From b56b96f749f9fd9aae3463cfa2a4259a6c79540b Mon Sep 17 00:00:00 2001 From: Alexandros Ioannides Date: Wed, 23 Nov 2016 16:09:36 +0200 Subject: [PATCH 01/11] Minor changes --- install/vst-install-ubuntu.sh | 44 +++++++++++++++++------------------ 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/install/vst-install-ubuntu.sh b/install/vst-install-ubuntu.sh index b5ac1aa7b..a60e5b6fd 100755 --- a/install/vst-install-ubuntu.sh +++ b/install/vst-install-ubuntu.sh @@ -258,7 +258,7 @@ fi # Brief Info # #----------------------------------------------------------# -# Printing nice ascii aslogo +# Printing nice ASCII logo clear echo echo ' _| _| _|_|_|_| _|_|_| _|_|_|_|_| _|_|' @@ -490,7 +490,7 @@ mv /var/lib/mysql $vst_backups/mysql/mysql_datadir > /dev/null 2>&1 cp -r /etc/mysql/* $vst_backups/mysql > /dev/null 2>&1 mv -f /root/.my.cnf $vst_backups/mysql > /dev/null 2>&1 -# Backup vesta +# Backup Vesta service vesta stop > /dev/null 2>&1 cp -r $VESTA/* $vst_backups/vesta > /dev/null 2>&1 apt-get -y remove vesta vesta-nginx vesta-php > /dev/null 2>&1 @@ -584,7 +584,7 @@ chmod a+x /usr/sbin/policy-rc.d apt-get -y install $software check_result $? "apt-get install failed" -# Restore policy +# Restore policy rm -f /usr/sbin/policy-rc.d @@ -602,8 +602,8 @@ rm -f /etc/cron.d/awstats # Set directory color echo 'LS_COLORS="$LS_COLORS:di=00;33"' >> /etc/profile -# Register /sbin/nologin -echo "/sbin/nologin" >> /etc/shells +# Register /usr/sbin/nologin +echo "/usr/sbin/nologin" >> /etc/shells # NTP Synchronization echo '#!/bin/sh' > /etc/cron.daily/ntpdate 
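Review bot: `echo "/usr/sbin/nologin" >> /etc/shells` appends unconditionally, so every re-run of the installer (the script has a `force` path further down) adds another copy, and a stale `/sbin/nologin` entry left by the previous version is never removed. Guard the append with `grep -qxF '/usr/sbin/nologin' /etc/shells || echo '/usr/sbin/nologin' >> /etc/shells`. Listing nologin in /etc/shells also makes pam_shells and chsh treat it as a valid login shell, which is presumably what the FTP service needs for accounts that should otherwise have no shell; a one-line comment saying so would stop a future hardening pass from "fixing" it.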
@@ -639,10 +639,10 @@ echo 'PATH=$PATH:'$VESTA'/bin' >> /root/.bash_profile echo 'export PATH' >> /root/.bash_profile source /root/.bash_profile -# Configuring logrotate for vesta logs +# Configuring logrotate for Vesta logs wget $vestacp/logrotate/vesta -O /etc/logrotate.d/vesta -# Buidling directory tree and creating some blank files for vesta +# Buidling directory tree and creating some blank files for Vesta mkdir -p $VESTA/conf $VESTA/log $VESTA/ssl $VESTA/data/ips \ $VESTA/data/queue $VESTA/data/users $VESTA/data/firewall \ $VESTA/data/sessions @@ -658,12 +658,12 @@ ln -s $VESTA/log /var/log/vesta chown admin:admin $VESTA/data/sessions chmod 770 $VESTA/data/sessions -# Generating vesta configuration +# Generating Vesta configuration rm -f $VESTA/conf/vesta.conf 2>/dev/null touch $VESTA/conf/vesta.conf chmod 660 $VESTA/conf/vesta.conf -# WEB stack +# Web stack if [ "$apache" = 'yes' ] && [ "$nginx" = 'no' ] ; then echo "WEB_SYSTEM='apache2'" >> $VESTA/conf/vesta.conf echo "WEB_RGROUPS='www-data'" >> $VESTA/conf/vesta.conf @@ -867,7 +867,7 @@ done #----------------------------------------------------------# -# Configure VSFTPD # +# Configure Vsftpd # #----------------------------------------------------------# if [ "$vsftpd" = 'yes' ]; then @@ -904,14 +904,14 @@ if [ "$mysql" = 'yes' ]; then mycnf="my-large.cnf" fi - # MySQL configuration + # Configuring MySQL/MariaDB wget $vestacp/mysql/$mycnf -O /etc/mysql/my.cnf mysql_install_db update-rc.d mysql defaults service mysql start check_result $? "mysql start failed" - # Securing MySQL installation + # Securing MySQL/MariaDB installation mysqladmin -u root password $vpass echo -e "[client]\npassword='$vpass'\n" > /root/.my.cnf chmod 600 /root/.my.cnf @@ -1049,7 +1049,7 @@ fi #----------------------------------------------------------# -# Configure RoundCube # +# Configure Roundcube # #----------------------------------------------------------# if [ "$exim" = 'yes' ] && [ "$mysql" = 'yes' ]; then 
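Review bot: The rewritten comment `# Buidling directory tree and creating some blank files for Vesta` only capitalises Vesta and keeps the misspelling of "Building"; the hunk at `@@ -1171` has the same problem, turning `inititall` into `initital`. Suggest `# Building directory tree and creating some blank files for Vesta` and `# Building initial rrd images`.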
@@ -1114,16 +1114,16 @@ if [ ! -z "$(grep ^admin: /etc/group)" ] && [ "$force" = 'yes' ]; then groupdel admin > /dev/null 2>&1 fi -# Adding vesta account +# Adding Vesta admin account $VESTA/bin/v-add-user admin $vpass $email default System Administrator check_result $? "can't create admin user" $VESTA/bin/v-change-user-shell admin bash $VESTA/bin/v-change-user-language admin $lang -# Configuring system ips +# Configuring system IPs $VESTA/bin/v-update-sys-ip -# Get main ip +# Get main IP ip=$(ip addr|grep 'inet '|grep global|head -n1|awk '{print $2}'|cut -f1 -d/) # Firewall configuration @@ -1131,20 +1131,20 @@ if [ "$iptables" = 'yes' ]; then $VESTA/bin/v-update-firewall fi -# Get public ip +# Get public IP pub_ip=$(curl -s vestacp.com/what-is-my-ip/) if [ ! -z "$pub_ip" ] && [ "$pub_ip" != "$ip" ]; then $VESTA/bin/v-change-sys-ip-nat $ip $pub_ip ip=$pub_ip fi -# Configuring mysql host +# Configuring MySQL host if [ "$mysql" = 'yes' ]; then $VESTA/bin/v-add-database-host mysql localhost root $vpass $VESTA/bin/v-add-database admin default default $(gen_pass) mysql fi -# Configuring pgsql host +# Configuring PostgreSQL host if [ "$postgresql" = 'yes' ]; then $VESTA/bin/v-add-database-host pgsql localhost postgres $vpass $VESTA/bin/v-add-database admin db db $(gen_pass) pgsql @@ -1171,7 +1171,7 @@ command="sudo $VESTA/bin/v-update-sys-rrd" $VESTA/bin/v-add-cron-job 'admin' '*/5' '*' '*' '*' '*' "$command" service cron restart -# Building inititall rrd images +# Building initital rrd images $VESTA/bin/v-update-sys-rrd # Enabling file system quota @@ -1179,7 +1179,7 @@ if [ "$quota" = 'yes' ]; then $VESTA/bin/v-add-sys-quota fi -# Starting vesta service +# Starting Vesta service update-rc.d vesta defaults service vesta start check_result $? "vesta start failed" 
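Review bot: `pub_ip=$(curl -s vestacp.com/what-is-my-ip/)` fetches the public address over plain HTTP and, apart from the non-empty test, hands whatever came back to `v-change-sys-ip-nat`; an error page, a redirect body or a tampered response would be recorded as the NAT address. Check the shape before using it, e.g. `if [ ! -z "$pub_ip" ] && [ "$pub_ip" != "$ip" ] && echo "$pub_ip" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then`, and add `-f --max-time 10` to the curl call so an HTTP error is not treated as data and an unreachable endpoint cannot stall the install. The commit only reworded the comment here, so this is a pre-existing gap rather than a regression.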
@@ -1199,7 +1199,7 @@ $VESTA/bin/v-add-cron-vesta-autoupdate # Sending install notification to vestacp.com wget vestacp.com/notify/?$codename -O /dev/null -q -# Comparing hostname and ip +# Comparing hostname and IP host_ip=$(host $servername| head -n 1 | awk '{print $NF}') if [ "$host_ip" = "$ip" ]; then ip="$servername" From 343e3230622f877bf4936b061037cfb407cbfa1f Mon Sep 17 00:00:00 2001 From: Alexandros Ioannides Date: Wed, 23 Nov 2016 16:16:53 +0200 Subject: [PATCH 02/11] Add DMARC support Add DMARC support --- install/ubuntu/16.04/templates/dns/child-ns.tpl | 1 + 1 file changed, 1 insertion(+) diff --git a/install/ubuntu/16.04/templates/dns/child-ns.tpl b/install/ubuntu/16.04/templates/dns/child-ns.tpl index 27f9b825b..f0695773d 100755 --- a/install/ubuntu/16.04/templates/dns/child-ns.tpl +++ b/install/ubuntu/16.04/templates/dns/child-ns.tpl @@ -9,3 +9,4 @@ ID='8' RECORD='pop' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time ID='9' RECORD='ftp' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' ID='10' RECORD='@' TYPE='MX' PRIORITY='10' VALUE='mail.%domain%.' SUSPENDED='no' TIME='%time%' DATE='%date%' ID='11' RECORD='@' TYPE='TXT' PRIORITY='' VALUE='"v=spf1 a mx ip4:%ip% ?all"' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='12' RECORD='_dmarc' TYPE='TXT' PRIORITY='' VALUE='"v=DMARC1; p=none"' SUSPENDED='no' TIME='%time%' DATE='%date%' From e64ac51893d051fcaf576064b2f8c2fa0c2fcb05 Mon Sep 17 00:00:00 2001 From: Alexandros Ioannides Date: Wed, 23 Nov 2016 16:18:17 +0200 Subject: [PATCH 03/11] Add DMARC Support Add DMARC Support --- install/ubuntu/16.04/templates/dns/default.tpl | 1 + 1 file changed, 1 insertion(+) diff --git a/install/ubuntu/16.04/templates/dns/default.tpl b/install/ubuntu/16.04/templates/dns/default.tpl index 942c15bc8..d02cfc03e 100755 --- a/install/ubuntu/16.04/templates/dns/default.tpl +++ b/install/ubuntu/16.04/templates/dns/default.tpl 
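Review bot: The new `_dmarc` record `"v=DMARC1; p=none"` has no `rua=` tag, so it asks receivers for neither enforcement nor aggregate reports: DMARC is evaluated but nobody ever sees the results, which defeats the purpose of a `p=none` monitoring phase. The same record is added to default.tpl in the next patch. Consider `VALUE='"v=DMARC1; p=none; rua=mailto:postmaster@%domain%"'`, reusing the template's `%domain%` placeholder, so the operator gets the data needed to move to `quarantine` or `reject` later.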
@@ -13,3 +13,4 @@ ID='12' RECORD='pop' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%tim ID='13' RECORD='ftp' TYPE='A' PRIORITY='' VALUE='%ip%' SUSPENDED='no' TIME='%time%' DATE='%date%' ID='14' RECORD='@' TYPE='MX' PRIORITY='10' VALUE='mail.%domain%.' SUSPENDED='no' TIME='%time%' DATE='%date%' ID='15' RECORD='@' TYPE='TXT' PRIORITY='' VALUE='"v=spf1 a mx ip4:%ip% ?all"' SUSPENDED='no' TIME='%time%' DATE='%date%' +ID='16' RECORD='_dmarc' TYPE='TXT' PRIORITY='' VALUE='"v=DMARC1; p=none"' SUSPENDED='no' TIME='%time%' DATE='%date%' From 931fc2b44ee30dc232cecac32b15c1d66ebd0fe1 Mon Sep 17 00:00:00 2001 From: Alexandros Ioannides Date: Wed, 23 Nov 2016 16:32:52 +0200 Subject: [PATCH 04/11] Minor optimizations Minor optimizations --- install/ubuntu/16.04/nginx/nginx.conf | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/install/ubuntu/16.04/nginx/nginx.conf b/install/ubuntu/16.04/nginx/nginx.conf index ca6929592..b300e29f1 100644 --- a/install/ubuntu/16.04/nginx/nginx.conf +++ b/install/ubuntu/16.04/nginx/nginx.conf @@ -1,7 +1,8 @@ # Server globals user www-data; -worker_processes 2; -error_log /var/log/nginx/error.log; +worker_processes auto; +worker_rlimit_nofile 65535; +error_log /var/log/nginx/error.log crit; pid /var/run/nginx.pid; @@ -9,6 +10,7 @@ pid /var/run/nginx.pid; events { worker_connections 1024; use epoll; + multi_accept on; } @@ -37,7 +39,7 @@ http { '"$status" $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; log_format bytes '$body_bytes_sent'; - #access_log /var/log/nginx/access.log main; + #access_log /var/log/nginx/access.log main; access_log off; 
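Review bot: `error_log /var/log/nginx/error.log crit;` raises the threshold from the default `error` to `crit`, so upstream timeouts, permission errors, rate-limit rejections and configuration warnings are no longer logged; together with the `access_log off;` further down in this file the server is nearly blind for incident response. `crit` is a common carry-over from benchmarking guides; `error` (or `warn` while the new `worker_rlimit_nofile`/`multi_accept` settings bed in) keeps the log small without dropping the events an operator needs. `worker_rlimit_nofile 65535;` also only takes effect if the process hard limit allows it, so check the service's `LimitNOFILE` on 16.04's systemd unit (I cannot see the unit from here).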
@@ -51,9 +53,9 @@ http { gzip_comp_level 9; gzip_min_length 512; gzip_buffers 8 64k; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml application/x-font-ttf font/opentype; + gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype; gzip_proxied any; - + gzip_disable "MSIE [1-6]\."; # Proxy settings proxy_redirect off; From 103bdd71288d1b3e18d8d60a0e9fb9c9b5e41c28 Mon Sep 17 00:00:00 2001 From: Alexandros Ioannides Date: Wed, 23 Nov 2016 16:38:31 +0200 Subject: [PATCH 05/11] Security hardening --- install/ubuntu/16.04/dovecot/conf.d/10-ssl.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/ubuntu/16.04/dovecot/conf.d/10-ssl.conf b/install/ubuntu/16.04/dovecot/conf.d/10-ssl.conf index 3aaff6eec..24cbf3e26 100644 --- a/install/ubuntu/16.04/dovecot/conf.d/10-ssl.conf +++ b/install/ubuntu/16.04/dovecot/conf.d/10-ssl.conf @@ -1,3 +1,5 @@ ssl = yes +ssl_protocols = !SSLv2 !SSLv3 + ssl_cert = Date: Wed, 23 Nov 2016 16:39:20 +0200 Subject: [PATCH 06/11] Fix for folders creation --- install/ubuntu/16.04/dovecot/dovecot.conf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/install/ubuntu/16.04/dovecot/dovecot.conf b/install/ubuntu/16.04/dovecot/dovecot.conf index 0a8553510..311a33517 100644 --- a/install/ubuntu/16.04/dovecot/dovecot.conf +++ b/install/ubuntu/16.04/dovecot/dovecot.conf @@ -2,3 +2,23 @@ protocols = imap pop3 listen = *, :: base_dir = /var/run/dovecot/ !include conf.d/*.conf + +namespace { + type = private + separator = / + prefix = + inbox = yes + + mailbox Sent { + auto = subscribe + special_use = \Sent + } + mailbox Drafts { + auto = subscribe + special_use = \Drafts + } + mailbox Trash { + auto = subscribe + special_use = \Trash + } +} 
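Review bot: The new namespace declares Sent, Drafts and Trash with `special_use` but no Junk mailbox, so clients and any spam-filter delivery rule fall back to their own folder names; given the SpamAssassin hooks elsewhere in this install (`#SPAM_SCORE` in the exim template) a `mailbox Junk { auto = subscribe special_use = \Junk }` entry next to the others would keep the layout consistent. I cannot see the delivery-side rule from here, so confirm which folder name it targets before adding it. A short comment above `namespace {` stating that these folders are created on first login would also explain the "folders creation" fix to the next reader.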
From 8cf066ad9a31c51521704440562c6887a1312e9f Mon Sep 17 00:00:00 2001 From: Alexandros Ioannides Date: Wed, 23 Nov 2016 16:40:56 +0200 Subject: [PATCH 07/11] Fix Gmail issue with IPv6 --- install/ubuntu/16.04/exim/exim4.conf.template | 1 + 1 file changed, 1 insertion(+) diff --git a/install/ubuntu/16.04/exim/exim4.conf.template b/install/ubuntu/16.04/exim/exim4.conf.template index f515fb18f..0e2f2e1d4 100644 --- a/install/ubuntu/16.04/exim/exim4.conf.template +++ b/install/ubuntu/16.04/exim/exim4.conf.template @@ -8,6 +8,7 @@ #SPAM_SCORE = 50 #CLAMD = yes +disable_ipv6 = true domainlist local_domains = dsearch;/etc/exim4/domains/ domainlist relay_to_domains = dsearch;/etc/exim4/domains/ hostlist relay_from_hosts = 127.0.0.1 From 272774e8808f9115d9fba44ff70ca3b88ad09f11 Mon Sep 17 00:00:00 2001 From: Alexandros Ioannides Date: Wed, 23 Nov 2016 16:47:30 +0200 Subject: [PATCH 08/11] Security enhancements --- install/ubuntu/16.04/vsftpd/vsftpd.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/install/ubuntu/16.04/vsftpd/vsftpd.conf b/install/ubuntu/16.04/vsftpd/vsftpd.conf index 1ca1a9923..034b016d2 100644 --- a/install/ubuntu/16.04/vsftpd/vsftpd.conf +++ b/install/ubuntu/16.04/vsftpd/vsftpd.conf @@ -17,10 +17,11 @@ tcp_wrappers=YES force_dot_files=YES ascii_upload_enable=YES ascii_download_enable=YES -#allow_writable_chroot=YES allow_writeable_chroot=YES seccomp_sandbox=NO pasv_enable=YES -pasv_max_port=12100 pasv_min_port=12000 +pasv_max_port=12100 +max_per_ip=10 +max_clients=100 use_localtime=YES From de54d6d8bf6dee996fb8adf2567cfd3eb734f701 Mon Sep 17 00:00:00 2001 From: Alexandros Ioannides Date: Wed, 23 Nov 2016 17:21:36 +0200 Subject: [PATCH 09/11] Minor tweaks --- install/ubuntu/16.04/roundcube/main.inc.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/install/ubuntu/16.04/roundcube/main.inc.php b/install/ubuntu/16.04/roundcube/main.inc.php index 97cdbf2df..44b19793f 100644 
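Review bot: `disable_ipv6 = true` switches off IPv6 for all of Exim's listening and delivery, not only for the Gmail deliveries the subject mentions, and the line carries no comment, so a maintainer who later sets up proper AAAA/PTR records has no cue that the switch can be removed. Suggest `# IPv4 only: Gmail rejects mail from IPv6 senders without matching PTR/AAAA records; drop once reverse DNS is in place` above it (the missing reverse DNS is presumably the actual cause; confirm).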
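Review bot: For a commit titled "Security enhancements" the hunk leaves `allow_writeable_chroot=YES` and `seccomp_sandbox=NO` in place; both turn off vsftpd defaults that exist for defence in depth (vsftpd refuses a writable chroot root by default, and the seccomp filter limits what a compromised worker can do), while the new `max_per_ip=10`/`max_clients=100` lines are resource limits rather than hardening. If the writable chroot is unavoidable because user homes are the chroot root, state that in a comment, e.g. `# user homes are the chroot root and must stay writable`, and re-test whether `seccomp_sandbox=NO` is still needed with the vsftpd shipped on 16.04 — it was typically disabled to work around older kernel/seccomp problems (confirm). The reordering of `pasv_min_port`/`pasv_max_port` is cosmetic; note that the range must also be open in the firewall template, which I cannot see here.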
--- a/install/ubuntu/16.04/roundcube/main.inc.php +++ b/install/ubuntu/16.04/roundcube/main.inc.php @@ -448,7 +448,7 @@ $rcmail_config['create_default_folders'] = true; $rcmail_config['protect_default_folders'] = true; // if in your system 0 quota means no limit set this option to true -$rcmail_config['quota_zero_as_unlimited'] = false; +$rcmail_config['quota_zero_as_unlimited'] = true; // Make use of the built-in spell checker. It is based on GoogieSpell. // Since Google only accepts connections over https your PHP installatation @@ -724,8 +724,8 @@ $rcmail_config['htmleditor'] = 0; // show pretty dates as standard $rcmail_config['prettydate'] = true; -// save compose message every 300 seconds (5min) -$rcmail_config['draft_autosave'] = 300; +// save compose message every 30 seconds +$rcmail_config['draft_autosave'] = 30; // default setting if preview pane is enabled $rcmail_config['preview_pane'] = false; From 574eb894b954eba5b8d4de37fdf5ec758fc12d92 Mon Sep 17 00:00:00 2001 From: Alexandros Ioannides Date: Wed, 23 Nov 2016 17:25:05 +0200 Subject: [PATCH 10/11] Fix It was required in the past (relevant thread was once posted in the Forum). --- install/ubuntu/16.04/pma/apache.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ubuntu/16.04/pma/apache.conf b/install/ubuntu/16.04/pma/apache.conf index 2a8f69e25..4da6ce849 100644 --- a/install/ubuntu/16.04/pma/apache.conf +++ b/install/ubuntu/16.04/pma/apache.conf @@ -15,7 +15,7 @@ Alias /phpmyadmin /usr/share/phpmyadmin php_admin_flag allow_url_fopen Off php_value include_path . php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp - php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext + php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext:/usr/share/javascript/ From f04574d1f855efd98d45a17c024223a92a01bff0 Mon Sep 17 00:00:00 2001 
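Review bot: The widened `open_basedir` now admits `/usr/share/javascript/`, and the only justification is the commit body's "it was required in the past", which leaves the next reader unsure whether the entry is still needed. Add a comment naming the consumer, e.g. `# phpMyAdmin loads packaged JS libraries from /usr/share/javascript/` (confirm it still does on 16.04), or verify against the current package and drop the entry. open_basedir is a containment boundary, so each added prefix deserves a stated reason even when it points at a read-only system directory.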
From: Alexandros Ioannides
Date: Wed, 23 Nov 2016 17:35:07 +0200
Subject: [PATCH 11/11] Better compression

---
 func/main.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/func/main.sh b/func/main.sh
index b2a59e92a..99fb90b26 100644
--- a/func/main.sh
+++ b/func/main.sh
@@ -2,7 +2,7 @@
 # Internal variables
 HOMEDIR='/home'
 BACKUP='/backup'
-BACKUP_GZIP=5
+BACKUP_GZIP=9
 BACKUP_DISK_LIMIT=95
 BACKUP_LA_LIMIT=5
 RRD_STEP=300
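Review bot: `BACKUP_GZIP=9` trades a small size gain for noticeably more CPU time per backup (gzip's top levels are typically several times slower than level 5 for a few percent smaller output), and since this file also sets `BACKUP_LA_LIMIT=5`, heavier compression makes it likelier that backups are prolonged or skipped on a loaded host — assuming that limit gates backup runs, which I cannot see from here. If the intent is better compression, a comment with the measured gain would justify the change; `BACKUP_GZIP=6` is the usual middle ground.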