After having installed ISPConfig 3 a couple of times, I'd say the defaults aren't correctly chosen, and somewhat outdated; we're living 4 years post Snowden by now. For people using nginx without Apache, for example, I'd say always default to SSL/TLS only, so
- redirect to https should always be enabled,
- spam and virus filtering should default to ON and default to sieve into the Junk folder, which should be created for Maildirs by dovecot.
- Let's Encrypt and SSL should be enabled by default, and be allowed for Clients (the Limits tab).
- Always enable SPDY, or rather its follow-up, http2.
It would save us so much clicking and tabbing for each new Client/Site/Mailbox etc. For some customers I've installed froxlor a couple of times; this has really good options for admins to pick the defaults. ISPConfig should have that too.
I do not agree with you. http is 2x faster than https. Only enable https when it is necessary. Whoever cares when you are reading public news?
============
HTTP 2205 bytes in 0.338 second response time
HTTPS 2205 bytes in 0.683 second response time
I'm afraid you're doing something terribly wrong then; https://scotthelme.co.uk/still-think-you-dont-need-https/
"Encryption used to introduce overheads. It's true that TLS used to be computationally expensive, but that's just no longer the case these days. Adam Langley from Google wrote about this back in 2010 (yes, 6 years ago!) when they moved GMail to HTTPS and he had this to say:
On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that. If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more."
I agree with loveless. There are experts you can hire for making your SSL/TLS responses fast (https://bettercrypto.org/). It is just a pain to integrate it in ISPConfig. Also, TLS settings and crypto are outdated/not executed with dovecot/postfix. Deploying better crypto is painful in ISPConfig (see my dovecot problem).