postgres.c
# Install proftpd-mod-sqlite and decomment the previous
# mod_sql.c module to use this
#LoadModule mod_sql_sqlite.c
# Install proftpd-mod-odbc and decomment the previous
# mod_sql.c module to use this
#LoadModule mod_sql_odbc.c
# Install one of the previous SQL backends and decomment
# the previous mod_sql.c module to use this
#LoadModule mod_sql_passwd.c
LoadModule mod_radius.c
LoadModule mod_quotatab.c
LoadModule mod_quotatab_file.c
# Install proftpd-mod-ldap to use this
#LoadModule mod_quotatab_ldap.c
# Install one of the previous SQL backends and decomment
# the previous mod_sql.c module to use this
LoadModule mod_quotatab_sql.c
LoadModule mod_quotatab_radius.c
LoadModule mod_wrap.c
LoadModule mod_rewrite.c
LoadModule mod_load.c
LoadModule mod_ban.c
LoadModule mod_wrap2.c
LoadModule mod_wrap2_file.c
# Install one of the previous SQL backends and decomment
# the previous mod_sql.c module to use this
#LoadModule mod_wrap2_sql.c
LoadModule mod_dynmasq.c
LoadModule mod_exec.c
LoadModule mod_shaper.c
LoadModule mod_ratio.c
LoadModule mod_site_misc.c
LoadModule mod_sftp.c
LoadModule mod_sftp_pam.c
# Install one of the previous SQL backends and decomment
# the previous mod_sql.c module to use this
#LoadModule mod_sftp_sql.c
LoadModule mod_facl.c
LoadModule mod_unique_id.c
LoadModule mod_copy.c
LoadModule mod_deflate.c
LoadModule mod_ifversion.c
LoadModule mod_tls_memcache.c
# Install proftpd-mod-geoip to use the GeoIP feature
#LoadModule mod_geoip.c
# keep this module the last one
LoadModule mod_ifsession.c
]]>
</content>
</file>
<file name="/etc/proftpd/sql.conf" chown="root:0" chmod="0600"
backup="true">
<content><![CDATA[
#
# Proftpd sample configuration for SQL-based authentication.
#
# (This is not to be used if you prefer a PAM-based SQL authentication)
#
<IfModule mod_sql.c>
DefaultRoot ~
RequireValidShell off
AuthOrder mod_sql.c
#
# Choose a SQL backend among MySQL or PostgreSQL.
# Both modules are loaded in default configuration, so you have to specify the backend
# or comment out the unused module in /etc/proftpd/modules.conf.
# Use 'mysql' or 'postgres' as possible values.
#
SQLBackend mysql
#
SQLEngine on
SQLAuthenticate on
#
# Use both an encrypted or plaintext password
SQLAuthTypes Crypt OpenSSL
SQLAuthenticate users* groups*
#
# Connection
SQLConnectInfo <SQL_DB>@<SQL_HOST> <SQL_UNPRIVILEGED_USER> <SQL_UNPRIVILEGED_PASSWORD>
#
# Describes both users/groups tables
#
SQLUserInfo ftp_users username password uid gid homedir shell
SQLGroupInfo ftp_groups groupname gid members
#
SQLUserWhereClause "login_enabled = 'y'"
SQLLog PASS login
SQLNamedQuery login UPDATE "last_login=now(), login_count=login_count+1 WHERE username='%u'" ftp_users
SQLLog RETR download
SQLNamedQuery download UPDATE "down_count=down_count+1, down_bytes=down_bytes+%b WHERE username='%u'" ftp_users
SQLLog STOR upload
SQLNamedQuery upload UPDATE "up_count=up_count+1, up_bytes=up_bytes+%b WHERE username='%u'" ftp_users
QuotaEngine on
QuotaShowQuotas on
QuotaDisplayUnits Mb
QuotaLock /var/lock/ftpd.quotatab.lock
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimits.quota_type, ftp_quotalimits.per_session, ftp_quotalimits.limit_type, panel_customers.diskspace*1024 AS bytes_in_avail, ftp_quotalimits.bytes_out_avail, ftp_quotalimits.bytes_xfer_avail, ftp_quotalimits.files_in_avail, ftp_quotalimits.files_out_avail, ftp_quotalimits.files_xfer_avail FROM ftp_users, ftp_quotalimits, panel_customers WHERE ftp_users.username = '%{0}' AND panel_customers.loginname = SUBSTRING_INDEX('%{0}', 'ftp', 1) AND quota_type ='%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
</IfModule>
]]>
</content>
</file>
<file name="/etc/proftpd/tls.conf" chown="root:root"
chmod="0644" backup="true">
<content><![CDATA[
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2 TLSv1.3
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt
TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key
# TLSCACertificateFile
TLSOptions NoSessionReuseRequired
TLSVerifyClient off
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired on
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate required off
</IfModule>
]]>
</content>
</file>
<file name="/etc/proftpd/conf.d/99-froxlor-ratelimit.conf" chown="root:0"
chmod="0644">
<content><![CDATA[
<Class whitelist>
From 127.0.0.1
</Class>
MaxLoginAttempts 3
<IfModule mod_ban.c>
<IfClass whitelist>
BanEngine off
</IfClass>
<IfClass !whitelist>
BanEngine on
</IfClass>
BanLog /var/log/proftpd/ban.log
BanTable /etc/proftpd/ban.tab
BanMessage "User %u was banned."
BanOnEvent ClientConnectRate 10/00:00:02 02:00:00 "Stop connecting frequently"
BanOnEvent MaxLoginAttempts 3/00:30:00 12:00:00
BanOnEvent AnonRejectPasswords 1/01:00:00 99:99:99
BanControlsACLs all allow user root
</IfModule>
<IfClass whitelist>
BanEngine off
DelayEngine off
</IfClass>
]]>
</content>
</file>
<command><![CDATA[service proftpd restart]]></command>
</daemon>
<!-- Pureftpd -->
<daemon name="pureftpd" title="PureFTPd">
<install><![CDATA[apt-get install pure-ftpd-common pure-ftpd-mysql]]></install>
<file name="/etc/pure-ftpd/create-cert.sh" chown="root:0"
chmod="0700">
<content><![CDATA[#!/bin/bash
[ -f /etc/ssl/private/pure-ftpd.pem ] || openssl req -x509 -nodes -days 7300 -newkey rsa:4096 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072
chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem
]]>
</content>
</file>
<commands index="1">
<command><![CDATA[/etc/pure-ftpd/create-cert.sh]]></command>
<command><![CDATA[rm -f /etc/pure-ftpd/create-cert.sh]]></command>
</commands>
<file name="/etc/pure-ftpd/conf/TLS"
chown="root:0" chmod="0644">
<content><![CDATA[
1
]]>
</content>
</file>
<file name="/etc/pure-ftpd/conf/MinUID" chown="root:0"
chmod="0644">
<content><![CDATA[
1000
]]>
</content>
</file>
<file name="/etc/pure-ftpd/conf/MySQLConfigFile"
chown="root:0" chmod="0644">
<content><![CDATA[
/etc/pure-ftpd/db/mysql.conf
]]>
</content>
</file>
<file name="/etc/pure-ftpd/conf/NoAnonymous" chown="root:0"
chmod="0644">
<content><![CDATA[
yes
]]>
</content>
</file>
<file name="/etc/pure-ftpd/conf/MaxIdleTime" chown="root:0"
chmod="0644">
<content><![CDATA[
15
]]>
</content>
</file>
<file name="/etc/pure-ftpd/conf/ChrootEveryone" chown="root:0"
chmod="0644">
<content><![CDATA[
yes
]]>
</content>
</file>
<file name="/etc/pure-ftpd/conf/PAMAuthentication"
chown="root:0" chmod="0644">
<content><![CDATA[
no
]]>
</content>
</file>
<file name="/etc/pure-ftpd/db/mysql.conf" chown="root:0"
chmod="0640" backup="true">
<content><![CDATA[
##############################################
# #
# Sample Pure-FTPd Mysql configuration file. #
# See README.MySQL for explanations. #
# #
##############################################
# Optional : MySQL server name or IP. Don't define this for unix sockets.
# MYSQLServer 127.0.0.1
# Optional : MySQL port. Don't define this if a local unix socket is used.
# MYSQLPort 3306
# Optional : define the location of mysql.sock if the server runs on this host.
MYSQLSocket /var/run/mysqld/mysqld.sock
# Mandatory : user to bind the server as.
MYSQLUser <SQL_UNPRIVILEGED_USER>
# Mandatory : user password. You must have a password.
MYSQLPassword <SQL_UNPRIVILEGED_PASSWORD>
# Mandatory : database to open.
MYSQLDatabase <SQL_DB>
# Mandatory : how passwords are stored
# Valid values are : "cleartext", "crypt", "sha1", "md5" and "password"
# ("password" = MySQL password() function)
# You can also use "any" to try "crypt", "sha1", "md5" *and* "password"
MYSQLCrypt any
# In the following directives, parts of the strings are replaced at
# run-time before performing queries :
#
# \L is replaced by the login of the user trying to authenticate.
# \I is replaced by the IP address the user connected to.
# \P is replaced by the port number the user connected to.
# \R is replaced by the IP address the user connected from.
# \D is replaced by the remote IP address, as a long decimal number.
#
# Very complex queries can be performed using these substitution strings,
# especially for virtual hosting.
# Query to execute in order to fetch the password
MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
# Query to execute in order to fetch the system user name or uid
MYSQLGetUID SELECT uid FROM ftp_users WHERE username="\L" AND login_enabled="y"
# Optional : default UID - if set this overrides MYSQLGetUID
#MYSQLDefaultUID 1000
# Query to execute in order to fetch the system user group or gid
MYSQLGetGID SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled="y"
# Optional : default GID - if set this overrides MYSQLGetGID
#MYSQLDefaultGID 1000
# Query to execute in order to fetch the home directory
MYSQLGetDir SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y"
# Optional : query to get the maximal number of files
# Pure-FTPd must have been compiled with virtual quotas support.
# MySQLGetQTAFS SELECT QuotaFiles FROM users WHERE User='\L'
# Optional : query to get the maximal disk usage (virtual quotas)
# The number should be in Megabytes.
# Pure-FTPd must have been compiled with virtual quotas support.
MySQLGetQTASZ SELECT CASE WHEN panel_customers.diskspace = 0 THEN -1 WHEN panel_customers.diskspace <= -1 THEN 0 ELSE panel_customers.diskspace/1024 END AS QuotaSize FROM panel_customers, ftp_users WHERE username = "\L" AND panel_customers.loginname = SUBSTRING_INDEX('\L', 'ftp', 1)
# Optional : ratios. The server has to be compiled with ratio support.
# MySQLGetRatioUL SELECT ULRatio FROM users WHERE User='\L'
# MySQLGetRatioDL SELECT DLRatio FROM users WHERE User='\L'
# Optional : bandwidth throttling.
# The server has to be compiled with throttling support.
# Values are in KB/s .
# MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User='\L'
# MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L'
# Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
# 1) You know what you are doing.
# 2) Real and virtual users match.
# MySQLForceTildeExpansion 1
# If you're using a transactionnal storage engine, you can enable SQL
# transactions to avoid races. Leave this commented if you are using the
# traditional MyIsam engine.
# MySQLTransactions On
]]>
</content>
</file>
<file name="/etc/pure-ftpd/conf/CustomerProof" chown="root:0"
chmod="0644">
<content><![CDATA[
1
]]>
</content>
</file>
<file name="/etc/pure-ftpd/conf/Bind" chown="root:0"
chmod="0644">
<content><![CDATA[
21
]]>
</content>
</file>
<file name="/etc/default/pure-ftpd-common" chown="root:0"
chmod="0644" backup="true">
<content><![CDATA[
# Configuration for pure-ftpd
# (this file is sourced by /bin/sh, edit accordingly)
# STANDALONE_OR_INETD
# valid values are "standalone" and "inetd".
# Any change here overrides the setting in debconf.
STANDALONE_OR_INETD=standalone
# VIRTUALCHROOT:
# whether to use binary with virtualchroot support
# valid values are "true" or "false"
# Any change here overrides the setting in debconf.
VIRTUALCHROOT=false
# UPLOADSCRIPT: if this is set and the daemon is run in standalone mode,
# pure-uploadscript will also be run to spawn the program given below
# for handling uploads. see /usr/share/doc/pure-ftpd/README.gz or
# pure-uploadscript(8)
# example: UPLOADSCRIPT=/usr/local/sbin/uploadhandler.pl
UPLOADSCRIPT=
# if set, pure-uploadscript will spawn running as the
# given uid and gid
UPLOADUID=
UPLOADGID=
]]>
</content>
</file>
<command><![CDATA[service pure-ftpd-mysql restart]]></command>
</daemon>
</service>
<!-- System tools/services -->
<service type="system" title="{{lng.admin.configfiles.etc}}">
<!-- Webalizer -->
<daemon name="webalizer"
title="Webalizer (traffic analyzer)">
<install><![CDATA[apt-get install webalizer]]></install>
</daemon>
<!-- goaccess -->
<daemon name="goaccess"
title="goaccess (traffic analyzer)" default="true">
<install><![CDATA[apt-get install goaccess jq]]></install>
</daemon>
<!-- AWstats -->
<daemon name="awstats"
title="Awstats (traffic analyzer)">
<install><![CDATA[apt-get install awstats]]></install>
<command><![CDATA[mv {{settings.system.awstats_conf}}/awstats.conf {{settings.system.awstats_conf}}/awstats.model.conf]]></command>
<command><![CDATA[sed -i.bak 's/^DirData/# DirData/' {{settings.system.awstats_conf}}/awstats.model.conf]]></command>
<command><![CDATA[sed -i.bak 's|^\\(DirIcons=\\).*$|\\1\\"/awstats-icon\\"|' {{settings.system.awstats_conf}}/awstats.model.conf]]></command>
<command><![CDATA[rm /etc/cron.d/awstats]]></command>
<command><![CDATA[rm /etc/logrotate.d/httpd-prerotate/awstats]]></command>
</daemon>
<!-- libnss-extrausers -->
<daemon name="libnssextrausers"
title="libnss-extrausers">
<install><![CDATA[apt-get install libnss-extrausers]]></install>
<commands index="1">
<command><![CDATA[mkdir -p /var/lib/extrausers]]></command>
<command><![CDATA[touch /var/lib/extrausers/passwd]]></command>
<command><![CDATA[touch /var/lib/extrausers/group]]></command>
<command><![CDATA[touch /var/lib/extrausers/shadow]]></command>
</commands>
<file name="/etc/nsswitch.conf" backup="true">
<content><![CDATA[
# Make sure that `passwd`, `group` and `shadow` have extrausers in their lines
# You should place extrausers at the end, so that it is queried after the other mechanisams
#
passwd: files systemd compat extrausers
group: files systemd compat extrausers
shadow: files compat extrausers
gshadow: files
hosts: files dns
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
]]>
</content>
</file>
<commands index="2">
<command><![CDATA[mv /var/spool/postfix/etc/nsswitch.conf /var/spool/postfix/etc/nsswitch.conf.frx.bak]]></command>
<command><![CDATA[cp /etc/nsswitch.conf /var/spool/postfix/etc/nsswitch.conf]]></command>
</commands>
<include>//service[@type='smtp']/general/commands[@index=3]
</include>
</daemon>
<!-- Logrotate -->
<daemon name="logrotate" title="Logrotate">
<install><![CDATA[apt-get install logrotate]]></install>
<file name="/etc/logrotate.d/froxlor" chown="root:root"
chmod="0644">
<content><![CDATA[
#
# Froxlor logrotate snippet
#
<CUSTOMER_LOGS>*.log {
missingok
daily
rotate 7
compress
delaycompress
notifempty
create
sharedscripts
postrotate
<WEBSERVER_RELOAD_CMD> > /dev/null 2>&1 || true
endscript
}
]]>
</content>
</file>
</daemon>
<!-- FCGID -->
<daemon name="fcgid" title="FCGID">
<install><![CDATA[apt-get install apache2-suexec-pristine libapache2-mod-fcgid php-cgi]]></install>
<command><![CDATA[a2enmod suexec fcgid]]></command>
<commands index="1">
<visibility mode="true">{{settings.system.mod_fcgid_ownvhost}}
</visibility>
<command><![CDATA[groupadd -f {{settings.system.mod_fcgid_httpgroup}}]]></command>
<command><![CDATA[useradd -s /bin/false -g {{settings.system.mod_fcgid_httpgroup}} {{settings.system.mod_fcgid_httpuser}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_configdir}}]]></command>
<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_tmpdir}}]]></command>
<command><![CDATA[chmod 1777 {{settings.system.mod_fcgid_tmpdir}}]]></command>
<command><![CDATA[a2dismod php7.4]]></command>
</commands>
<!-- instead of just restarting apache, we let the cronjob do all the
dirty work -->
<command><![CDATA[php {{const.install_dir}}bin/froxlor-cli froxlor:cron --force]]></command>
</daemon>
<!-- PHP-FPM -->
<daemon name="php-fpm"
title="PHP-FPM">
<install>
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<content><![CDATA[apt-get install apache2-suexec-pristine]]></content>
</install>
<install><![CDATA[apt-get install php-fpm]]></install>
<commands index="2">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<command><![CDATA[a2enmod suexec proxy_fcgi actions]]></command>
</commands>
<commands index="3">
<visibility mode="true">{{settings.phpfpm.enabled_ownvhost}}
</visibility>
<visibility mode="usernamenotexists">{{settings.phpfpm.vhost_httpuser}}
</visibility>
<command><![CDATA[groupadd -f {{settings.phpfpm.vhost_httpgroup}}]]></command>
<command><![CDATA[useradd -s /bin/false -g {{settings.phpfpm.vhost_httpgroup}} {{settings.phpfpm.vhost_httpuser}}]]></command>
</commands>
<commands index="4">
<visibility mode="equals" value="apache2">{{settings.system.webserver}}
</visibility>
<visibility mode="true">{{settings.phpfpm.enabled_ownvhost}}
</visibility>
<command><![CDATA[a2dismod php7.4]]></command>
</commands>
<!-- instead of just restarting apache, we let the cronjob do all the
dirty work -->
<command><![CDATA[php {{const.install_dir}}bin/froxlor-cli froxlor:cron --force]]></command>
</daemon>
<!-- Cronjob -->
<daemon name="cron" title="Cronjob for froxlor"
mandatory="true">
<install><![CDATA[apt-get install cron gnupg]]></install>
<command><![CDATA[[ ! -e /usr/local/bin/froxlor-cli ] && ln -s <BASE_PATH>bin/froxlor-cli /usr/local/bin/froxlor-cli]]></command>
<command><![CDATA[/usr/bin/php <BASE_PATH>bin/froxlor-cli froxlor:cron --run-task 99]]></command>
<command><![CDATA[{{settings.system.crondreload}}]]></command>
</daemon>
</service>
</services>
</distribution>
</froxlor>
Reference in New Issue View Git Blame Copy Permalink