Bug? - ISPConfig removes main.cf customisations on UI config

Discussion in 'Installation/Configuration' started by Ondrej, Nov 9, 2025.

  1. Ondrej

    Ondrej New Member

    Not sure if feature or bug, but pretty annoying:

    1. create customised postfix main.cf lines in "/usr/local/ispconfig/server/conf-custom/install/postfix_main.cf.master"
    2. run "ispconfig_update.sh --force"
    3. verify your lines are reflected in "cat /etc/postfix/main.cf | grep 'xxx'"
    4. open ispconfig3 web ui and go to System / System Config
    5. switch the view to "Web" tab
    6. it triggers UI config change (red number upper right)
    7. the customised main.cf is gone and replaced with ispconfig3 default main.cf
    resulting in need to do "ispconfig_update.sh --force" every time you visit System Config and change tabs, even if you do not do any change at all.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's probably a bug, then when the conf-custom version is not used. I'll add it to our issue tracker.
     
    ahrasis likes this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, I just saw that you created an installer template and not a server template. Installer templates are for the installer and updater only; they do not get used by the server process. The server process does not use a template for main.cf.

    Any template you put in the folder /usr/local/ispconfig/server/conf-custom/install/ is used exclusively by the installer and the updater. Server process templates are in the folder /usr/local/ispconfig/server/conf-custom/

    So the question that remains is what got overwritten in main.cf, as the main.cf is not rewritten from scratch by the server process. What exactly did you change?
     
    ahrasis likes this.
  4. Jim Locke

    Jim Locke Member

    I'm curious about this, about to make some changes to main.cf and not wanting to have to verify my adjustments won't be overridden.
     
  5. remkoh

    remkoh Well-Known Member HowtoForge Supporter

    Depends on which settings you want to change.
    Many will be update proof but not all.
    Especially if a setting is related to something you can configure in ispconfig you should assume it won't be update proof.
    Or make it update proof by creating your own custom template in /usr/local/ispconfig/server/conf-custom/.
     
    ahrasis likes this.
  6. Jim Locke

    Jim Locke Member

    getting tls more up to date:
    smtp_tls_security_level = encrypt
    smtpd_tls_security_level = encrypt
    smtpd_tls_mandatory_protocols = >=TLSv1.2
    smtp_tls_mandatory_protocols = >=TLSv1.2
    smtpd_tls_protocols = >=TLSv1.2
    smtp_tls_protocols = >=TLSv1.2
    smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    That's update-safe, as it's not configured by ISPConfig.
     
    ahrasis and Jim Locke like this.
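
Added example (not part of any post in this thread, and not ISPConfig code): a shell check that the settings from post 6 are still the effective values in a main.cf after an update or a change in the UI. It reads the file with main.cf's own syntax rules; the `EXPECTED` list and the constructed sample file are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: detect drift in hand-made main.cf settings.
# EXPECTED repeats the level/protocol lines from post 6; extend it to your policy.
EXPECTED='smtp_tls_security_level = encrypt
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1.2
smtp_tls_protocols = >=TLSv1.2'

# effective_value FILE PARAM: print the value Postfix would take from FILE.
# Handles main.cf syntax: "#" comment lines, continuation lines (leading
# whitespace), and "the last definition of a parameter wins".
effective_value() {
  awk -v want="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]/ { if (cur != "") { sub(/^[ \t]+/, ""); val[cur] = val[cur] " " $0 }; next }
    { eq = index($0, "="); if (eq == 0) { cur = ""; next }
      cur = substr($0, 1, eq - 1); gsub(/[ \t]+$/, "", cur)
      v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); val[cur] = v }
    END { if (want in val) print val[want] }' "$1"
}

# check_maincf FILE: print one DRIFT line per expected parameter that is
# missing or changed; the exit status is the number of such parameters.
check_maincf() {
  drift=0
  while IFS= read -r line; do
    name=${line%% =*}
    want=${line#* = }
    got=$(effective_value "$1" "$name")
    if [ "$got" != "$want" ]; then
      echo "DRIFT $name: expected '$want', found '${got:-<unset>}'"
      drift=$((drift + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  return "$drift"
}

# Constructed sample: all six settings present, then a later line that
# overrides one of them (a plain grep for the original line would still match).
sample=$(mktemp)
{ printf '%s\n' "$EXPECTED"; echo 'smtpd_tls_security_level = may'; } >"$sample"
check_maincf "$sample" || echo "$? parameter(s) drifted"
rm -f "$sample"
```

On a live system, run `check_maincf /etc/postfix/main.cf` after `ispconfig_update.sh --force` or after saving in System Config; a non-zero exit status is the number of expected parameters that no longer hold.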
  8. Jim Locke

    Jim Locke Member

    Kind of curious as to why the 'How to perfect multi etc' doesn't refer to another doc and end of mail server setup or even have us do these things during install to better secure ie: TLS1 = poodle etc. Security Compliance is kind of a must these days. I understand it is more work but securing a novice from the get go would be beneficial to all.

    PS: Still the best platform to work with!
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig uses what the underlying Linux distribution considers a good and safe default. If you think you want a stricter setup, then you are always free to alter your system in any way you prefer.
     
    ahrasis and Jim Locke like this.
  10. Jim Locke

    Jim Locke Member

    All good till!
     
  11. remkoh

    remkoh Well-Known Member HowtoForge Supporter

    I can understand why the tutorials stay with system defaults. It gives the most broad support, even to older devices.
    I'm with you on making it more secure, phasing out settings that are generally considered out-of-date.
    Every webserver I install gets at least customized vhost templates. I also created a tutorial for serverwide /.well-known/security.txt.
    Giving websites a 100% score on internet.nl.
    Also mailservers get several changes in their config to be more compliant with today's security industry standard and scoring 100% on internet.nl (not sure what the default config scores though).
     
    ahrasis and Jim Locke like this.
