ssh public keys are base64 encoded, thus can potentially contain =.
until now the RSA keys generated by Debian were 2048 bits long and did
not need padding
with bullseye (openssh (1:8.0p1-1)) the RSA keysize got increased to
3072 bits, and now does contain a =
noticed while trying to join a PMG container from a bullseye template
to my existing cluster (the error happens on the new node).
Stoiko Ivanov [Wed, 30 Jun 2021 16:39:55 +0000 (18:39 +0200)]
config: freshclam: default to incremental downloads
clamav recently started yielding 429 (too many requests) response
codes on even comparatively low attempts to download the complete
signature files (cvd)(see [0]), instead of the incremental changes
(cdiff) (see [1] for some background)
changing the default to scriptedupdates (a.k.a. cdiff download) seems
sensible for most situations.
Stoiko Ivanov [Wed, 30 Jun 2021 15:42:57 +0000 (17:42 +0200)]
cluster: fix missing import
The missing use PMG::Ticket import is problematic during ACME cert
renewal from pmg-daily->PMG::API2::Certificates->renew_acme_cert,
since pmg-daily does not import it.
Reported-by: Martin Maurer <martin@proxmox.com> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Stoiko Ivanov [Mon, 17 May 2021 14:02:57 +0000 (16:02 +0200)]
fix #2013 spamreport: remove ticket if authmode is ldap
Currently the 'authmode' setting for the spamquarantine is not used
anywhere. According to documentation setting it to 'ldap' should allow
access to the quarantine only with ldap credentials.
This patch addresses the issue by not generating a quarantineticket,
and adapting all links accordingly if the authmode is 'ldap'.
tested by changing the authmode and running
`pmgqm send -receiver <email-address> -debug 1`
Stoiko Ivanov [Wed, 16 Jun 2021 18:36:40 +0000 (20:36 +0200)]
api: nodeconfig: validate acme config before writing
Currently it is possible to add the same domains as different
acmedomainX keys to the node config, which prevents the user from
ordering certificates later.
This patch adds a call to get_acme_conf, which does the semantic
validation (and is also used in all other sites, which read the
config).
Reported in our community forum:
https://forum.proxmox.com/threads/lets-encrypt-cert-on-gui-not-working.91014/
quickly tested in my setup, by successfully adding the same domain
twice without the patch, and failing to do so with it applied.
Thomas Lamprecht [Mon, 28 Jun 2021 12:15:28 +0000 (14:15 +0200)]
d/control: drop transitional apt-transport-https, provided by apt
It was actually integrated into apt quite a bit before version 2.0
but it does not really hurts and version 2 is available since Q1 2020
on sid, bullseye will have 2.2.x so using (>= 2~) is just fine.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stoiko Ivanov [Fri, 11 Jun 2021 15:54:46 +0000 (17:54 +0200)]
greylisting: drop unneeded Host column form cgreylist table
With the changes added in f61d54891d4820b21ef9e53f7ce0ebb1d5be1f73
greylisting does the matches based on a configurable netmask, and
does not use the 'Host' column in the cgreylist table anymore.
Drop it now with PMG 7.0
Quickly tested the following scenarios (all successfully):
* Upgrading from a previous version
* Restoring a pmg-backup taken with PMG 5.2 (the greylist table is
excluded from the backup)
* Adding a node with the changes to an existing cluster without the
change
* Adding a node without the changes to a master-node having them
Stoiko Ivanov [Mon, 31 May 2021 13:53:05 +0000 (13:53 +0000)]
utils: do not hardcode postgres version
PMG::Utils::lookup_real_service_name is only called
for translating the service names provided as arguments
to PMG::API2::Nodes::syslog (for fetching the journal
for specific units). Instead of hardcoding the
version getting it with a call to `psql` seems justified.
Stoiko Ivanov [Tue, 8 Jun 2021 17:25:29 +0000 (17:25 +0000)]
api: statistics: drop deprecated detail statistic methods
in e89b61c5190e3e374c2c3bcb3dce444c64c718cf we introduced a method
taking the address as explicit parameter instead of path component
(local-parts can contain '/'). now we can drop the old paths.
Stoiko Ivanov [Tue, 8 Jun 2021 16:06:50 +0000 (16:06 +0000)]
api: nodes: drop deprecated 'upgrade' option of termproxy
The termproxy api was adapted to the changes from PVE and PBS
in d9e79ff4b7f0f9b2c49f06484091546353980c5e
We can now drop the 'upgrade' option kept for backwards compatibility
archive in case it goes 404:
https://web.archive.org/web/20210408140341/https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html
* remove from freshclam.conf.in template
* remove from description
* default to 0 just to be sure
* if 'safebrowsing' set in pmg.conf, this is now ignored
note about removing the option in PMG 7.0
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
changed the removal notice form PMG 7.0 to 8.0 Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Reported in our community forum [0], support for wildcard certificates
via ACME sounds like a good enhancement (especially for PMG).
In order for this to work you need to configure the wild-card
sub-entry (*.domain.example) as ACME domains and be able to verify
that via a DNS Plugin.
This is best described in the announcement by Let's Encrypt announcing
wildcard certificate support [1], or the dns challenge type
documentation[2].
Quickly tested with a domain of mine (and the powerdns plugin)
Thomas Lamprecht [Mon, 22 Mar 2021 07:49:55 +0000 (08:49 +0100)]
fix #3164: api: quarantine: allow to return spam from all users
The pmail was only checked for the spam quarantine call, and there
mainly to ensure that the quarantine user only can check their own
mails. Make the pmail parameter also optional for this quarantine
related endpoint as long as one has a role other than quser.
This allows to query all spam quarantine entries from all pmails at
once, providing the backend side to address #3164.
The main argument against this was performance, but postgres can
handle even hundreds of thousands of rows rather fine, it's a high
performant database after all and this is quite the simple query
(single join, but no functions on columns, nested queries or other
performance hogs).
Some data, 45k records on a read limited disk, gathered with EXPLAIN
ANALYZE commands:
All caches dropped and fresh start: 440ms
Running for a bit with caches warm: 55ms
A simple extrapolation would mean that for half a million rows we
would spent about 5s in the DB, which is not too bad considering our
hard limit of 30s per requests, and the overhead of perl/https seems
to put the limit on my not so beefy VM at at least ~1.5 million rows
from a *cold* cache, which seems plenty (default 7 days keep window
and an avg. of 10 spam mails per day means >21k qusers). And with
warm caches and a beefier machine one can probably gain one or even
two order of magnitudes here.
And at the end, no mail admin is forced to use this and if they run a
setup with tens of millions of spam in their spam-keep time window,
well, they really should not be surprised that querying all has a
certain cost.
Stoiko Ivanov [Thu, 18 Mar 2021 15:14:49 +0000 (16:14 +0100)]
certs: reload postfix to activate new certificate
the current logic for reloading postfix only does so if the tls config
parameter changes (after rewriting the config files).
this does not cover the case where a certificate is replaced in a
setup, which already has tls enabled (config stays the same, so
postfix does not get reloaded)
the issue is mostly cosmetic, since postfix does eventually fork off
new smtpd instances, which read the files from disk, but it's
inconvenient, when trying out the new acme integration, and then
running a ssl-check on your PMG from external just to see that the
certificate was not updated.
Stoiko Ivanov [Thu, 18 Mar 2021 15:14:48 +0000 (16:14 +0100)]
cluster: use old and new fingerprint on master
when triggering a fingerprint update on master right after reloading
pmgproxy as we do for ACME certificates it can happen that the
connection is made against the old pmgproxy process (with the old
fingerprint). Simply trusting both fingerprints in that case seems
acceptable from a security perspective and makes the fingerprint
update more robust
projects / pmg-api.git / log