File leap42.xml of Package froxlor
<?xml version="1.0" encoding="UTF-8"?> <!-- froxlor distribution template for openSUSE Leap 42. Each service lists one or more daemons; a daemon is made of install commands, files to write (name, optional chown/chmod/backup) and shell commands to run. The {{settings.*}} and {{lng.*}} placeholders are presumably substituted by froxlor before the entries are shown or executed (confirm in the template renderer). A visibility element gates its parent on the named setting; modes used in this file: isdir, isfile, notempty, true, false. --> <froxlor> <distribution name="openSUSE Leap" version="42" defaulteditor="/usr/bin/vim"> <services> <!-- HTTP --> <service type="http" title="{{lng.admin.configfiles.http}}"> <!-- general HTTP commands --> <!-- Shared by every HTTP daemon via <include>//service[@type='http']/general/commands</include>: create the vhost and diroptions config path (directory or single file), restrict it to root (chown root:0, chmod 0600), and create the docroot, logfile and fcgid temp directories. The fcgid tmpdir is deliberately world-writable with the sticky bit (1777), like /tmp. --> <general> <commands index="1"> <command> <visibility mode="isdir">{{settings.system.apacheconf_vhost}} </visibility> <content><![CDATA[mkdir -p {{settings.system.apacheconf_vhost}}]]></content> </command> <command> <visibility mode="isfile">{{settings.system.apacheconf_vhost}} </visibility> <content><![CDATA[touch {{settings.system.apacheconf_vhost}}]]></content> </command> <command><![CDATA[chown root:0 {{settings.system.apacheconf_vhost}}]]></command> <command><![CDATA[chmod 0600 {{settings.system.apacheconf_vhost}}]]></command> <command> <visibility mode="isdir">{{settings.system.apacheconf_diroptions}} </visibility> <content><![CDATA[mkdir -p {{settings.system.apacheconf_diroptions}}]]></content> </command> <command> <visibility mode="isfile">{{settings.system.apacheconf_diroptions}} </visibility> <content><![CDATA[touch {{settings.system.apacheconf_diroptions}}]]></content> </command> <command><![CDATA[chown root:0 {{settings.system.apacheconf_diroptions}}]]></command> <command><![CDATA[chmod 0600 {{settings.system.apacheconf_diroptions}}]]></command> <command><![CDATA[mkdir -p {{settings.system.documentroot_prefix}}]]></command> <command><![CDATA[mkdir -p {{settings.system.logfiles_directory}}]]></command> <command><![CDATA[mkdir -p {{settings.system.mod_fcgid_tmpdir}}]]></command> <command><![CDATA[chmod 1777 {{settings.system.mod_fcgid_tmpdir}}]]></command> <command> <visibility mode="notempty">{{settings.system.deactivateddocroot}} </visibility> <content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content> </command> </commands> </general> <!-- HTTP Apache --> <daemon name="apache" version="2.4" title="Apache 2.4" default="true"> <install><![CDATA[zypper install apache2]]></install> 
<include>//service[@type='http']/general/commands</include> <command><![CDATA[a2dismod userdir]]></command> <command><![CDATA[a2enmod headers]]></command> <command> <visibility mode="true">{{settings.phpfpm.enabled}} </visibility> <content><![CDATA[zypper install apache2-mod_fastcgi]]></content> </command> <!-- Only written when php-fpm is enabled. NOTE(review): inside the /fastcgiphp Location, "Require all granted" is listed next to "Require env REDIRECT_STATUS"; Apache 2.4 evaluates several Require lines as any-of unless they are wrapped in a RequireAll container, so the all-granted line alone decides and the REDIRECT_STATUS condition never restricts anything. If the handler is meant to accept only internally redirected requests, drop the all-granted line or wrap both in RequireAll. FPM_IPCDIR is presumably a further froxlor placeholder (confirm). --> <file name="/etc/apache2/conf.d/fastcgi.conf"> <visibility mode="true">{{settings.phpfpm.enabled}} </visibility> <content><![CDATA[ <IfModule mod_fastcgi.c> FastCgiIpcDir <FPM_IPCDIR> <Location "/fastcgiphp"> Require all granted Require env REDIRECT_STATUS </Location> </IfModule> ]]> </content> </file> <!-- ACME http-01 challenge alias, written only when Let's Encrypt support is enabled. Unauthenticated access to the challenge directory is required here because the CA fetches the token anonymously. --> <file name="{{settings.system.letsencryptacmeconf}}"> <visibility mode="true">{{settings.system.leenabled}} </visibility> <content><![CDATA[ Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge" <Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"> Require all granted </Directory> ]]> </content> </file> <command><![CDATA[systemctl reload-or-restart apache2.service]]></command> </daemon> <!-- HTTP Lighttpd --> <!-- lighttpd runs as wwwrun:www (server.username/server.groupname below). After writing lighttpd.conf the daemon appends include lines for the froxlor vhost/diroptions path with "echo ... >> /etc/lighttpd/lighttpd.conf"; NOTE(review): those appends are not idempotent, a second run leaves duplicate include lines. The restart uses /etc/init.d/lighttpd while the apache daemon above uses systemctl; verify that init script exists on Leap 42. --> <daemon name="lighttpd" title="LigHTTPd"> <install><![CDATA[zypper install lighttpd]]></install> <file name="/etc/lighttpd/lighttpd.conf"> <content><![CDATA[ server.modules = ( "mod_access", "mod_alias", "mod_compress", "mod_redirect", "mod_rewrite", "mod_setenv", ) server.document-root = "/srv/www" server.upload-dirs = ( "/var/cache/lighttpd/uploads" ) server.errorlog = "/var/log/lighttpd/error.log" server.pid-file = "/var/run/lighttpd.pid" server.username = "wwwrun" server.groupname = "www" server.port = 80 index-file.names = ( "index.php", "index.html", "index.lighttpd.html" ) url.access-deny = ( "~", ".inc" ) static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) compress.cache-dir = "/var/cache/lighttpd/compress/" compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" ) alias.url += ("/.well-known/acme-challenge/" => 
"{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/") # default listening port for IPv6 falls back to the IPv4 port include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port include_shell "/usr/share/lighttpd/create-mime.assign.pl" include_shell "/usr/share/lighttpd/include-conf-enabled.pl" ]]> </content> </file> <include>//service[@type='http']/general/commands</include> <command> <visibility mode="isdir">{{settings.system.apacheconf_vhost}} </visibility> <content><![CDATA[echo -e '\\ninclude_shell "cat {{settings.system.apacheconf_vhost}}*.conf"' >> /etc/lighttpd/lighttpd.conf]]></content> </command> <command> <visibility mode="isfile">{{settings.system.apacheconf_vhost}} </visibility> <content><![CDATA[echo -e '\\ninclude "{{settings.system.apacheconf_vhost}}"' >> /etc/lighttpd/lighttpd.conf]]></content> </command> <command> <visibility mode="isdir">{{settings.system.apacheconf_diroptions}} </visibility> <content><![CDATA[echo -e '\\ninclude_shell "cat {{settings.system.apacheconf_diroptions}}*.conf"' >> /etc/lighttpd/lighttpd.conf]]></content> </command> <command> <visibility mode="isfile">{{settings.system.apacheconf_diroptions}} </visibility> <content><![CDATA[echo -e '\\ninclude "{{settings.system.apacheconf_diroptions}}"' >> /etc/lighttpd/lighttpd.conf]]></content> </command> <command><![CDATA[lighty-disable-mod cgi]]></command> <command><![CDATA[lighty-disable-mod fastcgi]]></command> <command><![CDATA[/etc/init.d/lighttpd restart]]></command> </daemon> <!-- HTTP Nginx --> <!-- NOTE(review): the nginx.conf below looks Debian-derived (user www-data; include /etc/nginx/sites-enabled/*;), and the php-fcgi init script further down runs php-cgi as USER="www-data" via start-stop-daemon and stops it with killall, whereas the lighttpd config in this same file uses wwwrun/www. Verify that the www-data account, the sites-enabled path and start-stop-daemon exist on Leap 42; if www-data is missing, nginx and php-cgi will not start. Hardening: "server_tokens off;" is left commented in nginx.conf, so the exact nginx version is disclosed in response headers. --> <daemon name="nginx" title="nginx"> <install><![CDATA[zypper install nginx]]></install> <install> <visibility mode="false">{{settings.phpfpm.enabled}} </visibility> <visibility mode="false">{{settings.system.mod_fcgid}} </visibility> <content><![CDATA[zypper install php7-cgi]]></content> </install> <file name="/etc/nginx/nginx.conf"> <content><![CDATA[ user www-data; worker_processes 4; pid /var/run/nginx.pid; events { worker_connections 768; # multi_accept on; 
} http { ## # Basic Settings ## sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Gzip Settings ## gzip on; gzip_disable "msie6"; # gzip_vary on; # gzip_proxied any; # gzip_comp_level 6; # gzip_buffers 16 8k; # gzip_http_version 1.1; # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; ## # nginx-naxsi config ## # Uncomment it if you installed nginx-naxsi ## #include /etc/nginx/naxsi_core.rules; ## # nginx-passenger config ## # Uncomment it if you installed nginx-passenger ## #passenger_root /usr; #passenger_ruby /usr/bin/ruby; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } #mail { # # See sample authentication script at: # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # # # auth_http localhost/auth.php; # # pop3_capabilities "TOP" "USER"; # # imap_capabilities "IMAP4rev1" "UIDPLUS"; # # server { # listen localhost:110; # protocol pop3; # proxy on; # } # # server { # listen localhost:143; # protocol imap; # proxy on; # } #} ]]> </content> </file> <!-- fastcgi_params: passes the standard CGI variables to php plus REDIRECT_STATUS 200, the value php-cgi expects when built with force-cgi-redirect (see the comment inside the file). --> <file name="/etc/nginx/fastcgi_params"> <content><![CDATA[ fastcgi_connect_timeout 65; fastcgi_send_timeout 180; fastcgi_read_timeout 180; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param SERVER_PROTOCOL $server_protocol; fastcgi_param HTTPS $https if_not_empty; 
fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; # PHP only, required if PHP was built with --enable-force-cgi-redirect fastcgi_param REDIRECT_STATUS 200; ]]> </content> </file> <!-- ACME http-01 challenge location for nginx; enabled by the same settings.system.leenabled flag as the apache variant. --> <file name="{{settings.system.letsencryptacmeconf}}"> <visibility mode="true">{{settings.system.leenabled}} </visibility> <content><![CDATA[ location /.well-known/acme-challenge { alias {{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge; location ~ /.well-known/acme-challenge/(.*) { default_type text/plain; } } ]]> </content> </file> <!-- Fallback php-cgi supervisor, written only when neither php-fpm nor mod_fcgid is enabled. php-cgi listens on loopback only (127.0.0.1:8888), is started with a minimal environment (PATH=/usr/bin plus the PHP_FCGI_* limits) and the script is made executable for its owner (chmod u+x). --> <file name="/etc/init.d/php-fcgi" chmod="u+x"> <visibility mode="false">{{settings.phpfpm.enabled}} </visibility> <visibility mode="false">{{settings.system.mod_fcgid}} </visibility> <content><![CDATA[ #!/bin/bash BIND="127.0.0.1:8888" USER="www-data" PHP_FCGI_CHILDREN="15" PHP_FCGI_MAX_REQUESTS="1000" PHP_CGI="/usr/bin/php-cgi" PHP_CGI_NAME="$(basename ${PHP_CGI})" PHP_CGI_ARGS="- USER=${USER} PATH=/usr/bin PHP_FCGI_CHILDREN=${PHP_FCGI_CHILDREN} PHP_FCGI_MAX_REQUESTS=${PHP_FCGI_MAX_REQUESTS} ${PHP_CGI} -b ${BIND}" RETVAL="0" start() { echo -n "Starting PHP FastCGI: " start-stop-daemon --quiet --start --background --chuid "$USER" --exec /usr/bin/env -- $PHP_CGI_ARGS RETVAL="$?" echo "${PHP_CGI_NAME}." } stop() { echo -n "Stopping PHP FastCGI: " killall -q -w -u ${USER} ${PHP_CGI} RETVAL="$?" echo "${PHP_CGI_NAME}." 
} case "$1" in start) start ;; stop) stop ;; restart) stop start ;; *) echo "Usage: php-fastcgi {start|stop|restart}" exit 1 ;; esac exit "$RETVAL" ]]> </content> </file> <include>//service[@type='http']/general/commands</include> <command> <visibility mode="false">{{settings.phpfpm.enabled}} </visibility> <visibility mode="false">{{settings.system.mod_fcgid}} </visibility> <content><![CDATA[/etc/init.d/php-fcgi restart]]></content> </command> <command><![CDATA[/etc/init.d/nginx restart]]></command> </daemon> </service> <!--DNS --> <service type="dns" title="{{lng.admin.configfiles.dns}}"> <!--Bind9 --> <!-- Appends an include of froxlor_bind.conf to /etc/named.d/named.conf.local on every run (not idempotent, same as the lighttpd appends), creates the file and gives it to bind:0 with mode 0644 (zone data, not a secret). NOTE(review): the package name "named", the "bind" owner and the named.conf.local path look Debian-derived; on openSUSE the package is usually "bind" and the service account "named", so verify these before relying on this daemon. --> <daemon name="bind" title="Bind9 nameserver"> <install><![CDATA[zypper install named]]></install> <command><![CDATA[echo "include \"{{settings.system.bindconf_directory}}froxlor_bind.conf\";" >> /etc/named.d/named.conf.local]]></command> <command><![CDATA[touch {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command> <command><![CDATA[chown bind:0 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command> <command><![CDATA[chmod 0644 {{settings.system.bindconf_directory}}froxlor_bind.conf]]></command> <command><![CDATA[systemctl restart named]]></command> </daemon> <!-- PowerDNS with the gmysql backend. pdns.conf below is the upstream distributed file with, judging by the comment markers, these lines active: allow-axfr-ips limited to loopback plus the NAMESERVERS_IP / AXFRSERVERS placeholders, allow-recursion=127.0.0.1, local-address=SERVERIP,127.0.0.1, master=yes, version-string=powerdns (replaces the full version string in packets, see the option's own description) and include-dir=/etc/pdns/froxlor/. The file is backed up first and written mode 600. NOTE(review): setuid/setgid remain commented out in this variant while the powerdns_bind daemon below sets setuid=pdns and setgid=pdns; consider dropping privileges here as well. Database credentials go to /etc/pdns/froxlor/pdns_froxlor.conf (root:root, 0600) with gmysql-password left empty for the admin to fill in. --> <daemon name="powerdns" title="PowerDNS (standalone)"> <install><![CDATA[zypper install pdns pdns-backend-mysql]]></install> <file name="/etc/pdns/pdns.conf" backup="true" chmod="600"> <content><![CDATA[ ################################# # allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> # add these entries to the list if any speficied: <AXFRSERVERS> ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. 
# # allow-dnsupdate-from=127.0.0.0/8,::1 ################################# # allow-recursion List of subnets that are allowed to recurse # allow-recursion=127.0.0.1 ################################# # also-notify When notifying a domain, also notify these nameservers # # also-notify= ################################# # any-to-tcp Answer ANY queries with tc=1, shunting to TCP # # any-to-tcp=no ################################# # cache-ttl Seconds to store packets in the PacketCache # # cache-ttl=20 ################################# # carbon-interval Number of seconds between carbon (graphite) updates # # carbon-interval=30 ################################# # carbon-ourname If set, overrides our reported hostname for carbon stats # # carbon-ourname= ################################# # carbon-server If set, send metrics in carbon (graphite) format to this server # # carbon-server= ################################# # chroot If set, chroot to this directory for more security # # chroot= ################################# # config-dir Location of configuration directory (pdns.conf) # # config-dir=/etc/pdns ################################# # config-name Name of this virtual configuration - will rename the binary image # # config-name= ################################# # control-console Debugging switch - don't use # # control-console=no ################################# # daemon Operate as a daemon # # daemon=no ################################# # default-ksk-algorithms Default KSK algorithms # # default-ksk-algorithms=rsasha256 ################################# # default-ksk-size Default KSK size (0 means default) # # default-ksk-size=0 ################################# # default-soa-mail mail address to insert in the SOA record if none set in the backend # # default-soa-mail= ################################# # default-soa-name name to insert in the SOA record if none set in the backend # # default-soa-name=a.misconfigured.powerdns.server 
################################# # default-ttl Seconds a result is valid if not set otherwise # # default-ttl=3600 ################################# # default-zsk-algorithms Default ZSK algorithms # # default-zsk-algorithms=rsasha256 ################################# # default-zsk-size Default ZSK size (0 means default) # # default-zsk-size=0 ################################# # direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis # # direct-dnskey=no ################################# # disable-axfr Disable zonetransfers but do allow TCP queries # # disable-axfr=no ################################# # disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing. # # disable-axfr-rectify=no ################################# # disable-tcp Do not listen to TCP queries # # disable-tcp=no ################################# # distributor-threads Default number of Distributor (backend) threads to start # # distributor-threads=3 ################################# # do-ipv6-additional-processing Do AAAA additional processing # # do-ipv6-additional-processing=yes ################################# # edns-subnet-processing If we should act on EDNS Subnet options # # edns-subnet-processing=no ################################# # entropy-source If set, read entropy from this file # # entropy-source=/dev/urandom ################################# # experimental-api-key REST API Static authentication key (required for API use) # # experimental-api-key= ################################# # experimental-api-readonly If the JSON API should disallow data modification # # experimental-api-readonly=no ################################# # experimental-dname-processing If we should support DNAME records # # experimental-dname-processing=no ################################# # experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no. 
# # experimental-dnsupdate=no ################################# # experimental-json-interface If the webserver should serve JSON data # # experimental-json-interface=no ################################# # experimental-logfile Filename of the log file for JSON parser # # experimental-logfile=/var/log/pdns.log ################################# # forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master. # # forward-dnsupdate=yes ################################# # guardian Run within a guardian process # # guardian=no ################################# # include-dir Include *.conf files from this directory # # include-dir= ################################# # launch Which backends to launch and order to query them in # # launch= ################################# # load-modules Load this module - supply absolute or relative path # # load-modules= ################################# # local-address Local IP addresses to which we bind # local-address=<SERVERIP>,127.0.0.1 ################################# # local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server # # local-address-nonexist-fail=yes ################################# # local-ipv6 Local IP address to which we bind # # local-ipv6= ################################# # local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server # # local-ipv6-nonexist-fail=yes ################################# # local-port The port on which we listen # # local-port=53 ################################# # log-dns-details If PDNS should log DNS non-erroneous details # # log-dns-details=no ################################# # log-dns-queries If PDNS should log all incoming DNS queries # # log-dns-queries=no ################################# # logging-facility Log under a specific facility # # logging-facility= ################################# # loglevel Amount of logging. 
Higher is more. Do not set below 3 # # loglevel=4 ################################# # lua-prequery-script Lua script with prequery handler # # lua-prequery-script= ################################# # master Act as a master # master=yes ################################# # max-cache-entries Maximum number of cache entries # # max-cache-entries=1000000 ################################# # max-ent-entries Maximum number of empty non-terminals in a zone # # max-ent-entries=100000 ################################# # max-nsec3-iterations Limit the number of NSEC3 hash iterations # # max-nsec3-iterations=500 ################################# # max-queue-length Maximum queuelength before considering situation lost # # max-queue-length=5000 ################################# # max-signature-cache-entries Maximum number of signatures cache entries # # max-signature-cache-entries= ################################# # max-tcp-connections Maximum number of TCP connections # # max-tcp-connections=10 ################################# # module-dir Default directory for modules # # module-dir=/usr/lib/TRIPLET/pdns ################################# # negquery-cache-ttl Seconds to store negative query results in the QueryCache # # negquery-cache-ttl=60 ################################# # no-shuffle Set this to prevent random shuffling of answers - for regression testing # # no-shuffle=off ################################# # only-notify Only send AXFR NOTIFY to these IP addresses or netmasks # # only-notify=0.0.0.0/0,::/0 ################################# # out-of-zone-additional-processing Do out of zone additional processing # # out-of-zone-additional-processing=yes ################################# # overload-queue-length Maximum queuelength moving to packetcache only # # overload-queue-length=0 ################################# # pipebackend-abi-version Version of the pipe backend ABI # # pipebackend-abi-version=1 ################################# # prevent-self-notification Don't 
send notifications to what we think is ourself # # prevent-self-notification=yes ################################# # query-cache-ttl Seconds to store query results in the QueryCache # # query-cache-ttl=20 ################################# # query-local-address Source IP address for sending queries # # query-local-address=0.0.0.0 ################################# # query-local-address6 Source IPv6 address for sending queries # # query-local-address6=:: ################################# # query-logging Hint backends that queries should be logged # # query-logging=no ################################# # queue-limit Maximum number of milliseconds to queue a query # # queue-limit=1500 ################################# # receiver-threads Default number of receiver threads to start # # receiver-threads=1 ################################# # recursive-cache-ttl Seconds to store packets for recursive queries in the PacketCache # # recursive-cache-ttl=10 ################################# # recursor If recursion is desired, IP address of a recursing nameserver # # recursor=no ################################# # retrieval-threads Number of AXFR-retrieval threads for slave operation # # retrieval-threads=2 ################################# # reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket # # reuseport=no ################################# # security-poll-suffix Domain name from which to query security update notifications # # security-poll-suffix=secpoll.powerdns.com. 
################################# # send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority # # send-root-referral=no ################################# # server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom # # server-id= ################################# # setgid If set, change group id to this gid for more security # # setgid= ################################# # setuid If set, change user id to this uid for more security # # setuid= ################################# # signing-threads Default number of signer threads to start # # signing-threads=3 ################################# # slave Act as a slave # # slave=no ################################# # slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds # # slave-cycle-interval=60 ################################# # slave-renotify If we should send out notifications for slaved updates # # slave-renotify=no ################################# # soa-expire-default Default SOA expire # # soa-expire-default=604800 ################################# # soa-minimum-ttl Default SOA minimum ttl # # soa-minimum-ttl=3600 ################################# # soa-refresh-default Default SOA refresh # # soa-refresh-default=10800 ################################# # soa-retry-default Default SOA retry # # soa-retry-default=3600 ################################# # socket-dir Where the controlsocket will live # # socket-dir=/var/run ################################# # tcp-control-address If set, PowerDNS can be controlled over TCP on this address # # tcp-control-address= ################################# # tcp-control-port If set, PowerDNS can be controlled over TCP on this address # # tcp-control-port=53000 ################################# # tcp-control-range If set, remote control of PowerDNS is possible over these networks only # # tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, 
fe80::/10 ################################# # tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret # # tcp-control-secret= ################################# # traceback-handler Enable the traceback handler (Linux only) # # traceback-handler=yes ################################# # trusted-notification-proxy IP address of incoming notification proxy # # trusted-notification-proxy= ################################# # udp-truncation-threshold Maximum UDP response size before we truncate # # udp-truncation-threshold=1680 ################################# # version-string PowerDNS version in packets - full, anonymous, powerdns or custom # version-string=powerdns ################################# # webserver Start a webserver for monitoring # # webserver=no ################################# # webserver-address IP Address of webserver to listen on # # webserver-address=127.0.0.1 ################################# # webserver-allow-from Webserver access is only allowed from these subnets # # webserver-allow-from=0.0.0.0/0,::/0 ################################# # webserver-password Password required for accessing the webserver # # webserver-password= ################################# # webserver-port Port of webserver to listen on # # webserver-port=8081 ################################# # webserver-print-arguments If the webserver should print arguments # # webserver-print-arguments=no # include froxlor-bind-specific config include-dir=/etc/pdns/froxlor/ ]]> </content> </file> <command><![CDATA[mkdir -p /etc/pdns/froxlor/]]></command> <file name="/etc/pdns/froxlor/pdns_froxlor.conf" chown="root:root" chmod="600"> <content><![CDATA[ # mysql-settings / you need to create the power-dns database for yourself! 
launch=gmysql gmysql-host=127.0.0.1 gmysql-port=3306 gmysql-dbname=pdns gmysql-user=powerdns gmysql-group=client gmysql-password= ]]> </content> </file> <!-- pdns_froxlor.conf above connects over loopback (127.0.0.1:3306) as user powerdns to database pdns; gmysql-password is written empty and must be set by the admin to the password of the database they created, which is why the file is root:root mode 600. --> <command><![CDATA[systemctl restart pdns]]></command> </daemon> <!-- PowerDNS with the bind backend, same pdns.conf template as the gmysql variant. Differences visible in this copy, judging by the comment markers: launch=bind is active, setuid=pdns and setgid=pdns are active, and the allow-axfr-ips line is commented out. NOTE(review): confirm the AXFR restriction is meant to differ between the two variants. --> <daemon name="powerdns_bind" title="PowerDNS via bind-backend"> <install><![CDATA[zypper install pdns]]></install> <file name="/etc/pdns/pdns.conf" backup="true" chmod="600"> <content><![CDATA[ ################################# # allow-axfr-ips Allow zonetransfers only to these subnets # # allow-axfr-ips=127.0.0.0/8,::1,<NAMESERVERS_IP> # add these entries to the list if any speficied: <AXFRSERVERS> ################################# # allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # # allow-dnsupdate-from=127.0.0.0/8,::1 ################################# # allow-recursion List of subnets that are allowed to recurse # allow-recursion=127.0.0.1 ################################# # also-notify When notifying a domain, also notify these nameservers # # also-notify= ################################# # any-to-tcp Answer ANY queries with tc=1, shunting to TCP # # any-to-tcp=no ################################# # cache-ttl Seconds to store packets in the PacketCache # # cache-ttl=20 ################################# # carbon-interval Number of seconds between carbon (graphite) updates # # carbon-interval=30 ################################# # carbon-ourname If set, overrides our reported hostname for carbon stats # # carbon-ourname= ################################# # carbon-server If set, send metrics in carbon (graphite) format to this server # # carbon-server= ################################# # chroot If set, chroot to this directory for more security # # chroot= ################################# # config-dir Location of configuration directory (pdns.conf) # # config-dir=/etc/pdns ################################# # config-name Name of this virtual configuration - will rename the binary image # # config-name= 
################################# # control-console Debugging switch - don't use # # control-console=no ################################# # daemon Operate as a daemon # # daemon=no ################################# # default-ksk-algorithms Default KSK algorithms # # default-ksk-algorithms=rsasha256 ################################# # default-ksk-size Default KSK size (0 means default) # # default-ksk-size=0 ################################# # default-soa-mail mail address to insert in the SOA record if none set in the backend # # default-soa-mail= ################################# # default-soa-name name to insert in the SOA record if none set in the backend # # default-soa-name=a.misconfigured.powerdns.server ################################# # default-ttl Seconds a result is valid if not set otherwise # # default-ttl=3600 ################################# # default-zsk-algorithms Default ZSK algorithms # # default-zsk-algorithms=rsasha256 ################################# # default-zsk-size Default ZSK size (0 means default) # # default-zsk-size=0 ################################# # direct-dnskey Fetch DNSKEY RRs from backend during DNSKEY synthesis # # direct-dnskey=no ################################# # disable-axfr Disable zonetransfers but do allow TCP queries # # disable-axfr=no ################################# # disable-axfr-rectify Disable the rectify step during an outgoing AXFR. Only required for regression testing. 
# # disable-axfr-rectify=no ################################# # disable-tcp Do not listen to TCP queries # # disable-tcp=no ################################# # distributor-threads Default number of Distributor (backend) threads to start # # distributor-threads=3 ################################# # do-ipv6-additional-processing Do AAAA additional processing # # do-ipv6-additional-processing=yes ################################# # edns-subnet-processing If we should act on EDNS Subnet options # # edns-subnet-processing=no ################################# # entropy-source If set, read entropy from this file # # entropy-source=/dev/urandom ################################# # experimental-api-key REST API Static authentication key (required for API use) # # experimental-api-key= ################################# # experimental-api-readonly If the JSON API should disallow data modification # # experimental-api-readonly=no ################################# # experimental-dname-processing If we should support DNAME records # # experimental-dname-processing=no ################################# # experimental-dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no. # # experimental-dnsupdate=no ################################# # experimental-json-interface If the webserver should serve JSON data # # experimental-json-interface=no ################################# # experimental-logfile Filename of the log file for JSON parser # # experimental-logfile=/var/log/pdns.log ################################# # forward-dnsupdate A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master. 
# # forward-dnsupdate=yes ################################# # guardian Run within a guardian process # # guardian=no ################################# # include-dir Include *.conf files from this directory # # include-dir= ################################# # launch Which backends to launch and order to query them in # # launch= launch=bind ################################# # load-modules Load this module - supply absolute or relative path # # load-modules= ################################# # local-address Local IP addresses to which we bind # local-address=<SERVERIP>,127.0.0.1 ################################# # local-address-nonexist-fail Fail to start if one or more of the local-address's do not exist on this server # # local-address-nonexist-fail=yes ################################# # local-ipv6 Local IP address to which we bind # # local-ipv6= ################################# # local-ipv6-nonexist-fail Fail to start if one or more of the local-ipv6 addresses do not exist on this server # # local-ipv6-nonexist-fail=yes ################################# # local-port The port on which we listen # # local-port=53 ################################# # log-dns-details If PDNS should log DNS non-erroneous details # # log-dns-details=no ################################# # log-dns-queries If PDNS should log all incoming DNS queries # # log-dns-queries=no ################################# # logging-facility Log under a specific facility # # logging-facility= ################################# # loglevel Amount of logging. Higher is more. 
Do not set below 3 # # loglevel=4 ################################# # lua-prequery-script Lua script with prequery handler # # lua-prequery-script= ################################# # master Act as a master # master=yes ################################# # max-cache-entries Maximum number of cache entries # # max-cache-entries=1000000 ################################# # max-ent-entries Maximum number of empty non-terminals in a zone # # max-ent-entries=100000 ################################# # max-nsec3-iterations Limit the number of NSEC3 hash iterations # # max-nsec3-iterations=500 ################################# # max-queue-length Maximum queuelength before considering situation lost # # max-queue-length=5000 ################################# # max-signature-cache-entries Maximum number of signatures cache entries # # max-signature-cache-entries= ################################# # max-tcp-connections Maximum number of TCP connections # # max-tcp-connections=10 ################################# # module-dir Default directory for modules # # module-dir=/usr/lib/TRIPLET/pdns ################################# # negquery-cache-ttl Seconds to store negative query results in the QueryCache # # negquery-cache-ttl=60 ################################# # no-shuffle Set this to prevent random shuffling of answers - for regression testing # # no-shuffle=off ################################# # only-notify Only send AXFR NOTIFY to these IP addresses or netmasks # # only-notify=0.0.0.0/0,::/0 ################################# # out-of-zone-additional-processing Do out of zone additional processing # # out-of-zone-additional-processing=yes ################################# # overload-queue-length Maximum queuelength moving to packetcache only # # overload-queue-length=0 ################################# # pipebackend-abi-version Version of the pipe backend ABI # # pipebackend-abi-version=1 ################################# # prevent-self-notification Don't send notifications 
to what we think is ourself # # prevent-self-notification=yes ################################# # query-cache-ttl Seconds to store query results in the QueryCache # # query-cache-ttl=20 ################################# # query-local-address Source IP address for sending queries # # query-local-address=0.0.0.0 ################################# # query-local-address6 Source IPv6 address for sending queries # # query-local-address6=:: ################################# # query-logging Hint backends that queries should be logged # # query-logging=no ################################# # queue-limit Maximum number of milliseconds to queue a query # # queue-limit=1500 ################################# # receiver-threads Default number of receiver threads to start # # receiver-threads=1 ################################# # recursive-cache-ttl Seconds to store packets for recursive queries in the PacketCache # # recursive-cache-ttl=10 ################################# # recursor If recursion is desired, IP address of a recursing nameserver # # recursor=no ################################# # retrieval-threads Number of AXFR-retrieval threads for slave operation # # retrieval-threads=2 ################################# # reuseport Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket # # reuseport=no ################################# # security-poll-suffix Domain name from which to query security update notifications # # security-poll-suffix=secpoll.powerdns.com. 
################################# # send-root-referral Send out old-fashioned root-referral instead of ServFail in case of no authority # # send-root-referral=no ################################# # server-id Returned when queried for 'server.id' TXT or NSID, defaults to hostname - disabled or custom # # server-id= ################################# # setgid If set, change group id to this gid for more security # setgid=pdns ################################# # setuid If set, change user id to this uid for more security # setuid=pdns ################################# # signing-threads Default number of signer threads to start # # signing-threads=3 ################################# # slave Act as a slave # # slave=no ################################# # slave-cycle-interval Reschedule failed SOA serial checks once every .. seconds # # slave-cycle-interval=60 ################################# # slave-renotify If we should send out notifications for slaved updates # # slave-renotify=no ################################# # soa-expire-default Default SOA expire # # soa-expire-default=604800 ################################# # soa-minimum-ttl Default SOA minimum ttl # # soa-minimum-ttl=3600 ################################# # soa-refresh-default Default SOA refresh # # soa-refresh-default=10800 ################################# # soa-retry-default Default SOA retry # # soa-retry-default=3600 ################################# # socket-dir Where the controlsocket will live # # socket-dir=/var/run ################################# # tcp-control-address If set, PowerDNS can be controlled over TCP on this address # # tcp-control-address= ################################# # tcp-control-port If set, PowerDNS can be controlled over TCP on this address # # tcp-control-port=53000 ################################# # tcp-control-range If set, remote control of PowerDNS is possible over these networks only # # tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 
::1/128, fe80::/10 ################################# # tcp-control-secret If set, PowerDNS can be controlled over TCP after passing this secret # # tcp-control-secret= ################################# # traceback-handler Enable the traceback handler (Linux only) # # traceback-handler=yes ################################# # trusted-notification-proxy IP address of incoming notification proxy # # trusted-notification-proxy= ################################# # udp-truncation-threshold Maximum UDP response size before we truncate # # udp-truncation-threshold=1680 ################################# # version-string PowerDNS version in packets - full, anonymous, powerdns or custom # version-string=powerdns ################################# # webserver Start a webserver for monitoring # # webserver=no ################################# # webserver-address IP Address of webserver to listen on # # webserver-address=127.0.0.1 ################################# # webserver-allow-from Webserver access is only allowed from these subnets # # webserver-allow-from=0.0.0.0/0,::/0 ################################# # webserver-password Password required for accessing the webserver # # webserver-password= ################################# # webserver-port Port of webserver to listen on # # webserver-port=8081 ################################# # webserver-print-arguments If the webserver should print arguments # # webserver-print-arguments=no # include froxlor-bind-specific config include-dir=/etc/pdns/froxlor/ ]]> </content> </file> <command><![CDATA[mkdir -p /etc/pdns/froxlor/]]></command> <file name="/etc/pdns/froxlor/pdns_froxlor.conf" chown="root:root" chmod="600"> <content><![CDATA[ # Bind backend configuration # Location of the Bind configuration file to parse. bind-config=<BIND_CONFIG_PATH>named.conf # How often to check for zone changes. See 'Operation' section. bind-check-interval=180 # Uncomment to enable Huffman compression on zone data. 
# Currently saves around 20% of memory actually used, but slows down operation. # bind-enable-huffman ]]> </content> </file> <command><![CDATA[systemctl restart pdns]]></command> </daemon> </service> <!-- SMTP services --> <service type="smtp" title="{{lng.admin.configfiles.smtp}}"> <!-- general SMTP commands --> <general> <commands index="1"> <command> <visibility mode="groupnotexists">{{settings.system.vmail_gid}} </visibility> <content><![CDATA[groupadd -g {{settings.system.vmail_gid}} vmail]]></content> </command> <command> <visibility mode="usernotexists">{{settings.system.vmail_uid}} </visibility> <content><![CDATA[useradd -u {{settings.system.vmail_uid}} -g vmail vmail]]></content> </command> </commands> <installs index="1"> <install><![CDATA[zypper install postfix]]></install> </installs> <commands index="2"> <command><![CDATA[mkdir -p /var/spool/postfix/etc/pam.d]]></command> <command><![CDATA[mkdir -p /var/spool/postfix/var/run/mysqld]]></command> <command><![CDATA[mkdir -p {{settings.system.vmail_homedir}}]]></command> <command><![CDATA[chown -R {{settings.system.vmail_uid}}:{{settings.system.vmail_gid}} {{settings.system.vmail_homedir}}]]></command> <command><![CDATA[chmod 0750 {{settings.system.vmail_homedir}}]]></command> </commands> <files index="0"> <file name="/etc/postfix/mysql_virtual_alias_maps.cf" chown="root:postfix" chmod="0640"> <content><![CDATA[ user = <SQL_UNPRIVILEGED_USER> password = <SQL_UNPRIVILEGED_PASSWORD> dbname = <SQL_DB> hosts = <SQL_HOST> query = SELECT destination FROM mail_virtual WHERE email = '%s' AND trim(destination) <> '' ]]> </content> </file> <file name="/etc/postfix/mysql_virtual_domains_maps.cf" chown="root:postfix" chmod="0640"> <content><![CDATA[ user = <SQL_UNPRIVILEGED_USER> password = <SQL_UNPRIVILEGED_PASSWORD> dbname = <SQL_DB> hosts = <SQL_HOST> query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' ]]> </content> </file> <file name="/etc/postfix/mysql_virtual_mailbox_maps.cf" 
chown="root:postfix" chmod="0640"> <content><![CDATA[ user = <SQL_UNPRIVILEGED_USER> password = <SQL_UNPRIVILEGED_PASSWORD> dbname = <SQL_DB> expansion_limit = 1 hosts = <SQL_HOST> query = SELECT CONCAT(homedir,maildir) FROM mail_users WHERE email = '%s' ]]> </content> </file> <file name="/etc/postfix/mysql_virtual_sender_permissions.cf" chown="root:postfix" chmod="0640"> <content><![CDATA[ user = <SQL_UNPRIVILEGED_USER> password = <SQL_UNPRIVILEGED_PASSWORD> dbname = <SQL_DB> hosts = <SQL_HOST> query = SELECT DISTINCT username FROM mail_users WHERE email in ((SELECT mail_virtual.email_full FROM mail_virtual WHERE mail_virtual.email = '%s' UNION SELECT mail_virtual.destination FROM mail_virtual WHERE mail_virtual.email = '%s')); ]]> </content> </file> <file name="/etc/postfix/mysql_virtual_uid_maps.cf" chown="root:postfix" chmod="0640"> <content><![CDATA[ user = <SQL_UNPRIVILEGED_USER> password = <SQL_UNPRIVILEGED_PASSWORD> dbname = <SQL_DB> expansion_limit = 1 hosts = <SQL_HOST> query = SELECT uid FROM mail_users WHERE email = '%s' ]]> </content> </file> <file name="/etc/postfix/mysql_virtual_gid_maps.cf" chown="root:postfix" chmod="0640"> <content><![CDATA[ user = <SQL_UNPRIVILEGED_USER> password = <SQL_UNPRIVILEGED_PASSWORD> dbname = <SQL_DB> expansion_limit = 1 hosts = <SQL_HOST> query = SELECT gid FROM mail_users WHERE email = '%s' ]]> </content> </file> <file name="/etc/aliases" backup="true"> <content><![CDATA[ # /etc/aliases mailer-daemon: postmaster postmaster: root nobody: root hostmaster: root usenet: root news: root webmaster: root www: root ftp: root abuse: root noc: root security: root # change this to a valid e-mail address you can access root: root@<SERVERNAME> ]]> </content> </file> </files> <commands index="3"> <command><![CDATA[newaliases]]></command> <command><![CDATA[systemctl enable postfix.service]]></command> <command><![CDATA[systemctl reload-or-restart postfix.service]]></command> </commands> </general> <!-- postfix with dovecot --> 
<daemon name="postfix_dovecot" version="2.11" title="Postfix with dovecot" default="true"> <include>//service[@type='smtp']/general/commands[@index=1] </include> <include>//service[@type='smtp']/general/installs[@index=1] </include> <include>//service[@type='smtp']/general/commands[@index=2] </include> <file name="/etc/postfix/main.cf" chown="root:root" chmod="0644" backup="true"> <content><![CDATA[ ## General Postfix configuration # FQDN from Froxlor mydomain = <SERVERNAME> # set myhostname to $mydomain because Froxlor already uses a FQDN myhostname = $mydomain mydestination = $myhostname, $mydomain, localhost.$myhostname, localhost.$mydomain, localhost mynetworks = 127.0.0.0/8 inet_interfaces = all append_dot_mydomain = no biff = no # Postfix performance settings default_destination_concurrency_limit = 20 local_destination_concurrency_limit = 2 # SMTPD Settings smtpd_banner = $myhostname ESMTP $mail_name smtpd_helo_required = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_recipient smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unknown_helo_hostname, reject_unknown_recipient_domain, reject_unknown_sender_domain smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname # Postfix 2.10 requires this option. Postfix < 2.10 ignores this. # The option is intentionally left empty. 
smtpd_relay_restrictions = # Maximum size of Message in bytes (50MB) message_size_limit = 52428800 mailbox_size_limit = 0 ## SASL Auth Settings smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $myhostname broken_sasl_auth_clients = yes ## Dovecot Settings for deliver, SASL Auth and virtual transport smtpd_sasl_type = dovecot mailbox_command = /usr/lib/dovecot/deliver virtual_transport = dovecot dovecot_destination_recipient_limit = 1 smtpd_sasl_path = private/auth # Virtual delivery settings virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf smtpd_sender_login_maps = mysql:/etc/postfix/mysql_virtual_sender_permissions.cf # Local delivery settings local_transport = local alias_maps = $alias_database ### TLS settings ### ## TLS for outgoing mails from the server to another server #smtp_tls_security_level = may #smtp_tls_note_starttls_offer = yes ## TLS for incoming connections (clients or other mail servers) #smtpd_tls_security_level = may #smtpd_tls_cert_file = /etc/ssl/server/<SERVERNAME>.pem #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt #smtpd_tls_loglevel = 1 #smtpd_tls_received_header = yes debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 ]]> </content> </file> <include>//service[@type='smtp']/general/files[@index=0]</include> <file name="/etc/postfix/master.cf" chown="root:root" chmod="0644" backup="true" mode="append"> <content><![CDATA[ # added for Froxlor dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient} ]]> </content> </file> <include>//service[@type='smtp']/general/commands[@index=3] </include> </daemon> </service> <!-- IMAP/POP3 services --> <service type="mail" title="{{lng.admin.configfiles.mail}}"> <!-- Dovecot --> <daemon 
name="dovecot" version="2.2" title="Dovecot" default="true"> <install><![CDATA[zypper install dovecot dovecot-mysql dovecot-pigeonhole]]></install> <file name="/etc/dovecot/dovecot.conf" chown="root:root" chmod="0644" backup="true"> <content><![CDATA[ ## Dovecot configuration file # If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration # "doveconf -n" command gives a clean output of the changed settings. Use it # instead of copy&pasting files when posting to the Dovecot mailing list. # '#' character and everything after it is treated as comments. Extra spaces # and tabs are ignored. If you want to use either of these explicitly, put the # value inside quotes, eg.: key = "# char and trailing whitespace " # Most (but not all) settings can be overridden by different protocols and/or # source/destination IPs by placing the settings inside sections, for example: # protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { } # Default values are shown for each setting, it's not required to uncomment # those. These are exceptions to this though: No sections (e.g. namespace {}) # or plugin settings are added by default, they're listed only as examples. # Paths are also just examples with the real defaults being based on configure # options. The paths listed here are for configure --prefix=/usr # --sysconfdir=/etc --localstatedir=/var # Protocols we want to be serving. protocols = imap pop3 sieve <SSLPROTOCOLS> #protocols = imap pop3 lmtp #protocols = imap pop3 lmtp sieve # A comma separated list of IPs or hosts where to listen in for connections. # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces. # If you want to specify non-default ports or anything more complex, # edit conf.d/master.conf. listen = *, :: # Base directory where to store runtime data. base_dir = /var/run/dovecot/ # Name of this instance. 
In multi-instance setup doveadm and other commands # can use -i <instance_name> to select which instance is used (an alternative # to -c <config_path>). The instance name is also added to Dovecot processes # in ps output. #instance_name = dovecot # Greeting message for clients. login_greeting = Dovecot ready. # Space separated list of trusted network ranges. Connections from these # IPs are allowed to override their IP addresses and ports (for logging and # for authentication checks). disable_plaintext_auth is also ignored for # these networks. Typically you'd specify your IMAP proxy servers here. #login_trusted_networks = # Space separated list of login access check sockets (e.g. tcpwrap) #login_access_sockets = # With proxy_maybe=yes if proxy destination matches any of these IPs, don't do # proxying. This isn't necessary normally, but may be useful if the destination # IP is e.g. a load balancer's IP. #auth_proxy_self = # Show more verbose process titles (in ps). Currently shows user name and # IP address. Useful for seeing who are actually using the IMAP processes # (eg. shared mailboxes or if same uid is used for multiple accounts). #verbose_proctitle = no # Should all processes be killed when Dovecot master process shuts down. # Setting this to "no" means that Dovecot can be upgraded without # forcing existing client connections to close (although that could also be # a problem if the upgrade is e.g. because of a security fix). shutdown_clients = yes # If non-zero, run mail commands via this many connections to doveadm server, # instead of running them directly in the same process. #doveadm_worker_count = 0 # UNIX socket or host:port used for connecting to doveadm server #doveadm_socket_path = doveadm-server # Space separated list of environment variables that are preserved on Dovecot # startup and passed down to all of its child processes. You can also give # key=value pairs to always set specific settings. 
#import_environment = TZ ## ## Dictionary server settings ## # Dictionary can be used to store key=value lists. This is used by several # plugins. The dictionary can be accessed either directly or through a # dictionary server. The following dict block maps dictionary names to URIs # when the server is used. These can then be referenced using URIs in format # "proxy::<name>". dict { #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext } # Most of the actual configuration gets included below. The filenames are # first sorted by their ASCII value and parsed in that order. The 00-prefixes # in filenames are intended to make it easier to understand the ordering. !include conf.d/*.conf # A config file can also be included without giving an error if # it's not found: #!include_try /etc/dovecot/local.conf ]]> </content> </file> <file name="/etc/dovecot/conf.d/10-auth.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ ## ## Authentication processes ## # Disable LOGIN command and all other plaintext authentications unless # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP # matches the local IP (ie. you're connecting from the same computer), the # connection is considered secure and plaintext authentication is allowed. # See also ssl=required setting. #disable_plaintext_auth = yes # With "no", plaintext authentication is also accepted on connections # that are not protected by SSL/TLS. disable_plaintext_auth = no # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. #auth_cache_size = 0 # Time to live for cached data. After TTL expires the cached record is no # longer used, *except* if the main database lookup returns internal failure. # We also try to handle password changes automatically: If user's previous # authentication was successful, but this one wasn't, the cache isn't used. # For now this works only with plaintext authentication. 
#auth_cache_ttl = 1 hour # TTL for negative hits (user not found, password mismatch). # 0 disables caching them completely. #auth_cache_negative_ttl = 1 hour # Space separated list of realms for SASL authentication mechanisms that need # them. You can leave it empty if you don't want to support multiple realms. # Many clients simply use the first one listed here, so keep the default realm # first. #auth_realms = # Default realm/domain to use if none was specified. This is used for both # SASL realms and appending @domain to username in plaintext logins. #auth_default_realm = # List of allowed characters in username. If the user-given username contains # a character not listed in here, the login automatically fails. This is just # an extra check to make sure user can't exploit any potential quote escaping # vulnerabilities with SQL/LDAP databases. If you want to allow all characters, # set this value to empty. auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ # Username character translations before it's looked up from databases. The # value contains series of from -> to characters. For example "#@/@" means # that '#' and '/' characters are translated to '@'. #auth_username_translation = # Username formatting before it's looked up from databases. You can use # the standard variables here, eg. %Lu would lowercase the username, %n would # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into # "-AT-". This translation is done after auth_username_translation changes. #auth_username_format = %Lu # If you want to allow master users to log in by specifying the master # username within the normal username string (ie. not using SASL mechanism's # support for it), you can specify the separator character here. The format # is then <username><separator><master username>. UW-IMAP uses "*" as the # separator, so that could be a good choice. 
#auth_master_user_separator = # Username to use for users logging in with ANONYMOUS SASL mechanism #auth_anonymous_username = anonymous # Maximum number of dovecot-auth worker processes. They're used to execute # blocking passdb and userdb queries (eg. MySQL and PAM). They're # automatically created and destroyed as needed. #auth_worker_max_count = 30 # Host name to use in GSSAPI principal names. The default is to use the # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab # entries. #auth_gssapi_hostname = # Kerberos keytab to use for the GSSAPI mechanism. Will use the system # default (usually /etc/krb5.keytab) if not specified. You may need to change # the auth service to run as root to be able to read this file. #auth_krb5_keytab = # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt> #auth_use_winbind = no # Path for Samba's ntlm_auth helper binary. #auth_winbind_helper_path = /usr/bin/ntlm_auth # Time to delay before replying to failed authentications. #auth_failure_delay = 2 secs # Require a valid SSL client certificate or the authentication fails. #auth_ssl_require_client_cert = no # Take the username from client's SSL certificate, using # X509_NAME_get_text_by_NID() which returns the subject's DN's # CommonName. #auth_ssl_username_from_cert = no # Space separated list of wanted authentication mechanisms: # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey # gss-spnego # NOTE: See also disable_plaintext_auth setting. auth_mechanisms = plain ## ## Password and user databases ## # # Password database is used to verify user's password (and nothing more). # You can have multiple passdbs and userdbs. This is useful if you want to # allow both system users (/etc/passwd) and virtual users to login without # duplicating the system users into virtual database. 
# # <doc/wiki/PasswordDatabase.txt> # # User database specifies where mails are located and what user/group IDs # own them. For single-UID configuration use "static" userdb. # # <doc/wiki/UserDatabase.txt> #!include auth-deny.conf.ext #!include auth-master.conf.ext #!include auth-system.conf.ext !include auth-sql.conf.ext #!include auth-ldap.conf.ext #!include auth-passwdfile.conf.ext #!include auth-checkpassword.conf.ext #!include auth-vpopmail.conf.ext #!include auth-static.conf.ext ]]> </content> </file> <file name="/etc/dovecot/conf.d/10-logging.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ ## ## Log destination. ## # Log file to use for error messages. "syslog" logs to syslog, # /dev/stderr logs to stderr. log_path = syslog # Log file to use for informational messages. Defaults to log_path. #info_log_path = # Log file to use for debug messages. Defaults to info_log_path. #debug_log_path = # Syslog facility to use if you're logging to syslog. Usually if you don't # want to use "mail", you'll use local0..local7. Also other standard # facilities are supported. syslog_facility = mail ## ## Logging verbosity and debugging. ## # Log unsuccessful authentication attempts and the reasons why they failed. #auth_verbose = no # In case of password mismatches, log the attempted password. Valid values are # no, plain and sha1. sha1 can be useful for detecting brute force password # attempts vs. user simply trying the same password over and over again. # You can also truncate the value to n chars by appending ":n" (e.g. sha1:6). #auth_verbose_passwords = no # Even more verbose logging for debugging purposes. Shows for example SQL # queries. #auth_debug = no # In case of password mismatches, log the passwords and used scheme so the # problem can be debugged. Enabling this also enables auth_debug. #auth_debug_passwords = no # Enable mail process debugging. This can help you figure out why Dovecot # isn't finding your mails. 
#mail_debug = no # Show protocol level SSL errors. #verbose_ssl = no # mail_log plugin provides more event logging for mail processes. plugin { # Events to log. Also available: flag_change append #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename # Available fields: uid, box, msgid, from, subject, size, vsize, flags # size and vsize are available only for expunge and copy events. #mail_log_fields = uid box msgid size } ## ## Log formatting. ## # Prefix for each line written to log file. % codes are in strftime(3) # format. #log_timestamp = "%b %d %H:%M:%S " # Space-separated list of elements we want to log. The elements which have # a non-empty variable value are joined together to form a comma-separated # string. #login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c # Login log format. %s contains login_log_format_elements string, %$ contains # the data we want to log. #login_log_format = %$: %s # Log prefix for mail processes. See doc/wiki/Variables.txt for list of # possible variables you can use. #mail_log_prefix = "%s(%u): " # Format to use for logging mail deliveries. You can use variables: # %$ - Delivery status message (e.g. "saved to INBOX") # %m - Message-ID # %s - Subject # %f - From address # %p - Physical size # %w - Virtual size #deliver_log_format = msgid=%m: %$ ]]> </content> </file> <file name="/etc/dovecot/conf.d/10-mail.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ ## ## Mailbox locations and namespaces ## # Location for users' mailboxes. The default is empty, which means that Dovecot # tries to find the mailboxes automatically. This won't work if the user # doesn't yet have any mail, so you should explicitly tell Dovecot the full # location. # # If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u) # isn't enough. You'll also need to tell Dovecot where the other mailboxes are # kept. 
This is called the "root mail directory", and it must be the first # path given in the mail_location setting. # # There are a few special variables you can use, eg.: # # %u - username # %n - user part in user@domain, same as %u if there's no domain # %d - domain part in user@domain, empty if there's no domain # %h - home directory # # See doc/wiki/Variables.txt for full list. Some examples: # # mail_location = maildir:~/Maildir # mail_location = mbox:~/mail:INBOX=/var/mail/%u # mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n # # <doc/wiki/MailLocation.txt> # mail_location = maildir:/var/vmail/%d/%u # ########################## TODO # If you need to set multiple mailbox locations or want to change default # namespace settings, you can do it by defining namespace sections. # # You can have private, shared and public namespaces. Private namespaces # are for user's personal mails. Shared namespaces are for accessing other # users' mailboxes that have been shared. Public namespaces are for shared # mailboxes that are managed by sysadmin. If you create any shared or public # namespaces you'll typically want to enable ACL plugin also, otherwise all # users can access all the shared mailboxes, assuming they have permissions # on filesystem level to do so. namespace inbox { # Namespace type: private, shared or public #type = private # Hierarchy separator to use. You should use the same separator for all # namespaces or some clients get confused. '/' is usually a good one. # The default however depends on the underlying mail storage format. #separator = # Prefix required to access this namespace. This needs to be different for # all namespaces. For example "Public/". #prefix = # Physical location of the mailbox. This is in same format as # mail_location, which is also the default for it. #location = # There can be only one INBOX, and this setting defines which namespace # has it. 
inbox = yes # If namespace is hidden, it's not advertised to clients via NAMESPACE # extension. You'll most likely also want to set list=no. This is mostly # useful when converting from another server with different namespaces which # you want to deprecate but still keep working. For example you can create # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". #hidden = no # Show the mailboxes under this namespace with LIST command. This makes the # namespace visible for clients that don't support NAMESPACE extension. # "children" value lists child mailboxes, but hides the namespace prefix. #list = yes # Namespace handles its own subscriptions. If set to "no", the parent # namespace handles them (empty prefix should always have this as "yes") #subscriptions = yes } # Example shared namespace configuration #namespace { #type = shared #separator = / # Mailboxes are visible under "shared/user@domain/" # %%n, %%d and %%u are expanded to the destination user. #prefix = shared/%%u/ # Mail location for other users' mailboxes. Note that %variables and ~/ # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the # destination user's data. #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u # Use the default namespace for saving subscriptions. #subscriptions = no # List the shared/ namespace only if there are visible shared mailboxes. #list = children #} # Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? #mail_shared_explicit_inbox = no # System user and group used to access mails. If you use multiple, userdb # can override these by returning uid or gid fields. You can use either numbers # or names. <doc/wiki/UserIds.txt> #mail_uid = #mail_gid = # Group to enable temporarily for privileged operations. Currently this is # used only with INBOX when either its initial creation or dotlocking fails. # Typically this is set to "mail" to give access to /var/mail. 
#mail_privileged_group = # Grant access to these supplementary groups for mail processes. Typically # these are used to set up access to shared mailboxes. Note that it may be # dangerous to set these if users can create symlinks (e.g. if "mail" group is # set here, ln -s /var/mail ~/mail/var could allow a user to delete others' # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). #mail_access_groups = vmail # Allow full filesystem access to clients. There's no access checks other than # what the operating system does for the active UID/GID. It works with both # maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ # or ~user/. #mail_full_filesystem_access = no # Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but # soon intended to be used by METADATA as well. #mail_attribute_dict = ## ## Mail processes ## # Don't use mmap() at all. This is required if you store indexes to shared # filesystems (NFS or clustered filesystem). #mmap_disable = no # Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL # since version 3, so this should be safe to use nowadays by default. #dotlock_use_excl = yes # When to use fsync() or fdatasync() calls: # optimized (default): Whenever necessary to avoid losing important data # always: Useful with e.g. NFS when write()s are delayed # never: Never use it (best performance, but crashes can lose data) #mail_fsync = optimized # Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches # whenever needed. If you're using only a single mail server this isn't needed. #mail_nfs_storage = no # Mail index files also exist in NFS. Setting this to yes requires # mmap_disable=yes and fsync_disable=no. #mail_nfs_index = no # Locking method for index files. Alternatives are fcntl, flock and dotlock. # Dotlocking uses some tricks which may create more disk I/O than other locking # methods. 
NFS users: flock doesn't work, remember to change mmap_disable. #lock_method = fcntl # Directory in which LDA/LMTP temporarily stores incoming mails >128 kB. #mail_temp_dir = /tmp # Valid UID range for users, defaults to 500 and above. This is mostly # to make sure that users can't log in as daemons or other system users. # Note that denying root logins is hardcoded to dovecot binary and can't # be done even if first_valid_uid is set to 0. first_valid_uid = 150 last_valid_uid = 150 # Valid GID range for users, defaults to non-root/wheel. Users having # non-valid GID as primary group ID aren't allowed to log in. If user # belongs to supplementary groups with non-valid GIDs, those groups are # not set. first_valid_gid = 12 last_valid_gid = 12 # Maximum allowed length for mail keyword name. It's only forced when trying # to create new keywords. #mail_max_keyword_length = 50 # ':' separated list of directories under which chrooting is allowed for mail # processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too). # This setting doesn't affect login_chroot, mail_chroot or auth chroot # settings. If this setting is empty, "/./" in home dirs are ignored. # WARNING: Never add directories here which local users can modify, that # may lead to root exploit. Usually this should be done only if you don't # allow shell access for users. <doc/wiki/Chrooting.txt> #valid_chroot_dirs = # Default chroot directory for mail processes. This can be overridden for # specific users in user database by giving /./ in user's home directory # (eg. /home/./user chroots into /home). Note that usually there is no real # need to do chrooting, Dovecot doesn't allow users to access files outside # their mail directory anyway. If your home directories are prefixed with # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt> #mail_chroot = # UNIX socket path to master authentication server to find users. # This is used by imap (for shared users) and lda. 
#auth_socket_path = /var/run/dovecot/auth-userdb # Directory where to look up mail plugins. #mail_plugin_dir = /usr/lib/dovecot # Space separated list of plugins to load for all services. Plugins specific to # IMAP, LDA, etc. are added to this list in their own .conf files. #mail_plugins = ## ## Mailbox handling optimizations ## # Mailbox list indexes can be used to optimize IMAP STATUS commands. They are # also required for IMAP NOTIFY extension to be enabled. #mailbox_list_index = no # The minimum number of mails in a mailbox before updates are done to cache # file. This allows optimizing Dovecot's behavior to do less disk writes at # the cost of more disk reads. #mail_cache_min_mail_count = 0 # When IDLE command is running, mailbox is checked once in a while to see if # there are any new mails or other changes. This setting defines the minimum # time to wait between those checks. Dovecot can also use dnotify, inotify and # kqueue to find out immediately when changes occur. #mailbox_idle_check_interval = 30 secs # Save mails with CR+LF instead of plain LF. This makes sending those mails # take less CPU, especially with sendfile() syscall with Linux and FreeBSD. # But it also creates a bit more disk I/O which may just make it slower. # Also note that if other software reads the mboxes/maildirs, they may handle # the extra CRs wrong and cause problems. #mail_save_crlf = no # Max number of mails to keep open and prefetch to memory. This only works with # some mailbox formats and/or operating systems. #mail_prefetch_count = 0 # How often to scan for stale temporary files and delete them (0 = never). # These should exist only after Dovecot dies in the middle of saving mails. #mail_temp_scan_interval = 1w ## ## Maildir-specific settings ## # By default LIST command returns all entries in maildir beginning with a dot. # Enabling this option makes Dovecot return only entries which are directories. # This is done by stat()ing each entry, so it causes more disk I/O. 
# (For systems setting struct dirent->d_type, this check is free and it's # done always regardless of this setting) #maildir_stat_dirs = no # When copying a message, do it with hard links whenever possible. This makes # the performance much better, and it's unlikely to have any side effects. #maildir_copy_with_hardlinks = yes # Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only # when its mtime changes unexpectedly or when we can't find the mail otherwise. #maildir_very_dirty_syncs = no # If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for # getting the mail's physical size, except when recalculating Maildir++ quota. # This can be useful in systems where a lot of the Maildir filenames have a # broken size. The performance hit for enabling this is very small. #maildir_broken_filename_sizes = no ## ## mbox-specific settings ## # Which locking methods to use for locking mbox. There are four available: # dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe # solution. If you want to use /var/mail/ like directory, the users # will need write access to that directory. # dotlock_try: Same as dotlock, but if it fails because of permissions or # because there isn't enough disk space, just skip it. # fcntl : Use this if possible. Works with NFS too if lockd is used. # flock : May not exist in all systems. Doesn't work with NFS. # lockf : May not exist in all systems. Doesn't work with NFS. # # You can use multiple locking methods; if you do the order they're declared # in is important to avoid deadlocks if other MTAs/MUAs are using multiple # locking methods as well. Some operating systems don't allow using some of # them simultaneously. #mbox_read_locks = fcntl #mbox_write_locks = dotlock fcntl mbox_write_locks = fcntl # Maximum time to wait for lock (all of them) before aborting. 
#mbox_lock_timeout = 5 mins # If dotlock exists but the mailbox isn't modified in any way, override the # lock file after this much time. #mbox_dotlock_change_timeout = 2 mins # When mbox changes unexpectedly we have to fully read it to find out what # changed. If the mbox is large this can take a long time. Since the change # is usually just a newly appended mail, it'd be faster to simply read the # new mails. If this setting is enabled, Dovecot does this but still safely # fallbacks to re-reading the whole mbox file whenever something in mbox isn't # how it's expected to be. The only real downside to this setting is that if # some other MUA changes message flags, Dovecot doesn't notice it immediately. # Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK # commands. #mbox_dirty_syncs = yes # Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE, # EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored. #mbox_very_dirty_syncs = no # Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK # commands and when closing the mailbox). This is especially useful for POP3 # where clients often delete all mails. The downside is that our changes # aren't immediately visible to other MUAs. #mbox_lazy_writes = yes # If mbox size is smaller than this (e.g. 100k), don't write index files. # If an index file already exists it's still read, just not updated. #mbox_min_index_size = 0 # Mail header selection algorithm to use for MD5 POP3 UIDLs when # pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired # algorithm, but it fails if the first Received: header isn't unique in all # mails. An alternative algorithm is "all" that selects all headers. #mbox_md5 = apop3d ## ## mdbox-specific settings ## # Maximum dbox file size until it's rotated. #mdbox_rotate_size = 2M # Maximum dbox file age until it's rotated. Typically in days. Day begins # from midnight, so 1d = today, 2d = yesterday, etc. 
0 = check disabled. #mdbox_rotate_interval = 0 # When creating new mdbox files, immediately preallocate their size to # mdbox_rotate_size. This setting currently works only in Linux with some # filesystems (ext4, xfs). #mdbox_preallocate_space = no ## ## Mail attachments ## # sdbox and mdbox support saving mail attachments to external files, which # also allows single instance storage for them. Other backends don't support # this for now. # Directory root where to store mail attachments. Disabled, if empty. #mail_attachment_dir = # Attachments smaller than this aren't saved externally. It's also possible to # write a plugin to disable saving specific attachments externally. #mail_attachment_min_size = 128k # Filesystem backend to use for saving attachments: # posix : No SiS done by Dovecot (but this might help FS's own deduplication) # sis posix : SiS with immediate byte-by-byte comparison during saving # sis-queue posix : SiS with delayed comparison and deduplication #mail_attachment_fs = sis posix # Hash format to use in attachment filenames. You can add any text and # variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}. # Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits #mail_attachment_hash = %{sha1} ]]> </content> </file> <file name="/etc/dovecot/conf.d/10-master.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ #default_process_limit = 100 #default_client_limit = 1000 # Default VSZ (virtual memory size) limit for service processes. This is mainly # intended to catch and kill processes that leak memory before they eat up # everything. #default_vsz_limit = 256M # Login user is internally used by login processes. This is the most untrusted # user in Dovecot system. It shouldn't have access to anything at all. #default_login_user = dovenull # Internal user is used by unprivileged processes. It should be separate from # login user, so that login processes can't disturb other processes. 
#default_internal_user = dovecot service imap-login { inet_listener imap { #port = 143 } inet_listener imaps { #port = 993 #ssl = yes } # Number of connections to handle before starting a new process. Typically # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 # is faster. <doc/wiki/LoginProcess.txt> #service_count = 1 # Number of processes to always keep waiting for more connections. #process_min_avail = 0 # If you set service_count=0, you probably need to grow this. #vsz_limit = $default_vsz_limit } service pop3-login { inet_listener pop3 { #port = 110 } inet_listener pop3s { #port = 995 #ssl = yes } } service lmtp { unix_listener lmtp { #mode = 0666 } # Create inet listener only if you can't use the above UNIX socket #inet_listener lmtp { # Avoid making LMTP visible for the entire internet #address = #port = #} } service imap { # Most of the memory goes to mmap()ing files. You may need to increase this # limit if you have huge mailboxes. #vsz_limit = $default_vsz_limit # Max. number of IMAP processes (connections) #process_limit = 1024 } service pop3 { # Max. number of POP3 processes (connections) #process_limit = 1024 } service auth { # auth_socket_path points to this userdb socket by default. It's typically # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have # full permissions to this socket are able to get a list of all usernames and # get the results of everyone's userdb lookups. # # The default 0666 mode allows anyone to connect to the socket, but the # userdb lookups will succeed only if the userdb returns an "uid" field that # matches the caller process's UID. Also if caller's uid or gid matches the # socket's uid or gid the lookup succeeds. Anything else causes a failure. # # To give the caller full permissions to lookup all users, set the mode to # something else than 0666 and Dovecot lets the kernel enforce the # permissions (e.g. 0777 allows everyone full permissions). 
unix_listener auth-userdb { #mode = 0666 #user = #group = } # Postfix smtp-auth. mode 0666 means the socket itself does not restrict who # may connect; the only protection is the enclosing private/ directory, so # verify that directory is not world-accessible before relying on this. unix_listener /var/spool/postfix/private/auth { mode = 0666 } # Auth process is run as this user. #user = $default_internal_user } service auth-worker { # Auth worker process is run as root by default, so that it can access # /etc/shadow. If this isn't necessary, the user should be changed to # $default_internal_user. # NOTE(review): the passdb/userdb are configured outside this file; if they # do not read /etc/shadow (e.g. a SQL backend), set user = $default_internal_user. #user = root } service dict { # If dict proxy is used, mail processes should have access to its socket. # For example: mode=0660, group=vmail and global mail_access_groups=vmail unix_listener dict { #mode = 0600 #user = #group = } } ]]> </content> </file> <file name="/etc/dovecot/conf.d/10-ssl.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ ## ## SSL settings ## # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> # NOTE: "no" (the value set below) disables TLS completely, so logins and mail # traffic are sent in cleartext. The following two notes describe "required": # disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps # plain imap and pop3 are still allowed for local connections # Enabling TLS requires ssl_cert/ssl_key below to point at a real certificate and key. ssl = no # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf #ssl_cert = </etc/pki/dovecot/certs/dovecot.pem #ssl_key = </etc/pki/dovecot/private/dovecot.pem # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often # world-readable, you may want to place this setting instead to a different # root owned 0600 file by using ssl_key_password = <path. #ssl_key_password = # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. 
ssl_ca = </etc/pki/dovecot/certs/ca.pem) #ssl_ca = # Require that CRL check succeeds for client certificates. #ssl_require_crl = yes # Directory and/or file for trusted SSL CA certificates. These are used only # when Dovecot needs to act as an SSL client (e.g. imapc backend). The # directory is usually /etc/pki/dovecot/certs in Debian-based systems and the file is # /etc/pki/tls/cert.pem in RedHat-based systems. #ssl_client_ca_dir = #ssl_client_ca_file = # Request client to send a certificate. If you also want to require it, set # auth_ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no # Which field from certificate to use for username. commonName and # x500UniqueIdentifier are the usual choices. You'll also need to set # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName # DH parameters length to use. The 1024-bit default is considered weak today; # prefer 2048 when TLS is enabled. #ssl_dh_parameters_length = 1024 # SSL protocols to use. The default only excludes SSLv2; SSLv3 should be # excluded as well (e.g. "!SSLv2 !SSLv3"). #ssl_protocols = !SSLv2 # SSL ciphers to use. Note that this default list still permits weak legacy # ciphers (e.g. RC4); tighten it when TLS is enabled. #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL # Prefer the server's order of ciphers over client's. Enabling this keeps a # client from steering negotiation toward a weaker cipher the server accepts. #ssl_prefer_server_ciphers = no # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = ]]> </content> </file> <file name="/etc/dovecot/conf.d/15-lda.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ ## ## LDA specific settings (also used by LMTP) ## # Address to use when sending rejection mails. # Default is postmaster@<your domain>. %d expands to recipient domain. postmaster_address = postmaster@<SERVERNAME> # Hostname to use in various parts of sent mails (e.g. in Message-Id) and # in LMTP replies. Default is the system's real hostname@domain. #hostname = # If user is over quota, return with temporary failure instead of # bouncing the mail. #quota_full_tempfail = no # Binary to use for sending mails. #sendmail_path = /usr/sbin/sendmail # If non-empty, send mails via this SMTP host[:port] instead of sendmail. #submission_host = # Subject: header to use for rejection mails. 
You can use the same variables # as for rejection_reason below. #rejection_subject = Rejected: %s # Human readable error message for rejection mails. You can use variables: # %n = CRLF, %r = reason, %s = original subject, %t = recipient #rejection_reason = Your message to <%t> was automatically rejected:%n%r # Delimiter character between local-part and detail in email address. #recipient_delimiter = + # Header where the original recipient address (SMTP's RCPT TO: address) is taken # from if not available elsewhere. With dovecot-lda -a parameter overrides this. # A commonly used header for this is X-Original-To. #lda_original_recipient_header = # Should saving a mail to a nonexistent mailbox automatically create it? #lda_mailbox_autocreate = no # Should automatically created mailboxes be also automatically subscribed? #lda_mailbox_autosubscribe = no protocol lda { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins quota sieve } ]]> </content> </file> <file name="/etc/dovecot/conf.d/15-mailboxes.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ ## ## Mailbox definitions ## # NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf. namespace inbox { #mailbox name { # auto=create will automatically create this mailbox. # auto=subscribe will both create and subscribe to the mailbox. #auto = no # Space separated list of IMAP SPECIAL-USE attributes as specified by # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash #special_use = #} # These mailboxes are widely used and could perhaps be created automatically: mailbox Drafts { special_use = \Drafts auto=subscribe } mailbox Junk { special_use = \Junk auto=subscribe } mailbox Trash { special_use = \Trash auto=subscribe } # For \Sent mailboxes there are two widely used names. We'll mark both of # them as \Sent. User typically deletes one of them if duplicates are created. 
mailbox Sent { special_use = \Sent auto=subscribe } #mailbox "Sent Messages" { # special_use = \Sent #} # If you have a virtual "All messages" mailbox: #mailbox virtual/All { # special_use = \All #} # If you have a virtual "Flagged" mailbox: #mailbox virtual/Flagged { # special_use = \Flagged #} } ]]> </content> </file> <file name="/etc/dovecot/conf.d/20-imap.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ ## ## IMAP specific settings ## # Maximum IMAP command line length. Some clients generate very long command # lines with huge mailboxes, so you may need to raise this if you get # "Too long argument" or "IMAP command line too large" errors often. #imap_max_line_length = 64k # IMAP logout format string: # %i - total number of bytes read from client # %o - total number of bytes sent to client imap_logout_format = in=%i out=%o # Override the IMAP CAPABILITY response. If the value begins with '+', # add the given capabilities on top of the defaults (e.g. +XFOO XBAR). #imap_capability = # How long to wait between "OK Still here" notifications when client is # IDLEing. #imap_idle_notify_interval = 2 mins # ID field names and values to send to clients. Using * as the value makes # Dovecot use the default value. The following fields have default values # currently: name, version, os, os-version, support-url, support-email. #imap_id_send = # ID fields sent by client to log. * means everything. #imap_id_log = # Workarounds for various client bugs: # delay-newmail: # Send EXISTS/RECENT new mail notifications only when replying to NOOP # and CHECK commands. Some clients ignore them otherwise, for example OSX # Mail (<v2.1). Outlook Express breaks more badly though, without this it # may show user "Message no longer in server" errors. Note that OE6 still # breaks even with this workaround if synchronization is set to # "Headers Only". 
# tb-extra-mailbox-sep: # Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and # adds extra '/' suffixes to mailbox names. This option causes Dovecot to # ignore the extra '/' instead of treating it as invalid mailbox name. # tb-lsub-flags: # Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox). # This makes Thunderbird realize they aren't selectable and show them # greyed out, instead of only later giving "not selectable" popup error. # # The list is space-separated. #imap_client_workarounds = # Host allowed in URLAUTH URLs sent by client. "*" allows all. #imap_urlauth_host = protocol imap { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins quota imap_quota # Maximum number of IMAP connections allowed for a user from each IP address. # NOTE: The username is compared case-sensitively. #mail_max_userip_connections = 10 } ]]> </content> </file> <file name="/etc/dovecot/conf.d/20-lmtp.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ ## ## LMTP specific settings ## # Support proxying to other LMTP/SMTP servers by performing passdb lookups. #lmtp_proxy = no # When recipient address includes the detail (e.g. user+detail), try to save # the mail to the detail mailbox. See also recipient_delimiter and # lda_mailbox_autocreate settings. #lmtp_save_to_detail_mailbox = no # Verify quota before replying to RCPT TO. This adds a small overhead. #lmtp_rcpt_check_quota = no protocol lmtp { # Space separated list of plugins to load (default is global mail_plugins). 
mail_plugins = $mail_plugins sieve } ]]> </content> </file> <file name="/etc/dovecot/conf.d/20-managesieve.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ ## ## ManageSieve specific settings ## # Uncomment to enable managesieve protocol: #protocols = $protocols sieve # Service definitions #service managesieve-login { #inet_listener sieve { # port = 4190 #} #inet_listener sieve_deprecated { # port = 2000 #} # Number of connections to handle before starting a new process. Typically # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 # is faster. <doc/wiki/LoginProcess.txt> #service_count = 1 # Number of processes to always keep waiting for more connections. #process_min_avail = 0 # If you set service_count=0, you probably need to grow this. #vsz_limit = 64M #} #service managesieve { # Max. number of ManageSieve processes (connections) #process_limit = 1024 #} # Service configuration protocol sieve { # Maximum ManageSieve command line length in bytes. ManageSieve usually does # not involve overly long command lines, so this setting will not normally # need adjustment #managesieve_max_line_length = 65536 # Maximum number of ManageSieve connections allowed for a user from each IP # address. # NOTE: The username is compared case-sensitively. #mail_max_userip_connections = 10 # Space separated list of plugins to load (none known to be useful so far). # Do NOT try to load IMAP plugins here. #mail_plugins = # MANAGESIEVE logout format string: # %i - total number of bytes read from client # %o - total number of bytes sent to client #managesieve_logout_format = bytes=%i/%o # To fool ManageSieve clients that are focused on CMU's timesieved you can # specify the IMPLEMENTATION capability that Dovecot reports to clients. # For example: 'Cyrus timsieved v2.2.13' #managesieve_implementation_string = Dovecot Pigeonhole # Explicitly specify the SIEVE and NOTIFY capability reported by the server # before login. 
If left unassigned these will be reported dynamically # according to what the Sieve interpreter supports by default (after login # this may differ depending on the user). #managesieve_sieve_capability = #managesieve_notify_capability = # The maximum number of compile errors that are returned to the client upon # script upload or script verification. #managesieve_max_compile_errors = 5 # Refer to 90-sieve.conf for script quota configuration and configuration of # Sieve execution limits. } ]]> </content> </file> <file name="/etc/dovecot/conf.d/20-pop3.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ ## ## POP3 specific settings ## # Don't try to set mails non-recent or seen with POP3 sessions. This is # mostly intended to reduce disk I/O. With maildir it doesn't move files # from new/ to cur/, with mbox it doesn't write Status-header. #pop3_no_flag_updates = no # Support LAST command which exists in old POP3 specs, but has been removed # from new ones. Some clients still wish to use this though. Enabling this # makes RSET command clear all \Seen flags from messages. #pop3_enable_last = no # If mail has X-UIDL header, use it as the mail's UIDL. #pop3_reuse_xuidl = no # Allow only one POP3 session to run simultaneously for the same user. #pop3_lock_session = no # POP3 requires message sizes to be listed as if they had CR+LF linefeeds. # Many POP3 servers violate this by returning the sizes with LF linefeeds, # because it's faster to get. When this setting is enabled, Dovecot still # tries to do the right thing first, but if that requires opening the # message, it fallbacks to the easier (but incorrect) size. #pop3_fast_size_lookups = no # POP3 UIDL (unique mail identifier) format to use. You can use following # variables, along with the variable modifiers described in # doc/wiki/Variables.txt (e.g. 
%Uf for the filename in uppercase) # # %v - Mailbox's IMAP UIDVALIDITY # %u - Mail's IMAP UID # %m - MD5 sum of the mailbox headers in hex (mbox only) # %f - filename (maildir only) # %g - Mail's GUID # # If you want UIDL compatibility with other POP3 servers, use: # UW's ipop3d : %08Xv%08Xu # Courier : %f or %v-%u (both might be used simultaneosly) # Cyrus (<= 2.1.3) : %u # Cyrus (>= 2.1.4) : %v.%u # Dovecot v0.99.x : %v.%u # tpop3d : %Mf # # Note that Outlook 2003 seems to have problems with %v.%u format which was # Dovecot's default, so if you're building a new server it would be a good # idea to change this. %08Xu%08Xv should be pretty fail-safe. # #pop3_uidl_format = %08Xu%08Xv # Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes # won't change those UIDLs. Currently this works only with Maildir. #pop3_save_uidl = no # What to do about duplicate UIDLs if they exist? # allow: Show duplicates to clients. # rename: Append a temporary -2, -3, etc. counter after the UIDL. #pop3_uidl_duplicates = allow # This option changes POP3 behavior so that it's not possible to actually # delete mails via POP3, only hide them from future POP3 sessions. The mails # will still be counted towards user's quota until actually deleted via IMAP. # Use e.g. "$POP3Deleted" as the value (it will be visible as IMAP keyword). # Make sure you can legally archive mails before enabling this setting. #pop3_deleted_flag = # POP3 logout format string: # %i - total number of bytes read from client # %o - total number of bytes sent to client # %t - number of TOP commands # %p - number of bytes sent to client as a result of TOP command # %r - number of RETR commands # %b - number of bytes sent to client as a result of RETR command # %d - number of deleted messages # %m - number of messages (before deletion) # %s - mailbox size in bytes (before deletion) # %u - old/new UIDL hash. 
may help finding out if UIDLs changed unexpectedly #pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s # Workarounds for various client bugs: # outlook-no-nuls: # Outlook and Outlook Express hang if mails contain NUL characters. # This setting replaces them with 0x80 character. # oe-ns-eoh: # Outlook Express and Netscape Mail breaks if end of headers-line is # missing. This option simply sends it if it's missing. # The list is space-separated. #pop3_client_workarounds = protocol pop3 { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins quota # Maximum number of POP3 connections allowed for a user from each IP address. # NOTE: The username is compared case-sensitively. #mail_max_userip_connections = 10 } ]]> </content> </file> <file name="/etc/dovecot/conf.d/90-sieve.conf" chown="root:0" chmod="0644" backup="true"> <content><![CDATA[ ## ## Settings for the Sieve interpreter ## # Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf # by adding it to the respective mail_plugins= settings. plugin { # The path to the user's main active script. If ManageSieve is used, this is the # location of the symbolic link controlled by ManageSieve. #sieve = ~/.dovecot.sieve # NOTE(review): %u is the full login name and becomes part of a filesystem path; # this relies on the auth settings (configured outside this file) keeping # characters such as '/' out of usernames. Confirm auth_username_chars there. sieve = /var/sieve-userscripts/script-%u.sieve # The default Sieve script when the user has none. This is a path to a global # sieve script file, which gets executed ONLY if user's private Sieve script # doesn't exist. Be sure to pre-compile this script manually using the sievec # command line tool. # --> See sieve_before for executing scripts before the user's personal # script. #sieve_default = /var/lib/dovecot/sieve/default.sieve sieve_global_path = /var/lib/dovecot/sieve/default.sieve # Directory for :personal include scripts for the include extension. This # is also where the ManageSieve service stores the user's scripts. 
#sieve_dir = ~/sieve sieve_dir = /var/sieve-userscripts/%u # Directory for :global include scripts for the include extension. #sieve_global_dir = sieve_global_dir = /var/lib/dovecot/sieve/global # Path to a script file or a directory containing script files that need to be # executed before the user's script. If the path points to a directory, all # the Sieve scripts contained therein (with the proper .sieve extension) are # executed. The order of execution within a directory is determined by the # file names, using a normal 8bit per-character comparison. Multiple script # file or directory paths can be specified by appending an increasing number. #sieve_before = #sieve_before2 = #sieve_before3 = (etc...) sieve_before = /var/lib/dovecot/sieve/before/ # Identical to sieve_before, only the specified scripts are executed after the # user's script (only when keep is still in effect!). Multiple script file or # directory paths can be specified by appending an increasing number. #sieve_after = #sieve_after2 = #sieve_after2 = (etc...) # Which Sieve language extensions are available to users. By default, all # supported extensions are available, except for deprecated extensions or # those that are still under development. Some system administrators may want # to disable certain Sieve extensions or enable those that are not available # by default. This setting can use '+' and '-' to specify differences relative # to the default. For example `sieve_extensions = +imapflags' will enable the # deprecated imapflags extension in addition to all extensions were already # enabled by default. #sieve_extensions = +notify +imapflags sieve_extensions = +spamtest +spamtestplus +relational +comparator-i;ascii-numeric +notify +imapflags # Which Sieve language extensions are ONLY available in global scripts. This # can be used to restrict the use of certain Sieve extensions to administrator # control, for instance when these extensions can cause security concerns. 
# This setting has higher precedence than the `sieve_extensions' setting # (above), meaning that the extensions enabled with this setting are never # available to the user's personal script no matter what is specified for the # `sieve_extensions' setting. The syntax of this setting is similar to the # `sieve_extensions' setting, with the difference that extensions are # enabled or disabled for exclusive use in global scripts. Currently, no # extensions are marked as such by default. #sieve_global_extensions = # The Pigeonhole Sieve interpreter can have plugins of its own. Using this # setting, the used plugins can be specified. Check the Dovecot wiki # (wiki2.dovecot.org) or the pigeonhole website # (http://pigeonhole.dovecot.org) for available plugins. # The sieve_extprograms plugin is included in this release. #sieve_plugins = # The separator that is expected between the :user and :detail # address parts introduced by the subaddress extension. This may # also be a sequence of characters (e.g. '--'). The current # implementation looks for the separator from the left of the # localpart and uses the first one encountered. The :user part is # left of the separator and the :detail part is right. This setting # is also used by Dovecot's LMTP service. #recipient_delimiter = + # The maximum size of a Sieve script. The compiler will refuse to compile any # script larger than this limit. If set to 0, no limit on the script size is # enforced. #sieve_max_script_size = 1M # The maximum number of actions that can be performed during a single script # execution. If set to 0, no limit on the total number of actions is enforced. #sieve_max_actions = 32 # The maximum number of redirect actions that can be performed during a single # script execution. If set to 0, no redirect actions are allowed. #sieve_max_redirects = 4 # The maximum number of personal Sieve scripts a single user can have. If set # to 0, no limit on the number of scripts is enforced. 
# (Currently only relevant for ManageSieve) #sieve_quota_max_scripts = 0 # The maximum amount of disk storage a single user's scripts may occupy. If # set to 0, no limit on the used amount of disk storage is enforced. # (Currently only relevant for ManageSieve) #sieve_quota_max_storage = 0 } ]]> </content> </file> <file name="/etc/dovecot/dovecot-sql.conf.ext" chown="root:0" chmod="0640"> <content><![CDATA[ # This file is opened as root, so it should be owned by root and mode 0600. # # http://wiki.dovecot.org/AuthDatabase/SQL # # For the sql passdb module, you'll need a database with a table that # contains fields for at least the username and password. If you want to # use the user@domain syntax, you might want to have a separate domain # field as well. # # If your users all have the same uig/gid, and have predictable home # directories, you can use the static userdb module to generate the home # dir based on the username and domain. In this case, you won't need fields # for home, uid, or gid in the database. # # If you prefer to use the sql userdb module, you'll want to add fields # for home, uid, and gid. Here is an example table: # # CREATE TABLE users ( # username VARCHAR(128) NOT NULL, # domain VARCHAR(128) NOT NULL, # password VARCHAR(64) NOT NULL, # home VARCHAR(255) NOT NULL, # uid INTEGER NOT NULL, # gid INTEGER NOT NULL, # active CHAR(1) DEFAULT 'Y' NOT NULL # ); # Database driver: mysql, pgsql, sqlite driver = mysql # Database connection string. This is driver-specific setting. # # HA / round-robin load-balancing is supported by giving multiple host # settings, like: host=sql1.host.org host=sql2.host.org # # pgsql: # For available options, see the PostgreSQL documention for the # PQconnectdb function of libpq. # Use maxconns=n (default 5) to change how many connections Dovecot can # create to pgsql. 
# # mysql: # Basic options emulate PostgreSQL option names: # host, port, user, password, dbname # # But also adds some new settings: # client_flags - See MySQL manual # ssl_ca, ssl_ca_path - Set either one or both to enable SSL # ssl_cert, ssl_key - For sending client-side certificates to server # ssl_cipher - Set minimum allowed cipher security (default: HIGH) # option_file - Read options from the given file instead of # the default my.cnf location # option_group - Read options from the given group (default: client) # # You can connect to UNIX sockets by using host: host=/var/run/mysql.sock # Note that currently you can't use spaces in parameters. # # sqlite: # The path to the database file. # # Examples: # connect = host=192.168.1.1 dbname=users # connect = host=sql.example.com dbname=virtual user=virtual password=blarg # connect = /etc/dovecot/authdb.sqlite # connect = host=<SQL_HOST> dbname=<SQL_DB> user=<SQL_UNPRIVILEGED_USER> password=<SQL_UNPRIVILEGED_PASSWORD> # Default password scheme. # # List of supported schemes is in # http://wiki.dovecot.org/Authentication/PasswordSchemes # default_pass_scheme = CRYPT # passdb query to retrieve the password. It can return fields: # password - The user's password. This field must be returned. # user - user@domain from the database. Needed with case-insensitive lookups. # username and domain - An alternative way to represent the "user" field. # # The "user" field is often necessary with case-insensitive lookups to avoid # e.g. "name" and "nAme" logins creating two different mail directories. If # your user and domain names are in separate fields, you can return "username" # and "domain" fields instead of "user". 
# # The query can also return other fields which have a special meaning, see # http://wiki.dovecot.org/PasswordDatabase/ExtraFields # # Commonly used available substitutions (see http://wiki.dovecot.org/Variables # for full list): # %u = entire user@domain # %n = user part of user@domain # %d = domain part of user@domain # # Note that these can be used only as input to SQL query. If the query outputs # any of these substitutions, they're not touched. Otherwise it would be # difficult to have eg. usernames containing '%' characters. # # Example: # password_query = SELECT userid AS user, pw AS password \ # FROM users WHERE userid = '%u' AND active = 'Y' # #password_query = \ # SELECT username, domain, password \ # FROM users WHERE username = '%n' AND domain = '%d' password_query = SELECT username AS user, password_enc AS password, CONCAT(homedir, maildir) AS userdb_home, uid AS userdb_uid, gid AS userdb_gid, CONCAT('maildir:', homedir, maildir) AS userdb_mail, CONCAT('*:storage=', quota, 'M') as userdb_quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') AND ((imap = 1 AND '%Ls' = 'imap') OR (pop3 = 1 AND '%Ls' = 'pop3') OR '%Ls' = 'smtp' OR '%Ls' = 'sieve') #password_query = SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1' # userdb query to retrieve the user information. It can return fields: # uid - System UID (overrides mail_uid setting) # gid - System GID (overrides mail_gid setting) # home - Home directory # mail - Mail location (overrides mail_location setting) # # None of these are strictly required. If you use a single UID and GID, and # home or mail directory fits to a template string, you could use userdb static # instead. 
For a list of all fields that can be returned, see # http://wiki.dovecot.org/UserDatabase/ExtraFields # # Examples: # user_query = SELECT home, uid, gid FROM users WHERE userid = '%u' # user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u' # user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u' # #user_query = \ # SELECT home, uid, gid \ # FROM users WHERE username = '%n' AND domain = '%d' user_query = SELECT CONCAT(homedir, maildir) AS home, CONCAT('maildir:', homedir, maildir) AS mail, uid, gid, CONCAT('*:storage=', quota, 'M') as quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') #user_query = SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, 150 AS uid, 12 AS gid FROM mailbox WHERE username = '%u' AND active = '1' # If you wish to avoid two SQL lookups (passdb + userdb), you can use # userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll # also have to return userdb fields in password_query prefixed with "userdb_" # string. For example: #password_query = \ # SELECT userid AS user, password, \ # home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \ # FROM users WHERE userid = '%u' # Query to get a list of all usernames. 
#iterate_query = SELECT username AS user FROM users iterate_query = SELECT username AS user FROM mail_users ]]> </content> </file> <command><![CDATA[systemctl enable dovecot.service]]></command> <command><![CDATA[systemctl reload-or-restart dovecot.service]]></command> </daemon> </service> <!-- FTP services --> <service type="ftp" title="{{lng.admin.configfiles.ftp}}"> <!-- Proftpd --> <daemon name="proftpd" version="1.3" title="ProFTPd" default="true"> <install><![CDATA[zypper install proftpd proftpd-mysql]]></install> <file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600" backup="true"> <content><![CDATA[ # This is the ProFTPD configuration file # # See: http://www.proftpd.org/docs/directives/linked/by-name.html # Security-Enhanced Linux (SELinux) Notes: # # In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux # in order to mitigate the effects of an attacker taking advantage of an # unpatched vulnerability and getting control of the ftp server. By default, # ProFTPD cannot read or write most files on a system nor connect to many # external network services, but these restrictions can be relaxed by # setting SELinux booleans as follows: # # setsebool -P allow_ftpd_anon_write=1 # This allows the ftp daemon to write to files and directories labelled # with the public_content_rw_t context type; the daemon would only have # read access to these files normally. Files to be made available by ftp # but not writeable should be labelled public_content_t. # # setsebool -P allow_ftpd_full_access=1 # This allows the ftp daemon to read and write all files on the system. # # setsebool -P allow_ftpd_use_cifs=1 # This allows the ftp daemon to read and write files on CIFS-mounted # filesystems. # # setsebool -P allow_ftpd_use_nfs=1 # This allows the ftp daemon to read and write files on NFS-mounted # filesystems. # # setsebool -P ftp_home_dir=1 # This allows the ftp daemon to read and write files in users' home # directories. 
# # setsebool -P ftpd_connect_all_unreserved=1 # This setting is only available from Fedora 16/RHEL-7 onwards, and is # necessary for active-mode ftp transfers to work reliably with non-Linux # clients (see http://bugzilla.redhat.com/782177), which may choose to # use port numbers outside the "ephemeral port" range of 32768-61000. # # setsebool -P ftpd_connect_db=1 # This setting allows the ftp daemon to connect to commonly-used database # ports over the network, which is necessary if you are using a database # back-end for user authentication, etc. # # setsebool -P ftpd_is_daemon=1 # This setting is available only in Fedora releases 4 to 6 and Red Hat # Enterprise Linux 5. It should be set if ProFTPD is running in standalone # mode, and unset if running in inetd mode. # # setsebool -P ftpd_disable_trans=1 # This setting is available only in Fedora releases 4 to 6 and Red Hat # Enterprise Linux 5, and when set it removes the SELinux confinement of the # ftp daemon. Needless to say, its use is not recommended. # # All of these booleans are unset by default. # # See also the "ftpd_selinux" manpage. # # Note that the "-P" option to setsebool makes the setting permanent, i.e. # it will still be in effect after a reboot; without the "-P" option, the # effect only lasts until the next reboot. # # Restrictions imposed by SELinux are on top of those imposed by ordinary # file ownership and access permissions; in normal operation, the ftp daemon # will not be able to read and/or write a file unless *all* of the ownership, # permission and SELinux restrictions allow it. # Server Config - config used for anything outside a <VirtualHost> or <Global> context # See: http://www.proftpd.org/docs/howto/Vhost.html # Trace logging, disabled by default for performance reasons # (http://www.proftpd.org/docs/howto/Tracing.html) #TraceLog /var/log/proftpd/trace.log #Trace DEFAULT:0 ServerName "<SERVERNAME> FTP server" ServerIdent on "FTP Server ready." 
ServerAdmin root@<SERVERNAME> DefaultServer on # The DebugLevel directive configures the debugging level the server will use when logging. # The level parameter must be between 0 and 9. # This configuration directive will take precedence over any command-line debugging options used. #DebugLevel 9 # Cause every FTP user except adm to be chrooted into their home directory DefaultRoot ~ !adm # Use pam to authenticate (default) and be authoritative AuthPAMConfig proftpd AuthOrder mod_sql.c #AuthOrder mod_auth_pam.c* mod_auth_unix.c # If you use NIS/YP/LDAP you may need to disable PersistentPasswd #PersistentPasswd off # Don't do reverse DNS lookups (hangs on DNS problems) UseReverseDNS off # Set the user and group that the server runs as User nobody Group nobody # To prevent DoS attacks, set the maximum number of child processes # to 20. If you need to allow more than 20 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode; in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 20 # Disable sendfile by default since it breaks displaying the download speeds in # ftptop and ftpwho UseSendfile off # Define the log formats LogFormat default "%h %l %u %t \"%r\" %s %b" LogFormat auth "%v [%P] %h %t \"%r\" %s" # Dynamic Shared Object (DSO) loading # See README.DSO and howto/DSO.html for more details # # General database support (http://www.proftpd.org/docs/contrib/mod_sql.html) LoadModule mod_sql.c # # Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables # (contrib/mod_sql_passwd.html) # LoadModule mod_sql_passwd.c # # Mysql support (requires proftpd-mysql package) # (http://www.proftpd.org/docs/contrib/mod_sql.html) LoadModule mod_sql_mysql.c # # Postgresql support (requires proftpd-postgresql package) # (http://www.proftpd.org/docs/contrib/mod_sql.html) # LoadModule mod_sql_postgres.c # # Quota support 
(http://www.proftpd.org/docs/contrib/mod_quotatab.html) LoadModule mod_quotatab.c # # File-specific "driver" for storing quota table information in files # (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html) # LoadModule mod_quotatab_file.c # # SQL database "driver" for storing quota table information in SQL tables # (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html) LoadModule mod_quotatab_sql.c # # LDAP support (requires proftpd-ldap package) # (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html) # LoadModule mod_ldap.c # # LDAP quota support (requires proftpd-ldap package) # (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html) # LoadModule mod_quotatab_ldap.c # # Support for authenticating users using the RADIUS protocol # (http://www.proftpd.org/docs/contrib/mod_radius.html) # LoadModule mod_radius.c # # Retrieve quota limit table information from a RADIUS server # (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html) # LoadModule mod_quotatab_radius.c # # SITE CPFR and SITE CPTO commands (analogous to RNFR and RNTO), which can be # used to copy files/directories from one place to another on the server # without having to transfer the data to the client and back # (http://www.castaglia.org/proftpd/modules/mod_copy.html) # LoadModule mod_copy.c # # Administrative control actions for the ftpdctl program # (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html) LoadModule mod_ctrls_admin.c # # Support for MODE Z commands, which allows FTP clients and servers to # compress data for transfer # (http://www.castaglia.org/proftpd/modules/mod_deflate.html) # LoadModule mod_deflate.c # # Execute external programs or scripts at various points in the process # of handling FTP commands # (http://www.castaglia.org/proftpd/modules/mod_exec.html) # LoadModule mod_exec.c # # Support for POSIX ACLs # (http://www.proftpd.org/docs/modules/mod_facl.html) # LoadModule mod_facl.c # # Support for using the GeoIP library to look 
up geographical information on # the connecting client and using that to set access controls for the server # (http://www.castaglia.org/proftpd/modules/mod_geoip.html) # LoadModule mod_geoip.c # # Allow for version-specific configuration sections of the proftpd config file, # useful for using the same proftpd config across multiple servers where # different proftpd versions may be in use # (http://www.castaglia.org/proftpd/modules/mod_ifversion.html) # LoadModule mod_ifversion.c # # Configure server availability based on system load # (http://www.proftpd.org/docs/contrib/mod_load.html) # LoadModule mod_load.c # # Limit downloads to a multiple of upload volume (see README.ratio) # LoadModule mod_ratio.c # # Rewrite FTP commands sent by clients on-the-fly, # using regular expression matching and substitution # (http://www.proftpd.org/docs/contrib/mod_rewrite.html) # LoadModule mod_rewrite.c # # Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over # an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html) # LoadModule mod_sftp.c # # Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for # mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html) # LoadModule mod_sftp_pam.c # # Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user # and host based authentication # (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html) # LoadModule mod_sftp_sql.c # # Provide data transfer rate "shaping" across the entire server # (http://www.castaglia.org/proftpd/modules/mod_shaper.html) # LoadModule mod_shaper.c # # Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK, # and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html) # LoadModule mod_site_misc.c # # Provide an external SSL session cache using shared memory # (contrib/mod_tls_shmcache.html) # LoadModule mod_tls_shmcache.c # # Provide a memcached-based implementation of an external SSL session 
cache # (contrib/mod_tls_memcache.html) # LoadModule mod_tls_memcache.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny # files, for IP-based access control # (http://www.proftpd.org/docs/contrib/mod_wrap.html) # LoadModule mod_wrap.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny # files, as well as SQL-based access rules, for IP-based access control # (http://www.proftpd.org/docs/contrib/mod_wrap2.html) # LoadModule mod_wrap2.c # # Support module for mod_wrap2 that handles access rules stored in specially # formatted files on disk # (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html) # LoadModule mod_wrap2_file.c # # Support module for mod_wrap2 that handles access rules stored in SQL # database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html) # LoadModule mod_wrap2_sql.c # # Implement a virtual chroot capability that does not require root privileges # (http://www.castaglia.org/proftpd/modules/mod_vroot.html) # Using this module rather than the kernel's chroot() system call works # around issues with PAM and chroot (http://bugzilla.redhat.com/506735) LoadModule mod_vroot.c # # Provide a flexible way of specifying that certain configuration directives # only apply to certain sessions, based on credentials such as connection # class, user, or group membership # (http://www.proftpd.org/docs/contrib/mod_ifsession.html) # LoadModule mod_ifsession.c # Allow only user root to load and unload modules, but allow everyone # to see which modules have been loaded # (http://www.proftpd.org/docs/modules/mod_dso.html#ModuleControlsACLs) ModuleControlsACLs insmod,rmmod allow user root ModuleControlsACLs lsmod allow user * # Enable basic controls via ftpdctl # (http://www.proftpd.org/docs/modules/mod_ctrls.html) ControlsEngine on ControlsACLs all allow user root ControlsSocketACL allow user * ControlsLog /var/log/proftpd/controls.log # Enable admin controls via ftpdctl # 
(http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html) <IfModule mod_ctrls_admin.c> AdminControlsEngine on AdminControlsACLs all allow user root </IfModule> # Enable mod_vroot by default for better compatibility with PAM # (http://bugzilla.redhat.com/506735) <IfModule mod_vroot.c> VRootEngine on </IfModule> # TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html) <IfDefine TLS> TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest NoSessionReuseRequired TLSVerifyClient off #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log <IfModule mod_tls_shmcache.c> TLSSessionCache shm:/file=/var/run/proftpd/sesscache </IfModule> </IfDefine> # Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html) # Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd <IfDefine DYNAMIC_BAN_LISTS> LoadModule mod_ban.c BanEngine on BanLog /var/log/proftpd/ban.log BanTable /var/run/proftpd/ban.tab # If the same client reaches the MaxLoginAttempts limit 2 times # within 10 minutes, automatically add a ban for that client that # will expire after one hour. 
BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00 # Inform the user that it's not worth persisting BanMessage "Host %a has been banned" # Allow the FTP admin to manually add/remove bans BanControlsACLs all allow user ftpadm </IfDefine> # Set networking-specific "Quality of Service" (QoS) bits on the packets used # by the server (contrib/mod_qos.html) <IfDefine QOS> LoadModule mod_qos.c # RFC791 TOS parameter compatibility QoSOptions dataqos throughput ctrlqos lowdelay # For a DSCP environment (may require tweaking) #QoSOptions dataqos CS2 ctrlqos AF41 </IfDefine> # Global Config - config common to Server Config and all virtual hosts # See: http://www.proftpd.org/docs/howto/Vhost.html <Global> # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable Umask 077 # Allow users to overwrite files and change permissions AllowOverwrite yes <Limit ALL SITE_CHMOD> AllowAll </Limit> # CH-Root all users DefaultRoot ~ # Reject rootlogin (just for security) RootLogin off # Noo need to require valid shell, because user is virtual RequireValidShell off </Global> # A basic anonymous configuration, with an upload directory # Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd <IfDefine ANONYMOUS_FTP> #<Anonymous ~ftp> #User ftp #Group ftp #AccessGrantMsg "Anonymous login ok, restrictions apply." ## We want clients to be able to login with "anonymous" as well as "ftp" #UserAlias anonymous ftp ## Limit the maximum number of anonymous logins #MaxClients 10 "Sorry, max %m users -- try again later" ## Put the user into /pub right after login ##DefaultChdir /pub ## We want 'welcome.msg' displayed at login, '.message' displayed in ## each newly chdired directory and tell users to read README* files. 
#DisplayLogin /welcome.msg #DisplayChdir .message #DisplayReadme README* ## Cosmetic option to make all files appear to be owned by user "ftp" #DirFakeUser on ftp #DirFakeGroup on ftp ## Limit WRITE everywhere in the anonymous chroot #<Limit WRITE SITE_CHMOD> #DenyAll #</Limit> ## An upload directory that allows storing files but not retrieving ## or creating directories. #<Directory uploads/*> #AllowOverwrite no #<Limit READ> #DenyAll #</Limit> #<Limit STOR> #AllowAll #</Limit> #</Directory> ## Don't write anonymous accesses to the system wtmp file (good idea!) #WtmpLog off ## Logging for the anonymous transfers #ExtendedLog /var/log/proftpd/access.log WRITE,READ default #ExtendedLog /var/log/proftpd/auth.log AUTH auth #</Anonymous> </IfDefine> <IfModule mod_sql_mysql.c> SQLLogFile /var/log/proftpd/sql.log SQLAuthTypes Crypt SQLAuthenticate users* groups* SQLConnectInfo <SQL_DB>@<SQL_HOST> <SQL_UNPRIVILEGED_USER> <SQL_UNPRIVILEGED_PASSWORD> SQLUserInfo ftp_users username password uid gid homedir shell SQLGroupInfo ftp_groups groupname gid members SQLUserWhereClause "login_enabled = 'y'" SQLLog PASS login #SQLNamedQuery login UPDATE "last_login=now(), login_count=login_count+1 WHERE username='%u'" ftp_users SQLLog RETR download #SQLNamedQuery download UPDATE "down_count=down_count+1, down_bytes=down_bytes+%b WHERE username='%u'" ftp_users SQLLog STOR upload #SQLNamedQuery upload UPDATE "up_count=up_count+1, up_bytes=up_bytes+%b WHERE username='%u'" ftp_users #QuotaEngine on #QuotaShowQuotas on #QuotaDisplayUnits Mb #QuotaLock /var/lock/ftpd.quotatab.lock #QuotaLimitTable sql:/get-quota-limit #QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally #SQLNamedQuery get-quota-limit SELECT "ftp_users.username AS name, ftp_quotalimits.quota_type, ftp_quotalimits.per_session, ftp_quotalimits.limit_type, panel_customers.diskspace*1024 AS bytes_in_avail, ftp_quotalimits.bytes_out_avail, ftp_quotalimits.bytes_xfer_avail, ftp_quotalimits.files_in_avail, 
ftp_quotalimits.files_out_avail, ftp_quotalimits.files_xfer_avail FROM ftp_users, ftp_quotalimits, panel_customers WHERE ftp_users.username = '%{0}' AND panel_customers.loginname = SUBSTRING_INDEX('%{0}', 'ftp', 1) AND quota_type ='%{1}'" #SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_used, bytes_xfer_used, files_in_used, files_out_used,files_xfer_used FROM ftp_quotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" #SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies #SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies </IfModule> ]]> </content> </file> <command><![CDATA[systemctl enable proftpd.service]]></command> <command><![CDATA[systemctl reload-or-restart proftpd.service]]></command> </daemon> </service>
<!-- System tools/services -->
<!-- Every <file> below is written by the froxlor installer as root; <...> tokens and
     {{...}} expressions are substituted before the content is written, and
     backup="true" keeps the pre-existing file. -->
<service type="system" title="{{lng.admin.configfiles.etc}}">
<!-- Cronjob -->
<!-- NOTE(review): the cron entry runs froxlor_master_cronjob.php as root every minute.
     <BASE_PATH> is filled in at install time; whatever lives there executes with root
     privileges, so the path must be root-owned and not writable by customer accounts.
     0640 root:0 on the cron.d file keeps the schedule itself from being read by others. -->
<daemon name="cron" title="Cronjob for froxlor" mandatory="true"> <file name="/etc/cron.d/froxlor" chown="root:0" chmod="0640"> <content><![CDATA[ # # Set PATH, otherwise restart-scripts won't find start-stop-daemon # PATH=/sbin:/bin:/usr/sbin:/usr/bin # # Regular cron jobs for the froxlor package # # Please check that all following paths are correct # */1 * * * * root /usr/bin/php -q <BASE_PATH>scripts/froxlor_master_cronjob.php ]]> </content> </file> <command><![CDATA[{{settings.system.crondreload}}]]></command> </daemon>
<!-- AWstats -->
<!-- Both sed calls edit the distribution's awstats.model.conf in place and leave a .bak
     copy next to it; the second command (continued on the next line) rewrites DirIcons.
     Removing /etc/cron.d/awstats presumably hands statistics generation over to the
     froxlor cron above - confirm that is the intended behaviour on Leap. -->
<daemon name="awstats" title="Awstats (webalizer alternative)"> <command><![CDATA[sed -i.bak 's/^DirData/# DirData/' {{settings.system.awstats_conf}}/awstats.model.conf]]></command> <command><![CDATA[sed -i.bak 
's|^\\(DirIcons=\\).*$|\\1\\"/awstats-icon\\"|' {{settings.system.awstats_conf}}/awstats.model.conf]]></command> <command><![CDATA[rm /etc/cron.d/awstats]]></command> </daemon>
<!-- libnss-mysql -->
<!-- NOTE(review): "epel-release" and the "extras" repository are Fedora/RHEL (EPEL) names,
     not openSUSE Leap ones; this first zypper call presumably fails or installs nothing
     on a Leap 42 host. Confirm the correct Leap package source for libnss-mysql. -->
<!-- /etc/libnss-mysql.cfg holds the unprivileged DB credentials in clear text, hence
     0600 root:root. The getspnam/getspent queries return the password hash column
     from ftp_users, so this file effectively exposes shadow data to whoever can read it. -->
<daemon name="libnss" title="libnss-mysql (required for FCGID/php-fpm/mpm-itk)"> <install><![CDATA[zypper --enablerepo=extras install epel-release]]></install> <install><![CDATA[zypper install libnss-mysql nscd]]></install> <file name="/etc/libnss-mysql.cfg" chown="root:root" chmod="0600" backup="true"> <content><![CDATA[ getpwnam SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \ FROM ftp_users \ WHERE username='%1$s' \ AND login_enabled = 'Y' \ ORDER BY LENGTH(username) \ LIMIT 1 getpwuid SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \ FROM ftp_users \ WHERE uid='%1$u' \ AND login_enabled = 'Y' \ ORDER BY LENGTH(username) \ LIMIT 1 getspnam SELECT username,password,FLOOR(UNIX_TIMESTAMP()/86400-1),'1','99999','7','-1','-1','0' \ FROM ftp_users \ WHERE username='%1$s' \ AND login_enabled = 'Y' \ ORDER BY LENGTH(username) \ LIMIT 1 getpwent SELECT username,'x',uid,gid,'Froxlor Customer',homedir,shell \ FROM ftp_users getspent SELECT username,password,FLOOR(UNIX_TIMESTAMP()/86400-1),'1','99999','7','-1','-1','0' \ FROM ftp_users getgrnam SELECT groupname,'x',gid \ FROM ftp_groups \ WHERE groupname='%1$s' \ LIMIT 1 getgrgid SELECT groupname,'x',gid \ FROM ftp_groups \ WHERE gid='%1$u' \ LIMIT 1 getgrent SELECT groupname,'x',gid \ FROM ftp_groups memsbygid SELECT members \ FROM ftp_groups \ WHERE gid='%1$u' gidsbymem SELECT CONCAT_WS(',', gid) as gid \ FROM ftp_groups \ WHERE FIND_IN_SET('%1$s', members) host <SQL_HOST> database <SQL_DB> username <SQL_UNPRIVILEGED_USER> password <SQL_UNPRIVILEGED_PASSWORD> #socket /var/lib/mysql/mysql.sock #port 3306 ]]> </content> </file>
<!-- These two sed calls run only when {{sql.socket}} is set; they uncomment the
     "socket" line and fill in the path. NOTE(review): "sed -i.bak" leaves
     /etc/libnss-mysql.cfg.bak behind, a second copy of the credentials - confirm the
     backup keeps the 0600 mode or remove it afterwards. -->
<commands> <!-- if a socket is set for the db-server use it --> <visibility mode="notempty">{{sql.socket}}</visibility> <command><![CDATA[sed -i.bak 's/^#socket/socket/' 
/etc/libnss-mysql.cfg]]></command> <command><![CDATA[sed -i.bak 's|^\\(socket\\).*$|\\1\\"{{sql.socket}}\\"|' /etc/libnss-mysql.cfg]]></command> </commands>
<!-- NOTE(review): despite the "-root" name this file carries the same unprivileged
     DB account as /etc/libnss-mysql.cfg, not a separate privileged one; the shadow
     lookups above therefore rely on that single account. -->
<file name="/etc/libnss-mysql-root.cfg" chown="root:root" chmod="0600" backup="true"> <content><![CDATA[ username <SQL_UNPRIVILEGED_USER> password <SQL_UNPRIVILEGED_PASSWORD> ]]> </content> </file>
<!-- /etc/nsswitch.conf is replaced wholesale (the old one is kept via backup="true").
     "mysql" is deliberately last on passwd/group/shadow so local files win on a name
     or uid collision. NOTE(review): no chown/chmod is given here, unlike the other
     files - this file must remain world-readable for NSS lookups by unprivileged
     processes to work; and the sss/nisplus entries presumably come from a stock
     template, so check they match the target host before deploying. -->
<file name="/etc/nsswitch.conf" backup="true"> <content><![CDATA[ # Make sure that `passwd`, `group` and `shadow` have mysql in their lines # You should place mysql at the end, so that it is queried after the other mechanisams # passwd: files sss mysql group: files sss mysql shadow: files sss mysql hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: files sss publickey: nisplus automount: files aliases: files nisplus ]]> </content> </file>
<!-- nscd caches NSS answers; restart it and drop the group cache so the new mysql
     backend is consulted immediately. -->
<command><![CDATA[systemctl reload-or-restart nscd.service]]></command> <!-- clear group cache --> <command><![CDATA[nscd --invalidate=group]]></command> </daemon>
<!-- Logrotate -->
<!-- The snippet holds no secrets, so 0644 is appropriate. <WEBSERVER_RELOAD_CMD> is
     substituted at install time and its failure is ignored ("|| true"), so a broken
     reload command would go unnoticed here. -->
<daemon name="logrotate" title="Logrotate"> <install><![CDATA[zypper install logrotate]]></install> <file name="/etc/logrotate.d/froxlor" chown="root:root" chmod="0644"> <content><![CDATA[ # # Froxlor logrotate snipet # <CUSTOMER_LOGS>*.log { missingok weekly rotate 4 compress delaycompress notifempty create sharedscripts postrotate <WEBSERVER_RELOAD_CMD> > /dev/null 2>&1 || true endscript } ]]> </content> </file> </daemon>
</service> </services> </distribution> </froxlor>