maybe chmod 0644 'amavis/conf.d/25-amavis_helpers'
maybe chmod 0644 'amavis/conf.d/30-template_localization'
maybe chmod 0644 'amavis/conf.d/50-user'
+maybe chmod 0644 'amavis/conf.d/50-user.2021.04.08.22.02.11'
maybe chmod 0755 'amavis/en_US'
maybe chmod 0644 'amavis/en_US/charset'
maybe chmod 0644 'amavis/en_US/template-auto-response.txt'
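Review bot: `amavis/conf.d/50-user` stays at mode 0644 and the new timestamped copy `50-user.2021.04.08.22.02.11` is also recorded as 0644, yet the amavis configuration added further down this page (apparently the new content of 50-user) sets `@storage_sql_dsn` with the database password in clear text. With these modes any local account can read the amavisd SQL credential. This list looks like etckeeper's generated metadata, so the fix belongs on the files themselves; afterwards the entries would read `maybe chgrp 'amavis' 'amavis/conf.d/50-user'` and `maybe chmod 0640 'amavis/conf.d/50-user'`, and likewise for the backup copy if it holds the password. The credential is also part of this repository's history now, so access to the repository needs to be as tight as access to the file, and rotating the password is worth considering.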
maybe chmod 0640 'chrony/chrony.keys'
maybe chmod 0755 'clamav'
maybe chmod 0644 'clamav/clamd.conf'
+maybe chmod 0644 'clamav/clamd.conf.2021.04.08.22.02.11'
maybe chown 'clamav' 'clamav/freshclam.conf'
maybe chgrp 'adm' 'clamav/freshclam.conf'
maybe chmod 0444 'clamav/freshclam.conf'
+maybe chmod 0444 'clamav/freshclam.conf.2021.04.08.22.02.11'
maybe chmod 0755 'clamav/onerrorexecute.d'
maybe chmod 0755 'clamav/onupdateexecute.d'
maybe chmod 0755 'clamav/virusevent.d'
maybe chmod 0640 'dovecot/dovecot-dict-auth.conf.ext'
maybe chgrp 'dovecot' 'dovecot/dovecot-dict-sql.conf.ext'
maybe chmod 0640 'dovecot/dovecot-dict-sql.conf.ext'
+maybe chown 'dovecot' 'dovecot/dovecot-last-login.conf'
+maybe chgrp 'dovecot' 'dovecot/dovecot-last-login.conf'
+maybe chmod 0500 'dovecot/dovecot-last-login.conf'
+maybe chown 'dovecot' 'dovecot/dovecot-master-users'
+maybe chgrp 'dovecot' 'dovecot/dovecot-master-users'
+maybe chmod 0500 'dovecot/dovecot-master-users'
+maybe chmod 0550 'dovecot/dovecot-mysql.conf'
+maybe chown 'dovecot' 'dovecot/dovecot-share-folder.conf'
+maybe chgrp 'dovecot' 'dovecot/dovecot-share-folder.conf'
+maybe chmod 0500 'dovecot/dovecot-share-folder.conf'
maybe chgrp 'dovecot' 'dovecot/dovecot-sql.conf.ext'
maybe chmod 0640 'dovecot/dovecot-sql.conf.ext'
-maybe chmod 0644 'dovecot/dovecot.conf'
+maybe chown 'dovecot' 'dovecot/dovecot-used-quota.conf'
+maybe chgrp 'dovecot' 'dovecot/dovecot-used-quota.conf'
+maybe chmod 0500 'dovecot/dovecot-used-quota.conf'
+maybe chmod 0664 'dovecot/dovecot.conf'
+maybe chmod 0644 'dovecot/dovecot.conf.2021.04.08.22.02.11'
maybe chmod 0700 'dovecot/private'
maybe chmod 0755 'dpkg'
maybe chmod 0644 'dpkg/dpkg.cfg'
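Review bot: `dovecot/dovecot.conf` moves from 0644 to 0664, which makes the main Dovecot configuration group-writable with no visible reason; no chgrp line is recorded for it, so the group is whatever the file already has. Keeping `maybe chmod 0644 'dovecot/dovecot.conf'` would be the safer state. The new `dovecot-last-login.conf`, `dovecot-master-users`, `dovecot-share-folder.conf` and `dovecot-used-quota.conf` entries use 0500 and `dovecot-mysql.conf` uses 0550, which puts execute bits on what appear to be plain configuration files; 0400 (or 0440) gives the same read access without marking them executable. `dovecot-mysql.conf` is the only one of these without a chown/chgrp line in this hunk, so it is worth confirming that its owner and group are the intended ones.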
maybe chmod 0644 'iproute2/rt_tables'
maybe chmod 0755 'iproute2/rt_tables.d'
maybe chmod 0644 'iproute2/rt_tables.d/README'
+maybe chmod 0644 'iredmail-release'
maybe chmod 0644 'issue'
maybe chmod 0644 'issue.net'
maybe chmod 0755 'kernel'
maybe chmod 0644 'logrotate.d/chrony'
maybe chmod 0644 'logrotate.d/clamav-daemon'
maybe chmod 0644 'logrotate.d/clamav-freshclam'
+maybe chmod 0644 'logrotate.d/dovecot'
maybe chmod 0644 'logrotate.d/dpkg'
+maybe chmod 0644 'logrotate.d/iredapd'
+maybe chmod 0644 'logrotate.d/mlmmjadmin'
maybe chmod 0644 'logrotate.d/mysql-server'
+maybe chmod 0644 'logrotate.d/netdata'
maybe chmod 0644 'logrotate.d/nginx'
maybe chmod 0644 'logrotate.d/php7.3-fpm'
maybe chmod 0644 'logrotate.d/rsyslog'
maybe chmod 0644 'mysql/mariadb.conf.d/50-mysql-clients.cnf'
maybe chmod 0644 'mysql/mariadb.conf.d/50-mysqld_safe.cnf'
maybe chmod 0644 'mysql/mariadb.conf.d/50-server.cnf'
+maybe chmod 0644 'mysql/my.cnf'
+maybe chmod 0644 'mysql/my.cnf.2021.04.08.22.02.11'
maybe chmod 0644 'mysql/my.cnf.fallback'
maybe chmod 0644 'nanorc'
maybe chmod 0755 'network'
maybe chmod 0644 'networks'
maybe chmod 0755 'nftables.conf'
maybe chmod 0755 'nginx'
+maybe chmod 0755 'nginx/conf-available'
+maybe chmod 0644 'nginx/conf-available/0-general.conf'
+maybe chmod 0644 'nginx/conf-available/cache.conf'
+maybe chmod 0644 'nginx/conf-available/client_max_body_size.conf'
+maybe chmod 0644 'nginx/conf-available/default_type.conf'
+maybe chmod 0644 'nginx/conf-available/gzip.conf'
+maybe chmod 0644 'nginx/conf-available/headers.conf'
+maybe chmod 0644 'nginx/conf-available/log.conf'
+maybe chmod 0644 'nginx/conf-available/mime_types.conf'
+maybe chmod 0644 'nginx/conf-available/php_fpm.conf'
+maybe chmod 0644 'nginx/conf-available/sendfile.conf'
+maybe chmod 0644 'nginx/conf-available/server_tokens.conf'
+maybe chmod 0644 'nginx/conf-available/types_hash_max_size.conf'
+maybe chmod 0755 'nginx/conf-enabled'
maybe chmod 0755 'nginx/conf.d'
maybe chmod 0644 'nginx/fastcgi.conf'
maybe chmod 0644 'nginx/fastcgi_params'
maybe chmod 0644 'nginx/mime.types'
maybe chmod 0755 'nginx/modules-available'
maybe chmod 0755 'nginx/modules-enabled'
+maybe chown 'www-data' 'nginx/netdata.users'
+maybe chgrp 'www-data' 'nginx/netdata.users'
+maybe chmod 0400 'nginx/netdata.users'
maybe chmod 0644 'nginx/nginx.conf'
+maybe chmod 0644 'nginx/nginx.conf.2021.04.08.22.02.11'
maybe chmod 0644 'nginx/proxy_params'
maybe chmod 0644 'nginx/scgi_params'
maybe chmod 0755 'nginx/sites-available'
-maybe chmod 0644 'nginx/sites-available/default'
+maybe chmod 0755 'nginx/sites-available.bak'
+maybe chmod 0644 'nginx/sites-available.bak/default'
+maybe chmod 0644 'nginx/sites-available/00-default-ssl.conf'
+maybe chmod 0644 'nginx/sites-available/00-default.conf'
maybe chmod 0755 'nginx/sites-enabled'
+maybe chmod 0755 'nginx/sites-enabled.bak'
maybe chmod 0755 'nginx/snippets'
maybe chmod 0644 'nginx/snippets/fastcgi-php.conf'
maybe chmod 0644 'nginx/snippets/snakeoil.conf'
+maybe chmod 0755 'nginx/templates'
+maybe chmod 0644 'nginx/templates/adminer.tmpl'
+maybe chmod 0644 'nginx/templates/fastcgi_php.tmpl'
+maybe chmod 0644 'nginx/templates/hsts.tmpl'
+maybe chmod 0644 'nginx/templates/iredadmin-subdomain.tmpl'
+maybe chmod 0644 'nginx/templates/iredadmin.tmpl'
+maybe chmod 0644 'nginx/templates/misc.tmpl'
+maybe chmod 0644 'nginx/templates/netdata-subdomain.tmpl'
+maybe chmod 0644 'nginx/templates/netdata.tmpl'
+maybe chmod 0644 'nginx/templates/php-catchall.tmpl'
+maybe chmod 0644 'nginx/templates/redirect_to_https.tmpl'
+maybe chmod 0644 'nginx/templates/roundcube-subdomain.tmpl'
+maybe chmod 0644 'nginx/templates/roundcube.tmpl'
+maybe chmod 0644 'nginx/templates/sogo-subdomain.tmpl'
+maybe chmod 0644 'nginx/templates/sogo.tmpl'
+maybe chmod 0644 'nginx/templates/ssl.tmpl'
+maybe chmod 0644 'nginx/templates/stub_status.tmpl'
maybe chmod 0644 'nginx/uwsgi_params'
maybe chmod 0644 'nginx/win-utf'
maybe chmod 0644 'nsswitch.conf'
maybe chmod 0755 'php/7.3/fpm/conf.d'
maybe chmod 0644 'php/7.3/fpm/php-fpm.conf'
maybe chmod 0644 'php/7.3/fpm/php.ini'
+maybe chmod 0644 'php/7.3/fpm/php.ini.2021.04.08.22.02.11'
maybe chmod 0755 'php/7.3/fpm/pool.d'
maybe chmod 0644 'php/7.3/fpm/pool.d/www.conf'
+maybe chmod 0644 'php/7.3/fpm/pool.d/www.conf.2021.04.08.22.02.11'
maybe chmod 0755 'php/7.3/mods-available'
maybe chmod 0644 'php/7.3/mods-available/calendar.ini'
maybe chmod 0644 'php/7.3/mods-available/ctype.ini'
maybe chmod 0644 'php/7.3/mods-available/xsl.ini'
maybe chmod 0644 'php/7.3/mods-available/zip.ini'
maybe chmod 0755 'postfix'
+maybe chmod 0644 'postfix/aliases'
+maybe chmod 0644 'postfix/aliases.db'
+maybe chgrp 'postfix' 'postfix/body_checks.pcre'
+maybe chmod 0640 'postfix/body_checks.pcre'
+maybe chmod 0644 'postfix/command_filter.pcre'
+maybe chmod 0755 'postfix/disclaimer'
+maybe chmod 0644 'postfix/disclaimer/default.txt'
maybe chmod 0644 'postfix/dynamicmaps.cf'
maybe chmod 0755 'postfix/dynamicmaps.cf.d'
+maybe chgrp 'postfix' 'postfix/header_checks'
+maybe chmod 0640 'postfix/header_checks'
+maybe chgrp 'postfix' 'postfix/helo_access.pcre'
+maybe chmod 0640 'postfix/helo_access.pcre'
+maybe chmod 0640 'postfix/helo_access.pcre.2021.04.08.22.02.11'
maybe chmod 0644 'postfix/main.cf'
+maybe chmod 0644 'postfix/main.cf.2021.04.08.22.02.11'
maybe chmod 0644 'postfix/main.cf.initial'
maybe chmod 0644 'postfix/main.cf.proto'
maybe chmod 0644 'postfix/master.cf'
+maybe chmod 0644 'postfix/master.cf.2021.04.08.22.02.11'
maybe chmod 0644 'postfix/master.cf.initial'
maybe chmod 0644 'postfix/master.cf.proto'
+maybe chmod 0755 'postfix/mysql'
+maybe chgrp 'postfix' 'postfix/mysql/catchall_maps.cf'
+maybe chmod 0640 'postfix/mysql/catchall_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/domain_alias_catchall_maps.cf'
+maybe chmod 0640 'postfix/mysql/domain_alias_catchall_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/domain_alias_maps.cf'
+maybe chmod 0640 'postfix/mysql/domain_alias_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/recipient_bcc_maps_domain.cf'
+maybe chmod 0640 'postfix/mysql/recipient_bcc_maps_domain.cf'
+maybe chgrp 'postfix' 'postfix/mysql/recipient_bcc_maps_user.cf'
+maybe chmod 0640 'postfix/mysql/recipient_bcc_maps_user.cf'
+maybe chgrp 'postfix' 'postfix/mysql/relay_domains.cf'
+maybe chmod 0640 'postfix/mysql/relay_domains.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_bcc_maps_domain.cf'
+maybe chmod 0640 'postfix/mysql/sender_bcc_maps_domain.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_bcc_maps_user.cf'
+maybe chmod 0640 'postfix/mysql/sender_bcc_maps_user.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_dependent_relayhost_maps.cf'
+maybe chmod 0640 'postfix/mysql/sender_dependent_relayhost_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_login_maps.cf'
+maybe chmod 0640 'postfix/mysql/sender_login_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/transport_maps_domain.cf'
+maybe chmod 0640 'postfix/mysql/transport_maps_domain.cf'
+maybe chgrp 'postfix' 'postfix/mysql/transport_maps_maillist.cf'
+maybe chmod 0640 'postfix/mysql/transport_maps_maillist.cf'
+maybe chgrp 'postfix' 'postfix/mysql/transport_maps_user.cf'
+maybe chmod 0640 'postfix/mysql/transport_maps_user.cf'
+maybe chgrp 'postfix' 'postfix/mysql/virtual_alias_maps.cf'
+maybe chmod 0640 'postfix/mysql/virtual_alias_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/virtual_mailbox_domains.cf'
+maybe chmod 0640 'postfix/mysql/virtual_mailbox_domains.cf'
+maybe chgrp 'postfix' 'postfix/mysql/virtual_mailbox_maps.cf'
+maybe chmod 0640 'postfix/mysql/virtual_mailbox_maps.cf'
maybe chmod 0755 'postfix/post-install'
maybe chmod 0644 'postfix/postfix-files'
maybe chmod 0755 'postfix/postfix-files.d'
maybe chmod 0644 'postfix/postfix-files.d/pcre.files'
maybe chmod 0644 'postfix/postfix-files.d/sqlite.files'
maybe chmod 0755 'postfix/postfix-script'
+maybe chmod 0644 'postfix/postscreen_access.cidr'
+maybe chmod 0644 'postfix/postscreen_dnsbl_reply'
maybe chmod 0755 'postfix/sasl'
+maybe chgrp 'postfix' 'postfix/sender_access.pcre'
+maybe chmod 0640 'postfix/sender_access.pcre'
maybe chmod 0755 'ppp'
maybe chmod 0755 'ppp/ip-down.d'
maybe chmod 0755 'ppp/ip-down.d/bind9'
maybe chmod 0644 'rpc'
maybe chmod 0644 'rsyslog.conf'
maybe chmod 0755 'rsyslog.d'
+maybe chmod 0644 'rsyslog.d/1-iredmail-dovecot.conf'
+maybe chmod 0644 'rsyslog.d/1-iredmail-iredapd.conf'
+maybe chmod 0644 'rsyslog.d/1-iredmail-mlmmjadmin.conf'
+maybe chmod 0644 'rsyslog.d/1-iredmail-phpfpm.conf'
maybe chmod 0644 'rsyslog.d/21-cloudinit.conf'
maybe chmod 0644 'rsyslog.d/60-default.conf'
maybe chmod 0644 'rsyslog.d/60-mail.conf'
maybe chmod 0644 'spamassassin/65_debian.cf'
maybe chmod 0644 'spamassassin/init.pre'
maybe chmod 0644 'spamassassin/local.cf'
+maybe chmod 0644 'spamassassin/local.cf.2021.04.08.22.02.11'
+maybe chmod 0644 'spamassassin/razor.conf'
maybe chmod 0755 'spamassassin/sa-update-hooks.d'
maybe chmod 0755 'spamassassin/sa-update-hooks.d/amavisd-new'
maybe chmod 0644 'spamassassin/v310.pre'
maybe chmod 0755 'ssl'
maybe chmod 0755 'ssl/certs'
maybe chmod 0644 'ssl/certs/ca-certificates.crt'
+maybe chmod 0644 'ssl/certs/iRedMail.crt'
maybe chmod 0644 'ssl/certs/ssl-cert-snakeoil.pem'
+maybe chmod 0644 'ssl/dh2048_param.pem'
+maybe chmod 0644 'ssl/dh512_param.pem'
maybe chmod 0644 'ssl/openssl.cnf'
maybe chgrp 'ssl-cert' 'ssl/private'
maybe chmod 0710 'ssl/private'
+maybe chmod 0644 'ssl/private/iRedMail.key'
maybe chgrp 'ssl-cert' 'ssl/private/ssl-cert-snakeoil.key'
maybe chmod 0640 'ssl/private/ssl-cert-snakeoil.key'
maybe chmod 0644 'subgid'
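Review bot: `ssl/private/iRedMail.key` is recorded as 0644 with no group line, while the snakeoil key directly below it is 0640 with group `ssl-cert`; only the 0710 mode of `ssl/private` keeps the new private key from being world-readable. A copy or restore that does not preserve the directory mode would expose the key. Tightening the file itself, so that the entry becomes `maybe chmod 0600 'ssl/private/iRedMail.key'` (or 0640 together with `maybe chgrp 'ssl-cert' 'ssl/private/iRedMail.key'` if services read it through that group), removes that dependency. Separately, the name `ssl/dh512_param.pem` suggests 512-bit Diffie-Hellman parameters, which are too small for TLS; if no service configuration still references the file, it would be better removed.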
maybe chmod 0644 'systemd/system/clamav-daemon.service.d/extend.conf'
maybe chmod 0755 'systemd/system/cloud-init.target.wants'
maybe chmod 0755 'systemd/system/getty.target.wants'
+maybe chmod 0755 'systemd/system/mariadb.service.d'
+maybe chmod 0644 'systemd/system/mariadb.service.d/override.conf'
maybe chmod 0755 'systemd/system/multi-user.target.wants'
+maybe chmod 0755 'systemd/system/netdata.service.d'
+maybe chmod 0644 'systemd/system/netdata.service.d/limits.conf'
maybe chmod 0755 'systemd/system/network-online.target.wants'
maybe chmod 0755 'systemd/system/sockets.target.wants'
maybe chmod 0755 'systemd/system/sysinit.target.wants'
use strict;
+# controls running of anti-virus/spam code: 0 -> enabled, 1 -> disabled.
+@bypass_virus_checks_maps = (0);
+@bypass_spam_checks_maps = (0);
+# $bypass_decode_parts = 1; # controls running of decoders&dearchivers
+
+$daemon_user = 'amavis';
+$daemon_group = 'amavis';
+
+# Set hostname.
+$myhostname = 'helga.uhu-banane.de';
+$mydomain = $myhostname;
+$localhost_name = $myhostname;
+
+#
+# NOTE: $MYHOME/{tmp,var,db} must be created manually
+#
+$MYHOME = '/var/lib/amavis';
+$TEMPBASE = '/var/lib/amavis/tmp'; # working directory, needs to exist, -T
+$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc.
+$db_home = '/var/lib/amavis/db'; # dir for bdb nanny/cache/snmp databases, -D
+$QUARANTINEDIR = '/var/lib/amavis/quarantine'; # -Q
+$quarantine_subdir_levels = 2; # add level of subdirs to disperse quarantine
+# $release_format = 'resend'; # 'attach', 'plain', 'resend'
+# $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf'
+# $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R
+# $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S
+
+$lock_file = '/var/run/amavis/amavisd.lock'; # -L
+$pid_file = '/var/run/amavis/amavisd.pid'; # -P
+
+@local_domains_maps = 1;
+@mynetworks = qw( 127.0.0.0/8 [::1] 127.0.0.1 );
+
+# Socket file, used by amavisd-release or amavis-milter.
+$unix_socketname = '/var/run/amavis/amavisd.socket';
+
+#
+# BDB
+#
+$enable_db = 0; # enable use of BerkeleyDB/libdb (SNMP and nanny)
+$nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed
+
+$inet_socket_port = [10024, 10026, 10027, 9998];
+
+$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
+ originating => 1, # is true in MYNETS by default, but let's make it explicit
+ os_fingerprint_method => undef, # don't query p0f for internal clients
+ allow_disclaimers => 1, # enables disclaimer insertion if available
+ enable_dkim_signing => 1,
+};
+
+# Postfix will re-route mail from authenticated users to this port.
+$interface_policy{'10026'} = 'ORIGINATING';
+$policy_bank{'ORIGINATING'} = {
+ originating => 1, # declare that mail was submitted by our smtp client
+ allow_disclaimers => 1, # enables disclaimer insertion if available
+ enable_dkim_signing => 1,
+
+ # notify administrator of locally originating malware
+ spam_admin_maps => ["root\@$mydomain"],
+ # notify administrator of locally originating malware
+ virus_admin_maps => ["root\@$mydomain"],
+ spam_admin_maps => ["root\@$mydomain"],
+ bad_header_admin_maps => ["root\@$mydomain"],
+ banned_admin_maps => ["root\@$mydomain"],
+ warnbadhsender => 0,
+ warnbannedsender => 0,
+
+ # force MTA conversion to 7-bit (e.g. before DKIM signing)
+ smtpd_discard_ehlo_keywords => ['8BITMIME'],
+ terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
+
+ # Bypass checks
+ #bypass_spam_checks_maps => [1], # don't check spam
+ #bypass_virus_checks_maps => [1], # don't check virus
+ #bypass_banned_checks_maps => [1], # don't check banned file names and types
+ #bypass_header_checks_maps => [1], # don't check bad header
+};
+
+$interface_policy{'10027'} = 'MLMMJ';
+$policy_bank{'MLMMJ'} = {
+ originating => 1, # declare that mail was submitted by our smtp client
+ allow_disclaimers => 0, # we use 'mlmmj-amime-receive' program to handle disclaimer/footer
+ enable_dkim_signing => 1, # enable DKIM signing for outbound
+ virus_admin_maps => ["root\@$mydomain"],
+ spam_admin_maps => ["root\@$mydomain"],
+ smtpd_discard_ehlo_keywords => ['8BITMIME'],
+ terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
+ # re-inject processed email to Postfix, with address mapping enabled.
+ forward_method => 'smtp:[127.0.0.1]:10028',
+ # Amavisd performs the checks for email sent to mailing list, so no need to
+ # check again for outbound.
+ bypass_spam_checks_maps => [1], # don't check spam
+ bypass_virus_checks_maps => [1], # don't check virus
+ bypass_banned_checks_maps => [1], # don't check banned file names and types
+ bypass_header_checks_maps => [1], # don't check bad header
+};
+
+$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
+
+# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
+# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
+$policy_bank{'AM.PDP-SOCK'} = {
+ protocol => 'AM.PDP',
+ auth_required_release => 0, # do not require secret_id for amavisd-release
+};
+
+$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level
+$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)
+$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
+$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
+#$sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
+
+$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
+$sa_local_tests_only = 0; # only tests which do not require internet access?
+
+$virus_admin = undef; # notifications recip.
+
+$mailfrom_notify_admin = undef; # notifications sender
+$mailfrom_notify_recip = undef; # notifications sender
+$mailfrom_notify_spamadmin = undef; # notifications sender
+$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
+
+@addr_extension_virus_maps = ('virus');
+@addr_extension_banned_maps = ('banned');
+@addr_extension_spam_maps = ('spam');
+@addr_extension_bad_header_maps = ('badh');
+# $recipient_delimiter = '+'; # undef disables address extensions altogether
+# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
+
+$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
+# $dspam = 'dspam';
+
+$MAXLEVELS = 14;
+$MAXFILES = 3000;
+$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
+$MAX_EXPANSION_QUOTA = 500*1024*1024; # bytes (default undef, not enforced)
+
+# Prepend '[SPAM] ' to subject of spam message.
+$sa_spam_modifies_subj = 1;
+$sa_spam_subject_tag = '[SPAM] ';
+
+$defang_virus = 1; # MIME-wrap passed infected mail
+$defang_banned = 0; # MIME-wrap passed mail containing banned name
+# for defanging bad headers only turn on certain minor contents categories:
+$defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header
+$defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters
+$defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error
+
+@keep_decoded_original_maps = (new_RE(
+ # let virus scanner (clamav) see full original message (can be slow)
+ # this setting is required if we're going to use third-party clamav
+ # signatures. for example, Sanesecurity signatures.
+ # FYI: http://sanesecurity.com/support/signature-testing/
+ #qr'^MAIL$',
+
+ qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
+ qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
+ #qr'^Zip archive data', # don't trust Archive::Zip
+));
+
+$banned_filename_re = new_RE(
+
+### BLOCKED ANYWHERE
+# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
+ qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
+# qr'^\.(exe|lha|cab|dll)$', # banned file(1) types
+
+### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
+# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2
+ [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
+
+ qr'.\.(pif|scr)$'i, # banned extensions - rudimentary
+# qr'^\.zip$', # block zip type
+
+### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
+# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives
+
+ qr'^application/x-msdownload$'i, # block these MIME types
+ qr'^application/x-msdos-program$'i,
+ qr'^application/hta$'i,
+
+# qr'^message/partial$'i, # rfc2046 MIME type
+# qr'^message/external-body$'i, # rfc2046 MIME type
+
+# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type
+# qr'^\.wmf$', # Windows Metafile file(1) type
+
+ # block certain double extensions in filenames
+ qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
+
+# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
+# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose
+
+ qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic
+# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
+# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
+# inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
+# msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
+# wmf|wsc|wsf|wsh)$'ix, # banned extensions - long
+# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also
+# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename
+# qr'^\.ani$', # banned animated cursor file(1) type
+# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
+);
+# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
+# and http://www.cknow.com/vtutor/vtextensions.htm
+
+
+# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
+
+@score_sender_maps = ({ # a by-recipient hash lookup table,
+ # results from all matching recipient tables are summed
+
+# ## per-recipient personal tables (NOTE: positive: black, negative: white)
+# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
+# 'user3@example.com' => [{'.ebay.com' => -3.0}],
+# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
+# '.cleargreen.com' => -5.0}],
+
+ ## site-wide opinions about senders (the '.' matches any recipient)
+ '.' => [ # the _first_ matching sender determines the score boost
+
+ new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
+ [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
+ [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
+ [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
+ [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
+ [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
+ [qr'^(your_friend|greatoffers)@'i => 5.0],
+ [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
+ ),
+
+ #read_hash("/var/amavis/sender_scores_sitewide"),
+
+ { # a hash-type lookup table (associative array)
+ 'nobody@cert.org' => -3.0,
+ 'cert-advisory@us-cert.gov' => -3.0,
+ 'owner-alert@iss.net' => -3.0,
+ 'slashdot@slashdot.org' => -3.0,
+ 'securityfocus.com' => -3.0,
+ 'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
+ 'security-alerts@linuxsecurity.com' => -3.0,
+ 'mailman-announce-admin@python.org' => -3.0,
+ 'amavis-user-admin@lists.sourceforge.net'=> -3.0,
+ 'amavis-user-bounces@lists.sourceforge.net' => -3.0,
+ 'spamassassin.apache.org' => -3.0,
+ 'notification-return@lists.sophos.com' => -3.0,
+ 'owner-postfix-users@postfix.org' => -3.0,
+ 'owner-postfix-announce@postfix.org' => -3.0,
+ 'owner-sendmail-announce@lists.sendmail.org' => -3.0,
+ 'sendmail-announce-request@lists.sendmail.org' => -3.0,
+ 'donotreply@sendmail.org' => -3.0,
+ 'ca+envelope@sendmail.org' => -3.0,
+ 'noreply@freshmeat.net' => -3.0,
+ 'owner-technews@postel.acm.org' => -3.0,
+ 'ietf-123-owner@loki.ietf.org' => -3.0,
+ 'cvs-commits-list-admin@gnome.org' => -3.0,
+ 'rt-users-admin@lists.fsck.com' => -3.0,
+ 'clp-request@comp.nus.edu.sg' => -3.0,
+ 'surveys-errors@lists.nua.ie' => -3.0,
+ 'emailnews@genomeweb.com' => -5.0,
+ 'yahoo-dev-null@yahoo-inc.com' => -3.0,
+ 'returns.groups.yahoo.com' => -3.0,
+ 'clusternews@linuxnetworx.com' => -3.0,
+ lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
+ lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
+
+ # soft-blacklisting (positive score)
+ 'sender@example.net' => 3.0,
+ '.example.net' => 1.0,
+
+ },
+ ], # end of site-wide tables
+});
+
+
+@decoders = (
+ ['mail', \&do_mime_decode],
+# [[qw(asc uue hqx ync)], \&do_ascii], # not safe
+ ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
+ ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
+ ['gz', \&do_uncompress, 'gzip -d'],
+ ['gz', \&do_gunzip],
+ ['bz2', \&do_uncompress, 'bzip2 -d'],
+ ['xz', \&do_uncompress,
+ ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
+ ['lzma', \&do_uncompress,
+ ['lzmadec', 'xz -dc --format=lzma',
+ 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
+ ['lrz', \&do_uncompress,
+ ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
+ ['lzo', \&do_uncompress, 'lzop -d'],
+ ['lz4', \&do_uncompress, ['lz4c -d'] ],
+ ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
+ [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
+ # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
+ ['deb', \&do_ar, 'ar'],
+# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill
+ ['rar', \&do_unrar, ['unrar', 'rar'] ],
+ ['arj', \&do_unarj, ['unarj', 'arj'] ],
+ ['arc', \&do_arc, ['nomarch', 'arc'] ],
+ ['zoo', \&do_zoo, ['zoo', 'unzoo'] ],
+# ['doc', \&do_ole, 'ripole'], # no ripole package so far
+ ['cab', \&do_cabextract, 'cabextract'],
+# ['tnef', \&do_tnef_ext, 'tnef'], # use internal do_tnef() instead
+ ['tnef', \&do_tnef],
+# ['lha', \&do_lha, 'lha'], # not safe, use 7z instead
+# ['sit', \&do_unstuff, 'unstuff'], # not safe
+ [['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
+ [['zip','kmz'], \&do_unzip],
+ ['7z', \&do_7zip, ['7zr', '7za', '7z'] ],
+ [[qw(gz bz2 Z tar)],
+ \&do_7zip, ['7za', '7z'] ],
+ [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
+ \&do_7zip, '7z' ],
+ ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
+);
+
+$notify_method = 'smtp:[127.0.0.1]:10025';
+$forward_method = 'smtp:[127.0.0.1]:10025';
+
+# Mark Spam/Virus with third-party clamav signatures: SaneSecurity.
+# *) The order matters, first match wins. Set to 'undef' to keep as infected
+# *) Anything declared as undefined will be marked as a virus
+@virus_name_to_spam_score_maps =(new_RE(
+ # SaneSecurity + Foxhole
+ [ qr'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.' => undef ],
+ [ qr'^Sanesecurity\.MalwareHash\.' => undef ],
+ [ qr'^Sanesecurity.TestSig_' => undef ],
+ [ qr'^Sanesecurity\.' => 0.1 ],
+
+ # winnow
+ [ qr'^winnow\.(Exploit|Trojan|malware)\.' => undef ],
+ [ qr'^winnow\.(botnet|compromised|trojan)' => undef ],
+ [ qr'^winnow\.(exe|ms|JS)\.' => undef ],
+ [ qr'^winnow\.phish\.' => 3.0 ],
+ [ qr'^winnow\.' => 0.1 ],
+
+ # bofhland
+ [ qr'^Bofhland\.Malware\.' => undef ],
+ [ qr'^BofhlandMWFile' => undef ],
+ [ qr'^Bofhland\.Phishing\.' => 3.0 ],
+ [ qr'^Bofhland\.' => 0.1 ],
+
+ # porcupine.ndb
+ [ qr'^Porcupine\.(Malware|Trojan)\.' => undef ],
+ [ qr'^Porcupine\.(Junk|Spammer)\.' => 3.0 ],
+ [ qr'^Porcupine\.Phishing\.' => 3.0 ],
+ [ qr'^Porcupine\.' => 0.01 ],
+
+ # phishtank.ndb
+ [ qr'^PhishTank\.Phishing\.' => 3.0 ],
+
+ # SecuriteInfo
+ [ qr'^SecuriteInfo\.com\.Spam' => 3.0 ],
+
+ # Others
+ [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ],
+ [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ],
+ [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ],
+ [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
+ [ qr'^Email\.Spammail\b' => 0.1 ],
+ [ qr'^MSRBL-(Images|SPAM)\b' => 0.1 ],
+ [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ],
+ [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
+ [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ],
+ [ qr'^Safebrowsing\.' => 0.1 ],
+ [ qr'^INetMsg\.SpamDomain' => 0.1 ],
+ [ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'=> 0.1 ],
+ [ qr'^ScamNailer\.' => 0.1 ],
+ [ qr'^HTML/Bankish' => 0.1 ],
+ [ qr'(-)?SecuriteInfo\.com(\.|\z)' => undef ],
+ [ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ],
+ [ qr'^MBL_' => undef ],
+));
+
+@av_scanners = (
+ ['clamav-socket',
+ \&ask_daemon, ["CONTSCAN {}\n", '/var/run/clamav/clamd.ctl'],
+ qr/\bOK$/m,
+ qr/\bFOUND$/m,
+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+);
+
+@av_scanners_backup = (
+ ['clamav-clamscan', 'clamscan',
+ "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
+);
+
+#
+# Port used to release quarantined mails.
+#
+$interface_policy{'9998'} = 'AM.PDP-INET';
+$policy_bank{'AM.PDP-INET'} = {
+ protocol => 'AM.PDP', # select Amavis policy delegation protocol
+ auth_required_release => 1, # 0 - don't require secret_id for amavisd-release
+ #log_level => 4,
+ #always_bcc_by_ccat => {CC_CLEAN, 'admin@example.com'},
+};
+
+#########################
+# Default action applied to detected spam/virus/banned/bad-header, and how to
+# quarantine them
+#
+# Available actions:
+#
+# - D_PASS: Mail will pass to recipients, regardless of bad contents.
+# If a quarantine is configured, a copy of the mail will go there.
+# Note that including a recipient in a @*_lovers_maps is
+# functionally equivalent to setting '*_destiny = D_PASS;'
+# for that recipient.
+#
+# - D_BOUNCE: Mail will not be delivered to its recipients. A non-delivery
+# notification (bounce) will be created and sent to the sender.
+#
+# - D_REJECT: Mail will not be delivered to its recipients. Amavisd will
+# send the typical 55x reject response to the upstream MTA and
+# that MTA may create a reject notice (bounce) and return it to
+# the sender.
+# This notice is not as informative as the one created using
+# D_BOUNCE, so usually D_BOUNCE is preferred over D_REJECT.
+# If a quarantine is configured, a copy of the mail will go
+# there, if not mail message will be lost, but the sender should
+# be notified their message was rejected.
+#
+# - D_DISCARD: Mail will not be delivered to its recipients and the sender
+# normally will NOT be notified.
+# If a quarantine is configured, a copy of the mail will go
+# there, if not mail message will be lost. Note that there are
+# additional settings available that can send notifications to
+# persons that normally may not be notified when an undesirable
+# message is found, so it is possible to notify the sender even
+# when using D_DISCARD.
+#
+# Where to store quarantined mail message:
+#
+# - 'local:spam-%i-%m', quarantine mail on local file system.
+# - 'sql:', quarantine mail in SQL server specified in @storage_sql_dsn.
+# - undef, do not quarantine mail.
+
+# SPAM.
+$final_spam_destiny = D_DISCARD;
+$spam_quarantine_method = 'sql:';
+$spam_quarantine_to = 'spam-quarantine';
+
+# Virus
+$final_virus_destiny = D_DISCARD;
+$virus_quarantine_method = 'sql:';
+$virus_quarantine_to = 'virus-quarantine';
+
+# Banned
+$final_banned_destiny = D_DISCARD;
+$banned_files_quarantine_method = 'sql:';
+$banned_quarantine_to = 'banned-quarantine';
+
+# Bad header.
+$final_bad_header_destiny = D_DISCARD;
+$bad_header_quarantine_method = 'sql:';
+$bad_header_quarantine_to = 'bad-header-quarantine';
+
+#########################
+# Quarantine CLEAN mails.
+# Don't forget to enable clean quarantine in policy bank 'MYUSERS'.
+#
+#$clean_quarantine_method = 'sql:';
+#$clean_quarantine_to = 'clean-quarantine';
+
+# a string to prepend to Subject (for local recipients only) if mail could
+# not be decoded or checked entirely, e.g. due to password-protected archives
+#$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it
+$undecipherable_subject_tag = undef;
+
+# Hope to fix 'nested MAIL command' issue on high load server.
+$smtp_connection_cache_enable = 0;
+
+# The default set of header fields to be signed can be controlled
+# by setting %signed_header_fields elements to true (to sign) or
+# to false (not to sign). Keys must be in lowercase, e.g.:
+# 0 -> off
+# 1 -> on
+$signed_header_fields{'received'} = 0;
+$signed_header_fields{'to'} = 1;
+$signed_header_fields{'from'} = 1;
+$signed_header_fields{'subject'} = 1;
+$signed_header_fields{'message-id'} = 1;
+$signed_header_fields{'content-type'} = 1;
+$signed_header_fields{'date'} = 1;
+$signed_header_fields{'mime-version'} = 1;
+
#
-# Place your configuration directives here. They will override those in
-# earlier files.
+# DKIM
+#
+# Enable DKIM verification globally.
+$enable_dkim_verification = 1;
+
+# Disable DKIM signing globally, because it's controlled per policy bank.
+#$enable_dkim_signing = 1;
+
+# Add dkim_key here.
+dkim_key('brehm-berlin.de', 'dkim', '/var/lib/dkim/brehm-berlin.de.pem');
+
+@dkim_signature_options_bysender_maps = ({
+ # 'd' defaults to a domain of an author/sender address,
+ # 's' defaults to whatever selector is offered by a matching key
+
+ # Per-domain dkim key
+ #"domain.com" => { d => "domain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
+
+ # catch-all (one dkim key for all domains)
+ '.' => {d => 'brehm-berlin.de',
+ a => 'rsa-sha256',
+ c => 'relaxed/simple',
+ ttl => 30*24*3600 },
+});
+
#
-# See /usr/share/doc/amavisd-new/ for documentation and examples of
-# the directives you can use in this file
+# Disclaimer settings
#
+# Uncomment below line to enable singing disclaimer in outgoing mails.
+#$defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];
+
+# Program used to signing disclaimer in outgoing mails.
+$altermime = '/usr/bin/altermime';
+
+# Disclaimer in plain text formart.
+@altermime_args_disclaimer = qw(--disclaimer=/etc/postfix/disclaimer/_OPTION_.txt --disclaimer-html=/etc/postfix/disclaimer/_OPTION_.txt --force-for-bad-html);
+
+@disclaimer_options_bysender_maps = ({
+ # Per-domain, per-user disclaimer setting:
+ # '<domain>' => /path/to/disclaimer.txt,
+ # '<email>' => /path/to/disclaimer.txt,
+
+ # Catch-all disclaimer setting: /etc/postfix/disclaimer/default.txt
+ '.' => 'default',
+},);
+
+$sql_allow_8bit_address = 1;
+$timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
+
+# Reporting and quarantining.
+@storage_sql_dsn = (['DBI:mysql:database=amavisd;host=127.0.0.1;port=3306', 'amavisd', 'zgBEdCOURV8TveGk4KIWPjQFYLk745IJ']);
+
+# Lookup for per-recipient, per-domain and global policy.
+@lookup_sql_dsn = @storage_sql_dsn;
+
+# Don't send email with subject "UNCHECKED contents in mail FROM xxx".
+delete $admin_maps_by_ccat{&CC_UNCHECKED};
+
+# Do not notify administrator about SPAM/VIRUS from remote servers.
+$virus_admin = undef;
+$spam_admin = undef;
+$banned_admin = undef;
+$bad_header_admin = undef;
+
+#
+# Pre-define some policy banks.
+#
+# You can assign certain policy banks to clients/senders you want to whitelist
+# with parameter `@client_ipaddr_policy` and @author_to_policy_bank_maps.
+$policy_bank{'FULL_WHITELIST'} = {
+ bypass_spam_checks_maps => [1],
+ spam_lovers_maps => [1],
+ bypass_decode_parts => 1,
+ bypass_virus_checks_maps => [1],
+ virus_lovers_maps => [1],
+ bypass_banned_checks_maps => [1],
+ banned_files_lovers_maps => [1],
+ bypass_header_checks_maps => [1],
+ bad_header_lovers_maps => [1],
+};
+
+$policy_bank{'NO_SPAM_CHECK'} = {
+ bypass_spam_checks_maps => [1],
+ spam_lovers_maps => [1],
+};
+
+$policy_bank{'NO_VIRUS_CHECK'} = {
+ bypass_decode_parts => 1,
+ bypass_virus_checks_maps => [1],
+ virus_lovers_maps => [1],
+};
+
+$policy_bank{'NO_BANNED_CHECK'} = {
+ bypass_banned_checks_maps => [1],
+ banned_files_lovers_maps => [1],
+};
+
+$policy_bank{'NO_BAD_HEADER_CHECK'} = {
+ bypass_header_checks_maps => [1],
+ bad_header_lovers_maps => [1],
+};
+
+#$policy_bank{'MILD_WHITELIST'} = {
+# score_sender_maps => [ { '.' => [-1.8] } ],
+#};
+
+#
+# Logging
+#
+$do_syslog = 1; # log via syslogd (preferred)
+$syslog_facility = 'mail'; # Syslog facility as a string
+$log_level = 0; # Amavisd log level.
+ # Verbosity: 0, 1, 2, 3, 4, 5.
+$sa_debug = 0; # SpamAssassin debugging (require $log_level).
+ # Default if off (0).
+
+# Amavisd on some Linux/BSD distribution use $banned_namepath_re instead of
+# $banned_filename_re, so we define some blocked file types here.
+#
+# Sample input for $banned_namepath_re:
+#
+# P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/octet-stream\tT=dat\tN=my_docum.zip
+# P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/zip,T=zip,N=FedEx_00628727.zip | P=p005,L=1/2/2,T=asc,N=FedEx_00628727.doc.wsf
+#
+# What it means:
+# - T: type. e.g. zip archive.
+# - M: MIME type. e.g. application/octet-stream.
+# - N: suggested (MIME) name. e.g. my_docum.zip.
+
+$banned_namepath_re = new_RE(
+ #[qr'T=(rar|arc|arj|zoo|gz|bz2)(,|\t)'xmi => 'DISCARD'], # Compressed file types
+ [qr'T=x-(msdownload|msdos-program|msmetafile)(,|\t)'xmi => 'DISCARD'],
+ [qr'T=(hta)(,|\t)'xmi => 'DISCARD'],
+
+ # Dangerous mime types
+ [qr'T=(9|386|LeChiffre|aaa|abc|aepl|ani|aru|atm|aut|b64|bat|bhx|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hqx|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mim|mjg|mjz|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uu|uue|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxe|xxx|xyz|zix|zvz|zzz)(,|\t)'xmi => 'DISCARD'],
+
+ # Dangerous file name extensions
+ [qr'N=.*\.(9|386|LeChiffre|aaa|abc|aepl|ani|aru|atm|aut|b64|bat|bhx|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hqx|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mim|mjg|mjz|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uu|uue|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxe|xxx|xyz|zix|zvz|zzz)$'xmi => 'DISCARD'],
+);
+
+# Log verbose.
+$log_templ = $log_verbose_templ;
+
+# $bounce_killer_score defaults to 100, it will cause quota exceed notification
+# email sent by Dovecot quarantined by Amavisd.
+$penpals_bonus_score = undef;
+$bounce_killer_score = 0;
+
+# Selectively disable some of the header checks
+#
+# Duplicate or multiple occurrence of a header field
+$allowed_header_tests{'multiple'} = 0;
+
+# Missing some headers. e.g. 'Date:'
+$allowed_header_tests{'missing'} = 0;
+
+# Listen on specified addresses.
+$inet_socket_bind = ['127.0.0.1'];
+
+# Set ACL
+@inet_acl = qw(127.0.0.1 [::1] 127.0.0.1);
+# Num of pre-forked children.
+# WARNING: it must match (equal to or larger than) the number set in
+# `maxproc` column in Postfix master.cf for the `smtp-amavis` transport.
+$max_servers = 4;
-#------------ Do not modify anything below this line -------------
-1; # ensure a defined return
+1; # insure a defined return
--- /dev/null
+use strict;
+
+#
+# Place your configuration directives here. They will override those in
+# earlier files.
+#
+# See /usr/share/doc/amavisd-new/ for documentation and examples of
+# the directives you can use in this file
+#
+
+
+#------------ Do not modify anything below this line -------------
+1; # ensure a defined return
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
-LogFile /var/log/clamav/clamav.log
+#LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M
+AllowSupplementaryGroups true
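Review bot: Commenting out `LogFile` may leave clamd with no log destination at all, because nothing in this hunk turns syslog on and the clamd.conf copy added further down in this commit still has `LogSyslog false`. If the live file matches that copy (the rest of clamd.conf is outside the hunk), detections and scan errors from the mail scanner would not be recorded anywhere, which removes evidence an incident responder would want. I would either keep `LogFile /var/log/clamav/clamav.log` or add `LogSyslog true` in the same change. Separately, `AllowSupplementaryGroups` is, as far as I know, no longer accepted by newer ClamAV releases, so it is worth confirming that clamd still parses the file after this edit.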
--- /dev/null
+#Automatically Generated by clamav-daemon postinst
+#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
+#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
+LocalSocket /var/run/clamav/clamd.ctl
+FixStaleSocket true
+LocalSocketGroup clamav
+LocalSocketMode 666
+# TemporaryDirectory is not set to its default /tmp here to make overriding
+# the default with environment variables TMPDIR/TMP/TEMP possible
+User clamav
+ScanMail true
+ScanArchive true
+ArchiveBlockEncrypted false
+MaxDirectoryRecursion 15
+FollowDirectorySymlinks false
+FollowFileSymlinks false
+ReadTimeout 180
+MaxThreads 12
+MaxConnectionQueueLength 15
+LogSyslog false
+LogRotate true
+LogFacility LOG_LOCAL6
+LogClean false
+LogVerbose false
+PreludeEnable no
+PreludeAnalyzerName ClamAV
+DatabaseDirectory /var/lib/clamav
+OfficialDatabaseOnly false
+SelfCheck 3600
+Foreground false
+Debug false
+ScanPE true
+MaxEmbeddedPE 10M
+ScanOLE2 true
+ScanPDF true
+ScanHTML true
+MaxHTMLNormalize 10M
+MaxHTMLNoTags 2M
+MaxScriptNormalize 5M
+MaxZipTypeRcg 1M
+ScanSWF true
+ExitOnOOM false
+LeaveTemporaryFiles false
+AlgorithmicDetection true
+ScanELF true
+IdleTimeout 30
+CrossFilesystems true
+PhishingSignatures true
+PhishingScanURLs true
+PhishingAlwaysBlockSSLMismatch false
+PhishingAlwaysBlockCloak false
+PartitionIntersection false
+DetectPUA false
+ScanPartialMessages false
+HeuristicScanPrecedence false
+StructuredDataDetection false
+CommandReadTimeout 30
+SendBufTimeout 200
+MaxQueue 100
+ExtendedDetectionInfo true
+OLE2BlockMacros false
+AllowAllMatchScan true
+ForceToDisk false
+DisableCertCheck false
+DisableCache false
+MaxScanTime 120000
+MaxScanSize 100M
+MaxFileSize 25M
+MaxRecursion 16
+MaxFiles 10000
+MaxPartitions 50
+MaxIconsPE 100
+PCREMatchLimit 10000
+PCRERecMatchLimit 5000
+PCREMaxFileSize 25M
+ScanXMLDOCS true
+ScanHWP3 true
+MaxRecHWP3 16
+StreamMaxLength 25M
+LogFile /var/log/clamav/clamav.log
+LogTime true
+LogFileUnlock false
+LogFileMaxSize 0
+Bytecode true
+BytecodeSecurity TrustSigned
+BytecodeTimeout 60000
+OnAccessMaxFileSize 5M
--- /dev/null
+# Automatically created by the clamav-freshclam postinst
+# Comments will get lost when you reconfigure the clamav-freshclam package
+
+DatabaseOwner clamav
+UpdateLogFile /var/log/clamav/freshclam.log
+LogVerbose false
+LogSyslog false
+LogFacility LOG_LOCAL6
+LogFileMaxSize 0
+LogRotate true
+LogTime true
+Foreground false
+Debug false
+MaxAttempts 5
+DatabaseDirectory /var/lib/clamav
+DNSDatabaseInfo current.cvd.clamav.net
+ConnectTimeout 30
+ReceiveTimeout 0
+TestDatabases yes
+ScriptedUpdates yes
+CompressLocalDatabase no
+SafeBrowsing false
+Bytecode true
+NotifyClamd /etc/clamav/clamd.conf
+# Check for new database 24 times a day
+Checks 24
+DatabaseMirror db.local.clamav.net
+DatabaseMirror database.clamav.net
# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
-CRON=0
+CRON=1
--- /dev/null
+connect = host=127.0.0.1 port=3306 dbname=vmail user=vmailadmin password=kjnjsPN5ph8MB8Qcnuy9J7ucTvXat8Sp
+
+map {
+ pattern = shared/last-login/imap/$user/$domain
+ table = last_login
+ value_field = imap
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
+
+map {
+ pattern = shared/last-login/pop3/$user/$domain
+ table = last_login
+ value_field = pop3
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
+
+map {
+ pattern = shared/last-login/lda/$user/$domain
+ table = last_login
+ value_field = lda
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
+
+# Treat lmtp as lda.
+map {
+ pattern = shared/last-login/lmtp/$user/$domain
+ table = last_login
+ value_field = lda
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
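Review bot: The `connect` line at the top of this new file commits a live MySQL password for `vmailadmin` to the repository, so everyone who can read the history has it, whatever the file's on-disk permissions are. The same applies to the `connect` lines in the three Dovecot files added after this one (the `vmail` account in the SQL auth file, and `vmailadmin` again in the share-folder and used-quota dict files) and to `@storage_sql_dsn` in the amavis `50-user` change. These passwords should be rotated and the files carrying them kept out of the tracked tree, for instance through the repository's ignore file, with a comment such as `# DB credentials live outside version control, see <secrets-location>` where they are managed. It is also worth confirming that `vmailadmin` holds no more than the access these dict maps need on `last_login`, `used_quota`, `share_folder` and `anyone_shares`.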
--- /dev/null
+driver = mysql
+default_pass_scheme = CRYPT
+connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+
+# Required by doveadm tools which require to list all mail users.
+iterate_query = SELECT username AS user FROM mailbox
+
+password_query = SELECT mailbox.password, mailbox.allow_nets \
+ FROM mailbox,domain \
+ WHERE mailbox.username='%u' \
+ AND mailbox.`enable%Ls%Lc`=1 \
+ AND mailbox.active=1 \
+ AND mailbox.domain=domain.domain \
+ AND domain.backupmx=0 \
+ AND domain.active=1
+
+user_query = SELECT \
+ LOWER('%u') AS master_user, \
+ LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir)) AS home, \
+ CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS mail, \
+ CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule \
+ FROM mailbox,domain \
+ WHERE mailbox.username='%u' \
+ AND mailbox.`enable%Ls%Lc`=1 \
+ AND mailbox.active=1 \
+ AND mailbox.domain=domain.domain \
+ AND domain.backupmx=0 \
+ AND domain.active=1
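Review bot: `default_pass_scheme = CRYPT` means any `mailbox.password` value stored without a `{SCHEME}` prefix is verified through libc crypt(), which accepts the legacy DES and MD5 variants where the platform supports them. If every stored hash carries an explicit prefix this fallback is never used, but that is not visible from this file. I would state the expectation in a comment such as `# every mailbox.password value must carry a {SCHEME} prefix; this is only the fallback`, and consider `default_pass_scheme = SSHA512` once the table has been checked for unprefixed rows.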
--- /dev/null
+connect = host=127.0.0.1 port=3306 dbname=vmail user=vmailadmin password=kjnjsPN5ph8MB8Qcnuy9J7ucTvXat8Sp
+map {
+ pattern = shared/shared-boxes/user/$to/$from
+ table = share_folder
+ value_field = dummy
+
+ fields {
+ from_user = $from
+ to_user = $to
+ }
+}
+
+# To share mailbox to anyone, please uncomment 'acl_anyone = allow' in
+# dovecot.conf
+map {
+ pattern = shared/shared-boxes/anyone/$from
+ table = anyone_shares
+ value_field = dummy
+ fields {
+ from_user = $from
+ }
+}
--- /dev/null
+connect = host=127.0.0.1 port=3306 dbname=vmail user=vmailadmin password=kjnjsPN5ph8MB8Qcnuy9J7ucTvXat8Sp
+map {
+ pattern = priv/quota/storage
+ table = used_quota
+ username_field = username
+ value_field = bytes
+}
+map {
+ pattern = priv/quota/messages
+ table = used_quota
+ username_field = username
+ value_field = messages
+}
-## Dovecot configuration file
-
-# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
-
-# "doveconf -n" command gives a clean output of the changed settings. Use it
-# instead of copy&pasting files when posting to the Dovecot mailing list.
-
-# '#' character and everything after it is treated as comments. Extra spaces
-# and tabs are ignored. If you want to use either of these explicitly, put the
-# value inside quotes, eg.: key = "# char and trailing whitespace "
-
-# Most (but not all) settings can be overridden by different protocols and/or
-# source/destination IPs by placing the settings inside sections, for example:
-# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
-
-# Default values are shown for each setting, it's not required to uncomment
-# those. These are exceptions to this though: No sections (e.g. namespace {})
-# or plugin settings are added by default, they're listed only as examples.
-# Paths are also just examples with the real defaults being based on configure
-# options. The paths listed here are for configure --prefix=/usr
-# --sysconfdir=/etc --localstatedir=/var
-
-# Enable installed protocols
-!include_try /usr/share/dovecot/protocols.d/*.protocol
-
-# A comma separated list of IPs or hosts where to listen in for connections.
-# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
-# If you want to specify non-default ports or anything more complex,
-# edit conf.d/master.conf.
-#listen = *, ::
-
-# Base directory where to store runtime data.
-#base_dir = /var/run/dovecot/
-
-# Name of this instance. In multi-instance setup doveadm and other commands
-# can use -i <instance_name> to select which instance is used (an alternative
-# to -c <config_path>). The instance name is also added to Dovecot processes
-# in ps output.
-#instance_name = dovecot
-
-# Greeting message for clients.
-#login_greeting = Dovecot ready.
-
-# Space separated list of trusted network ranges. Connections from these
-# IPs are allowed to override their IP addresses and ports (for logging and
-# for authentication checks). disable_plaintext_auth is also ignored for
-# these networks. Typically you'd specify your IMAP proxy servers here.
-#login_trusted_networks =
-
-# Space separated list of login access check sockets (e.g. tcpwrap)
-#login_access_sockets =
-
-# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
-# proxying. This isn't necessary normally, but may be useful if the destination
-# IP is e.g. a load balancer's IP.
-#auth_proxy_self =
-
-# Show more verbose process titles (in ps). Currently shows user name and
-# IP address. Useful for seeing who are actually using the IMAP processes
-# (eg. shared mailboxes or if same uid is used for multiple accounts).
-#verbose_proctitle = no
-
-# Should all processes be killed when Dovecot master process shuts down.
-# Setting this to "no" means that Dovecot can be upgraded without
-# forcing existing client connections to close (although that could also be
-# a problem if the upgrade is e.g. because of a security fix).
-#shutdown_clients = yes
-
-# If non-zero, run mail commands via this many connections to doveadm server,
-# instead of running them directly in the same process.
-#doveadm_worker_count = 0
-# UNIX socket or host:port used for connecting to doveadm server
-#doveadm_socket_path = doveadm-server
-
-# Space separated list of environment variables that are preserved on Dovecot
-# startup and passed down to all of its child processes. You can also give
-# key=value pairs to always set specific settings.
-#import_environment = TZ
-
-##
-## Dictionary server settings
-##
-
-# Dictionary can be used to store key=value lists. This is used by several
-# plugins. The dictionary can be accessed either directly or though a
-# dictionary server. The following dict block maps dictionary names to URIs
-# when the server is used. These can then be referenced using URIs in format
-# "proxy::<name>".
+# More details about Dovecot settings:
+# - http://wiki2.dovecot.org/
+# - http://wiki2.dovecot.org/Variables
+
+# Listen addresses.
+# - '*' means all available IPv4 addresses.
+# - '[::]' means all available IPv6 addresses.
+# Listen on all available addresses by default
+listen = * [::]
+
+#base_dir = /var/run/dovecot
+mail_plugins = quota mailbox_alias acl mail_log notify
+
+# Enabled mail protocols.
+protocols = pop3 imap sieve lmtp
+
+# User/group who owns the message files:
+mail_uid = 2000
+mail_gid = 2000
+
+# Assign uid to virtual users.
+first_valid_uid = 2000
+last_valid_uid = 2000
+
+# Logging. Reference: http://wiki2.dovecot.org/Logging
+#
+# Use syslog
+syslog_facility = local5
+# Log file path if we use internal log system
+#log_path = /var/log/dovecot/dovecot.log
+
+# Debug
+#mail_debug = yes
+#auth_verbose = yes
+#auth_debug = yes
+#auth_debug_passwords = yes
+# Possible values: no, plain, sha1.
+#auth_verbose_passwords = no
+
+# SSL: Global settings.
+# Refer to wiki site for per protocol, ip, server name SSL settings:
+# http://wiki2.dovecot.org/SSL/DovecotConfiguration
+ssl_min_protocol = TLSv1.2
+ssl = required
+verbose_ssl = no
+#ssl_ca = </path/to/ca
+ssl_cert = </etc/ssl/certs/iRedMail.crt
+ssl_key = </etc/ssl/private/iRedMail.key
+ssl_dh = </etc/ssl/dh2048_param.pem
+
+# Fix 'The Logjam Attack'
+ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+ssl_prefer_server_ciphers = yes
+
+# With disable_plaintext_auth=yes AND ssl=required, STARTTLS is mandatory.
+# Set disable_plaintext_auth=no AND ssl=yes to allow plain password transmitted
+# insecurely.
+disable_plaintext_auth = yes
+
+# Allow plain text password per IP address/net
+#remote 192.168.0.0/24 {
+# disable_plaintext_auth = no
+#}
+
+# Mail location and mailbox format.
+mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
+
+# Authentication related settings.
+# Append this domain name if client gives empty realm.
+#auth_default_realm = brehm-berlin.de
+
+# Authentication mechanisms.
+auth_mechanisms = PLAIN LOGIN
+
+# Limits the number of users that can be logging in at the same time.
+# Default is 100. This can be overridden by `process_limit =` in
+# `service [protocol]` block.
+# e.g.
+# protocol imap-login {
+# ...
+# process_limit = 500
+# }
+#default_process_limit = 100
+
+# Login log elements.
+# Add '%k' for detailed SSL protocol and cipher information.
+# e.g. "TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)"
+login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}>
+
+# Mail delivery log format
+deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, delivery_time=%{delivery_time}ms, %$
+
+service auth {
+ unix_listener /var/spool/postfix/private/dovecot-auth {
+ user = postfix
+ group = postfix
+ mode = 0666
+ }
+ unix_listener auth-master {
+ user = vmail
+ group = vmail
+ mode = 0666
+ }
+ unix_listener auth-userdb {
+ user = vmail
+ group = vmail
+ mode = 0660
+ }
+}
+
+# LMTP server (Local Mail Transfer Protocol).
+# Reference: http://wiki2.dovecot.org/LMTP
+service lmtp {
+ user = vmail
+
+ # For higher volume sites, it may be desirable to increase the number of
+ # active listener processes. A range of 5 to 20 is probably good for most
+ # sites.
+ process_min_avail = 5
+
+ # Logging.
+ # Require 'log_path =' in 'protocol lmtp {}' block.
+ executable = lmtp -L
+
+ # Listening on socket file and TCP
+ unix_listener /var/spool/postfix/private/dovecot-lmtp {
+ user = postfix
+ group = postfix
+ mode = 0600
+ }
+
+ inet_listener lmtp {
+ # Listen on localhost (ipv4)
+ address = 127.0.0.1
+ port = 24
+ }
+}
+
+# Virtual mail accounts.
+userdb {
+ args = /etc/dovecot/dovecot-mysql.conf
+ driver = sql
+}
+passdb {
+ args = /etc/dovecot/dovecot-mysql.conf
+ driver = sql
+}
+
+# Master user.
+# Master users are able to log in as other users. It's also possible to
+# directly log in as any user using a master password, although this isn't
+# recommended.
+# Reference: http://wiki2.dovecot.org/Authentication/MasterUsers
+auth_master_user_separator = *
+passdb {
+ driver = passwd-file
+ args = /etc/dovecot/dovecot-master-users
+ master = yes
+}
+
+plugin {
+ # Quota configuration.
+ # Reference: http://wiki2.dovecot.org/Quota/Configuration
+ quota = dict:user::proxy::quotadict
+
+ # Set default quota rule if no quota returned from SQL/LDAP query.
+ #quota_rule = *:storage=1G
+ #quota_rule2 = *:messages=0
+ #quota_rule3 = Trash:storage=1G
+ #quota_rule4 = Junk:ignore
+
+ # Quota warning.
+ #
+ # If user suddenly receives a huge mail and the quota jumps from
+ # 85% to 95%, only the 95% script is executed.
+ #
+ # Only the command for the first exceeded limit is executed, so configure
+ # the highest limit first.
+ quota_warning = storage=100%% quota-warning 100 %u
+ quota_warning2 = storage=95%% quota-warning 95 %u
+ quota_warning3 = storage=90%% quota-warning 90 %u
+ quota_warning4 = storage=85%% quota-warning 85 %u
+
+ # allow user to become max 10% (or 50 MB) over quota
+ quota_grace = 10%%
+ #quota_grace = 50 M
+
+ # Custom Quota Exceeded Message.
+ # You can specify the message directly or read the message from a file.
+ #quota_exceeded_message = Quota exceeded, please try again later.
+ #quota_exceeded_message = </path/to/quota_exceeded_message.txt
+
+ # Used by quota-status service.
+ quota_status_success = DUNNO
+ quota_status_nouser = DUNNO
+ quota_status_overquota = "552 5.2.2 Mailbox is full"
+
+ # Plugin: expire.
+ #expire = Trash 7 Trash/* 7 Junk 30
+ #expire_dict = proxy::expire
+
+ # ACL and share folder
+ acl = vfile
+ acl_shared_dict = proxy::acl
+
+ # By default Dovecot doesn't allow using the IMAP "anyone" or
+ # "authenticated" identifier, because it would be an easy way to spam
+ # other users in the system. If you wish to allow it,
+ #acl_anyone = allow
+
+ # Pigeonhole managesieve service.
+ # Reference: http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
+ # Per-user sieve settings.
+ sieve_dir = ~/sieve
+ sieve = ~/sieve/dovecot.sieve
+
+ # Global sieve settings.
+ sieve_global_dir = /var/vmail/sieve
+ # Note: if user has personal sieve script, global sieve rules defined in
+ # sieve_default will be ignored. Please use sieve_before or
+ # sieve_after instead.
+ #sieve_default =
+
+ sieve_before = /var/vmail/sieve/dovecot.sieve
+ #sieve_after =
+
+ # The maximum number of redirect actions that can be performed during a
+ # single script execution.
+ # The meaning of 0 differs based on your version. For pigeonhole-0.3.0 and
+ # beyond this means that redirect is prohibited. For older versions,
+ # however, this means that the number of redirects is unlimited.
+ sieve_max_redirects = 30
+
+ # Use recipient as vacation message sender instead of null sender (<>).
+ sieve_vacation_send_from_recipient = yes
+
+ # Reference: http://wiki2.dovecot.org/Plugins/MailboxAlias
+ mailbox_alias_old = Sent
+ mailbox_alias_new = Sent Messages
+ mailbox_alias_old2 = Sent
+ mailbox_alias_new2 = Sent Items
+
+ # Events to log. `autoexpunge` is included in `expunge`
+ # Defined in https://github.com/dovecot/core/blob/master/src/plugins/mail-log/mail-log-plugin.c
+ mail_log_events = delete undelete expunge copy mailbox_create mailbox_delete mailbox_rename
+ mail_log_fields = uid box msgid size from subject flags
+
+ # Track user last login
+ last_login_dict = proxy::lastlogin
+ last_login_key = last-login/%s/%u/%d
+}
+
+service stats {
+ fifo_listener stats-mail {
+ user = vmail
+ mode = 0644
+ }
+
+ unix_listener stats-writer {
+ user = vmail
+ group = vmail
+ mode = 0660
+ }
+
+ inet_listener {
+ address = 127.0.0.1
+ port = 24242
+ }
+}
+
+service quota-warning {
+ executable = script /usr/local/bin/dovecot-quota-warning.sh
+ unix_listener quota-warning {
+ user = vmail
+ group = vmail
+ mode = 0660
+ }
+}
+
+service quota-status {
+ # '-p <protocol>'. Currently only 'postfix' protocol is supported.
+ executable = quota-status -p postfix
+ client_limit = 1
+ inet_listener {
+ address = 127.0.0.1
+ port = 12340
+ }
+}
+
+service dict {
+ unix_listener dict {
+ mode = 0660
+ user = vmail
+ group = vmail
+ }
+}
dict {
- #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
- #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+ #expire = db:/var/lib/dovecot/expire/expire.db
+ quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
+ acl = mysql:/etc/dovecot/dovecot-share-folder.conf
+ lastlogin = mysql:/etc/dovecot/dovecot-last-login.conf
+}
+
+protocol lda {
+ mail_plugins = $mail_plugins sieve
+ lda_mailbox_autocreate = yes
+ lda_mailbox_autosubscribe = yes
+}
+
+protocol lmtp {
+ # Plugins
+ mail_plugins = $mail_plugins sieve
+
+ # Address extension delivery
+ lmtp_save_to_detail_mailbox = yes
+ recipient_delimiter = +
+}
+
+protocol imap {
+ mail_plugins = $mail_plugins imap_quota imap_acl last_login
+ imap_client_workarounds = tb-extra-mailbox-sep
+
+ # Maximum number of IMAP connections allowed for a user from each IP address.
+ # NOTE: The username is compared case-sensitively.
+ # Default is 10.
+ # Increase it to avoid issue like below:
+ # "Maximum number of concurrent IMAP connections exceeded"
+ mail_max_userip_connections = 30
+}
+
+protocol pop3 {
+ mail_plugins = $mail_plugins last_login
+ pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
+ pop3_uidl_format = %08Xu%08Xv
+
+ # Maximum number of IMAP connections allowed for a user from each IP address.
+ # NOTE: The username is compared case-sensitively.
+ # Default is 10.
+ mail_max_userip_connections = 30
+
+ # POP3 logout format string:
+ # %i - total number of bytes read from client
+ # %o - total number of bytes sent to client
+ # %t - number of TOP commands
+ # %p - number of bytes sent to client as a result of TOP command
+ # %r - number of RETR commands
+ # %b - number of bytes sent to client as a result of RETR command
+ # %d - number of deleted messages
+ # %m - number of messages (before deletion)
+ # %s - mailbox size in bytes (before deletion)
+ # Default format doesn't have 'in=%i, out=%o'.
+ #pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, in=%i, out=%o
+}
+
+# Login processes. Refer to Dovecot wiki for more details:
+# http://wiki2.dovecot.org/LoginProcess
+service imap-login {
+ #inet_listener imap {
+ # port = 143
+ #}
+ #inet_listener imaps {
+ # port = 993
+ # ssl = yes
+ #}
+
+ service_count = 1
+
+ # To avoid startup latency for new client connections, set process_min_avail
+ # to higher than zero. That many idling processes are always kept around
+ # waiting for new connections.
+ #process_min_avail = 0
+
+ # number of simultaneous IMAP connections
+ process_limit = 500
+
+ # vsz_limit should be fine at its default 64MB value
+ #vsz_limit = 64M
+}
+
+service pop3-login {
+ #inet_listener pop3 {
+ # port = 110
+ #}
+ #inet_listener pop3s {
+ # port = 995
+ # ssl = yes
+ #}
+
+ service_count = 1
+
+ # number of simultaneous POP3 connections
+ #process_limit = 500
+}
+
+service managesieve-login {
+ inet_listener sieve {
+ # Listen on localhost (ipv4)
+ address = 127.0.0.1
+ port = 4190
+ }
+}
+
+metric imap_command_finished {
+ event_name = imap_command_finished
+}
+
+namespace {
+ type = private
+ separator = /
+ prefix =
+ inbox = yes
+
+ # Refer to document for more details about alias mailbox:
+ # http://wiki2.dovecot.org/MailboxSettings
+ #
+ # Sent
+ mailbox Sent {
+ auto = subscribe
+ special_use = \Sent
+ }
+ mailbox "Sent Messages" {
+ auto = no
+ special_use = \Sent
+ }
+ mailbox "Sent Items" {
+ auto = no
+ special_use = \Sent
+ }
+
+ mailbox Drafts {
+ auto = subscribe
+ special_use = \Drafts
+ }
+
+ # Trash
+ mailbox Trash {
+ auto = subscribe
+ special_use = \Trash
+ }
+
+ mailbox "Deleted Messages" {
+ auto = no
+ special_use = \Trash
+ }
+
+ # Junk
+ mailbox Junk {
+ auto = subscribe
+ special_use = \Junk
+ }
+ mailbox Spam {
+ auto = no
+ special_use = \Junk
+ }
+ mailbox "Junk E-mail" {
+ auto = no
+ special_use = \Junk
+ }
+
+ # Archive
+ mailbox Archive {
+ auto = no
+ special_use = \Archive
+ }
+ mailbox Archives {
+ auto = no
+ special_use = \Archive
+ }
+}
+
+namespace {
+ type = shared
+ separator = /
+ prefix = Shared/%%u/
+ location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln
+
+ # this namespace should handle its own subscriptions or not.
+ subscriptions = yes
+ list = children
}
-# Most of the actual configuration gets included below. The filenames are
-# first sorted by their ASCII value and parsed in that order. The 00-prefixes
-# in filenames are intended to make it easier to understand the ordering.
-!include conf.d/*.conf
+# Public mailboxes.
+# Refer to Dovecot wiki page for more details:
+# http://wiki2.dovecot.org/SharedMailboxes/Public
+#namespace {
+# type = public
+# separator = /
+# prefix = Public/
+# location = maildir:/var/vmail/public:CONTROL=%Lh/Maildir/public:INDEXPVT=%Lh/Maildir/public
+#
+# # Allow users to subscribe to the public folders.
+# subscriptions = yes
+#}
-# A config file can also tried to be included without giving an error if
-# it's not found:
-!include_try local.conf
+!include_try /etc/dovecot/iredmail/*.conf
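Review bot: In `service auth`, `unix_listener auth-master` is created with `mode = 0666`, which lets any local account connect to the auth master socket, while `auth-userdb` right below it uses 0660 for the same `vmail` owner and group. Unless a client outside the `vmail` group is known to need it, I would change that line to `mode = 0660`. The `dovecot-auth` listener under `/var/spool/postfix/private/` is also 0666 and therefore depends entirely on the permissions of that directory; `mode = 0660` with the existing `user = postfix` and `group = postfix` would protect it on its own. A one-line comment above each listener naming the intended client would make the chosen mode easier to review.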
--- /dev/null
+## Dovecot configuration file
+
+# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
+
+# "doveconf -n" command gives a clean output of the changed settings. Use it
+# instead of copy&pasting files when posting to the Dovecot mailing list.
+
+# '#' character and everything after it is treated as comments. Extra spaces
+# and tabs are ignored. If you want to use either of these explicitly, put the
+# value inside quotes, eg.: key = "# char and trailing whitespace "
+
+# Most (but not all) settings can be overridden by different protocols and/or
+# source/destination IPs by placing the settings inside sections, for example:
+# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
+
+# Default values are shown for each setting, it's not required to uncomment
+# those. These are exceptions to this though: No sections (e.g. namespace {})
+# or plugin settings are added by default, they're listed only as examples.
+# Paths are also just examples with the real defaults being based on configure
+# options. The paths listed here are for configure --prefix=/usr
+# --sysconfdir=/etc --localstatedir=/var
+
+# Enable installed protocols
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+
+# A comma separated list of IPs or hosts where to listen in for connections.
+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+# If you want to specify non-default ports or anything more complex,
+# edit conf.d/master.conf.
+#listen = *, ::
+
+# Base directory where to store runtime data.
+#base_dir = /var/run/dovecot/
+
+# Name of this instance. In multi-instance setup doveadm and other commands
+# can use -i <instance_name> to select which instance is used (an alternative
+# to -c <config_path>). The instance name is also added to Dovecot processes
+# in ps output.
+#instance_name = dovecot
+
+# Greeting message for clients.
+#login_greeting = Dovecot ready.
+
+# Space separated list of trusted network ranges. Connections from these
+# IPs are allowed to override their IP addresses and ports (for logging and
+# for authentication checks). disable_plaintext_auth is also ignored for
+# these networks. Typically you'd specify your IMAP proxy servers here.
+#login_trusted_networks =
+
+# Space separated list of login access check sockets (e.g. tcpwrap)
+#login_access_sockets =
+
+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
+# proxying. This isn't necessary normally, but may be useful if the destination
+# IP is e.g. a load balancer's IP.
+#auth_proxy_self =
+
+# Show more verbose process titles (in ps). Currently shows user name and
+# IP address. Useful for seeing who are actually using the IMAP processes
+# (eg. shared mailboxes or if same uid is used for multiple accounts).
+#verbose_proctitle = no
+
+# Should all processes be killed when Dovecot master process shuts down.
+# Setting this to "no" means that Dovecot can be upgraded without
+# forcing existing client connections to close (although that could also be
+# a problem if the upgrade is e.g. because of a security fix).
+#shutdown_clients = yes
+
+# If non-zero, run mail commands via this many connections to doveadm server,
+# instead of running them directly in the same process.
+#doveadm_worker_count = 0
+# UNIX socket or host:port used for connecting to doveadm server
+#doveadm_socket_path = doveadm-server
+
+# Space separated list of environment variables that are preserved on Dovecot
+# startup and passed down to all of its child processes. You can also give
+# key=value pairs to always set specific settings.
+#import_environment = TZ
+
+##
+## Dictionary server settings
+##
+
+# Dictionary can be used to store key=value lists. This is used by several
+# plugins. The dictionary can be accessed either directly or though a
+# dictionary server. The following dict block maps dictionary names to URIs
+# when the server is used. These can then be referenced using URIs in format
+# "proxy::<name>".
+
+dict {
+ #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+ #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+}
+
+# Most of the actual configuration gets included below. The filenames are
+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
+# in filenames are intended to make it easier to understand the ordering.
+!include conf.d/*.conf
+
+# A config file can also tried to be included without giving an error if
+# it's not found:
+!include_try local.conf
daemon:x:1:frank
bin:x:2:frank
sys:x:3:frank
-adm:x:4:
+adm:x:4:netdata
tty:x:5:frank
disk:x:6:frank
lp:x:7:frank
news:x:9:
uucp:x:10:
man:x:12:frank
-proxy:x:13:
+proxy:x:13:netdata
kmem:x:15:
dialout:x:20:
fax:x:21:
dovecot:x:120:
dovenull:x:121:
debian-spamd:x:122:
-amavis:x:123:
+amavis:x:123:clamav
+vmail:x:2000:
+mlmmj:x:2003:
+iredadmin:x:2001:
+iredapd:x:2002:
+netdata:x:2004:
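Review bot: The `netdata` account is added to the `adm` and `proxy` groups here (`+adm:x:4:netdata`, `+proxy:x:13:netdata`), and nothing in the commit records why a monitoring agent needs either membership. On Debian-style systems `adm` usually grants read access to most of /var/log, so a compromise of the netdata process would presumably expose mail and authentication logs as well. If the agent only needs its own logs under /opt/netdata/var/log, restore `adm:x:4:` and `proxy:x:13:`; otherwise record the reason in the commit message. The same membership lines recur in the backup copy and the two gshadow sections that follow.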
daemon:x:1:frank
bin:x:2:frank
sys:x:3:frank
-adm:x:4:
+adm:x:4:netdata
tty:x:5:frank
disk:x:6:frank
lp:x:7:frank
dovecot:x:120:
dovenull:x:121:
debian-spamd:x:122:
+amavis:x:123:clamav
+vmail:x:2000:
+mlmmj:x:2003:
+iredadmin:x:2001:
+iredapd:x:2002:
+netdata:x:2004:
daemon:*::frank
bin:*::frank
sys:*::frank
-adm:*::
+adm:*::netdata
tty:*::frank
disk:*::frank
lp:*::frank
news:*::
uucp:*::
man:*::frank
-proxy:*::
+proxy:*::netdata
kmem:*::
dialout:*::
fax:*::
dovecot:!::
dovenull:!::
debian-spamd:!::
-amavis:!::
+amavis:!::clamav
+vmail:!::
+mlmmj:!::
+iredadmin:!::
+iredapd:!::
+netdata:!::
daemon:*::frank
bin:*::frank
sys:*::frank
-adm:*::
+adm:*::netdata
tty:*::frank
disk:*::frank
lp:*::frank
dovecot:!::
dovenull:!::
debian-spamd:!::
+amavis:!::clamav
+vmail:!::
+mlmmj:!::
+iredadmin:!::
+iredapd:!::
+netdata:!::
--- /dev/null
+1.3.2 MARIADB edition.
+# Get professional support from iRedMail Team: http://www.iredmail.org/support.html
--- /dev/null
+/var/log/dovecot/*.log {
+ weekly
+ rotate 10
+ missingok
+ compress
+ delaycompress
+ notifempty
+ sharedscripts
+
+ postrotate
+
+ endscript
+}
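Review bot: The `postrotate` … `endscript` block in this stanza is empty, so nothing tells the process writing /var/log/dovecot/*.log to reopen its files after rotation. Unless the writer reopens on its own, it keeps appending to the renamed file, and with `delaycompress` those entries can be lost once that file is compressed on the next cycle, leaving a gap in the mail audit trail. Add the reopen step for whichever process holds the file open (for Dovecot logging directly, something like `doveadm log reopen`; for a syslog daemon, its own rotate hook). The iredapd and mlmmjadmin stanzas that follow have the same empty block.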
--- /dev/null
+/var/log/iredapd/*.log {
+ weekly
+ rotate 10
+ missingok
+ compress
+ delaycompress
+ notifempty
+ sharedscripts
+
+ postrotate
+
+ endscript
+}
--- /dev/null
+/var/log/mlmmjadmin/*.log {
+ weekly
+ rotate 10
+ missingok
+ compress
+ delaycompress
+ notifempty
+ sharedscripts
+
+ postrotate
+
+ endscript
+}
--- /dev/null
+/opt/netdata/var/log/netdata/*.log {
+ daily
+ missingok
+ rotate 14
+ compress
+ delaycompress
+ notifempty
+ sharedscripts
+ postrotate
+ /bin/kill -HUP `cat /opt/netdata/var/run/netdata/netdata.pid 2>/dev/null` 2>/dev/null || true
+ endscript
+}
-/var/log/php7.3-fpm.log {
- rotate 12
- weekly
- missingok
- notifempty
- compress
- delaycompress
- postrotate
- /usr/lib/php/php7.3-fpm-reopenlogs
- endscript
+/var/log/php-fpm/*.log {
+ weekly
+ rotate 10
+ missingok
+ compress
+ delaycompress
+ notifempty
+ sharedscripts
+
+ postrotate
+ /bin/kill -SIGUSR1 `cat /run/php/php-fpm.pid 2>/dev/null` 2>/dev/null || true
+ endscript
}
+++ /dev/null
-/etc/alternatives/my.cnf
\ No newline at end of file
--- /dev/null
+# The MariaDB configuration file
+#
+# The MariaDB/MySQL tools read configuration files in the following order:
+# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
+# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
+# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
+# 4. "~/.my.cnf" to set user-specific options.
+#
+# If the same option is defined multiple times, the last one will apply.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+
+#
+# This group is read both both by the client and the server
+# use it for options that affect everything
+#
+[client-server]
+
+# Import all .cnf files from configuration directory
+!includedir /etc/mysql/conf.d/
+!includedir /etc/mysql/mariadb.conf.d/
--- /dev/null
+# The MariaDB configuration file
+#
+# The MariaDB/MySQL tools read configuration files in the following order:
+# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
+# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
+# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
+# 4. "~/.my.cnf" to set user-specific options.
+#
+# If the same option is defined multiple times, the last one will apply.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+
+#
+# This group is read both both by the client and the server
+# use it for options that affect everything
+#
+[client-server]
+
+# Import all .cnf files from configuration directory
+!includedir /etc/mysql/conf.d/
+!includedir /etc/mysql/mariadb.conf.d/
--- /dev/null
+/opt/netdata/etc/netdata
\ No newline at end of file
--- /dev/null
+map_hash_bucket_size 1024;
--- /dev/null
+map $sent_http_content_type $expires {
+ default off;
+ application/x-javascript 1d;
+ text/css 1d;
+ ~image/ 1d;
+}
+
+expires $expires;
--- /dev/null
+client_max_body_size 12m;
--- /dev/null
+default_type application/octet-stream;
--- /dev/null
+gzip on;
+gzip_vary on;
+gzip_http_version 1.0;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_min_length 10240;
+gzip_proxied any;
+gzip_disable "MSIE [1-6]\.";
+
+# text/html is always compressed.
+gzip_types
+ text/plain
+ text/css
+ text/xml
+ text/javascript
+ text/json
+ text/vcard
+ text/cache-manifest
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy
+ image/bmp
+ image/vnd.microsoft.icon
+ image/x-icon
+ image/svg+xml
+ font/truetype
+ font/opentype
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/vnd.geo+json
+ application/manifest+json
+ application/x-javascript
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xml
+ application/xml+rss
+ application/xhtml+xml
+ application/vnd.ms-fontobject;
--- /dev/null
+add_header X-Frame-Options sameorigin;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection '1; mode=block';
+add_header X-Download-Options noopen;
+add_header X-Permitted-Cross-Domain-Policies none;
+add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
+add_header Referrer-Policy strict-origin;
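Review bot: The `Content-Security-Policy` line permits `'unsafe-inline'` and `'unsafe-eval'` from any `https:` origin, so it constrains very little script execution and mainly blocks plain-http subresources. If a bundled web application needs this, say so in a comment above the line, for example `# CSP kept permissive for <application name>; tighten per location where possible`, and set a stricter policy for the locations that can take one. `X-XSS-Protection` is ignored by current browsers and can be dropped. None of these directives use `always`, so the headers are omitted on most error responses.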
--- /dev/null
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
--- /dev/null
+include /etc/nginx/mime.types;
--- /dev/null
+upstream php_workers {
+ server 127.0.0.1:9999;
+}
--- /dev/null
+sendfile on;
--- /dev/null
+# Hide Nginx version number
+server_tokens off;
--- /dev/null
+types_hash_max_size 2048;
--- /dev/null
+/etc/nginx/conf-available/0-general.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/conf-available/cache.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/conf-available/client_max_body_size.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/conf-available/default_type.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/conf-available/gzip.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/conf-available/headers.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/conf-available/log.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/conf-available/mime_types.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/conf-available/php_fpm.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/conf-available/sendfile.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/conf-available/server_tokens.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/conf-available/types_hash_max_size.conf
\ No newline at end of file
--- /dev/null
+postmaster@brehm-berlin.de:{SSHA}ui9JiDic/BkCBDhyd4dzMOKZ/HGVCytg
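Review bot: This new file commits a live credential line (account name plus `{SSHA}` password hash) into the repository history, presumably for the file named by `auth_basic_user_file /etc/nginx/netdata.users` in the netdata templates of this commit. `{SSHA}` is salted SHA-1, a fast hash, so anyone with read access to the repository or a copy of it can run an offline guessing attack against it. Exclude the file from version control through the repository's ignore list, regenerate the entry with a slower crypt(3) scheme the platform supports, and treat the current password as exposed and rotate it.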
user www-data;
-worker_processes auto;
-pid /run/nginx.pid;
-include /etc/nginx/modules-enabled/*.conf;
+worker_processes 1;
+pid /var/run/nginx.pid;
events {
- worker_connections 768;
- # multi_accept on;
+ worker_connections 1024;
}
http {
-
- ##
- # Basic Settings
- ##
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- # server_tokens off;
-
- # server_names_hash_bucket_size 64;
- # server_name_in_redirect off;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- ##
- # SSL Settings
- ##
-
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
- ssl_prefer_server_ciphers on;
-
- ##
- # Logging Settings
- ##
-
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log;
-
- ##
- # Gzip Settings
- ##
-
- gzip on;
-
- # gzip_vary on;
- # gzip_proxied any;
- # gzip_comp_level 6;
- # gzip_buffers 16 8k;
- # gzip_http_version 1.1;
- # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
- ##
- # Virtual Host Configs
- ##
-
- include /etc/nginx/conf.d/*.conf;
- include /etc/nginx/sites-enabled/*;
+ include /etc/nginx/conf-enabled/*.conf;
+ include /etc/nginx/sites-enabled/*.conf;
}
-
-
-#mail {
-# # See sample authentication script at:
-# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-#
-# # auth_http localhost/auth.php;
-# # pop3_capabilities "TOP" "USER";
-# # imap_capabilities "IMAP4rev1" "UIDPLUS";
-#
-# server {
-# listen localhost:110;
-# protocol pop3;
-# proxy on;
-# }
-#
-# server {
-# listen localhost:143;
-# protocol imap;
-# proxy on;
-# }
-#}
--- /dev/null
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
--- /dev/null
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # SSL configuration
+ #
+ # listen 443 ssl default_server;
+ # listen [::]:443 ssl default_server;
+ #
+ # Note: You should disable gzip for SSL traffic.
+ # See: https://bugs.debian.org/773332
+ #
+ # Read up on ssl_ciphers to ensure a secure configuration.
+ # See: https://bugs.debian.org/765782
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ # include snippets/snakeoil.conf;
+
+ root /var/www/html;
+
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name _;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ }
+
+ # pass PHP scripts to FastCGI server
+ #
+ #location ~ \.php$ {
+ # include snippets/fastcgi-php.conf;
+ #
+ # # With php-fpm (or other unix sockets):
+ # fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+ # # With php-cgi (or other tcp sockets):
+ # fastcgi_pass 127.0.0.1:9000;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+# listen 80;
+# listen [::]:80;
+#
+# server_name example.com;
+#
+# root /var/www/example.com;
+# index index.html;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}
--- /dev/null
+#
+# Note: This file must be loaded before other virtual host config files,
+#
+# HTTPS
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name _;
+
+ root /var/www/html;
+ index index.php index.html;
+
+ include /etc/nginx/templates/misc.tmpl;
+ include /etc/nginx/templates/ssl.tmpl;
+ include /etc/nginx/templates/iredadmin.tmpl;
+ include /etc/nginx/templates/roundcube.tmpl;
+ include /etc/nginx/templates/sogo.tmpl;
+ include /etc/nginx/templates/netdata.tmpl;
+ include /etc/nginx/templates/php-catchall.tmpl;
+ include /etc/nginx/templates/stub_status.tmpl;
+}
--- /dev/null
+#
+# Note: This file must be loaded before other virtual host config files,
+#
+# HTTP
+server {
+ # Listen on ipv4
+ listen 80;
+ listen [::]:80;
+
+ server_name _;
+
+ # Redirect all insecure http:// requests to https://
+ return 301 https://$host$request_uri;
+}
+++ /dev/null
-##
-# You should look at the following URL's in order to grasp a solid understanding
-# of Nginx configuration files in order to fully unleash the power of Nginx.
-# https://www.nginx.com/resources/wiki/start/
-# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
-# https://wiki.debian.org/Nginx/DirectoryStructure
-#
-# In most cases, administrators will remove this file from sites-enabled/ and
-# leave it as reference inside of sites-available where it will continue to be
-# updated by the nginx packaging team.
-#
-# This file will automatically load configuration files provided by other
-# applications, such as Drupal or Wordpress. These applications will be made
-# available underneath a path with that package name, such as /drupal8.
-#
-# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
-##
-
-# Default server configuration
-#
-server {
- listen 80 default_server;
- listen [::]:80 default_server;
-
- # SSL configuration
- #
- # listen 443 ssl default_server;
- # listen [::]:443 ssl default_server;
- #
- # Note: You should disable gzip for SSL traffic.
- # See: https://bugs.debian.org/773332
- #
- # Read up on ssl_ciphers to ensure a secure configuration.
- # See: https://bugs.debian.org/765782
- #
- # Self signed certs generated by the ssl-cert package
- # Don't use them in a production server!
- #
- # include snippets/snakeoil.conf;
-
- root /var/www/html;
-
- # Add index.php to the list if you are using PHP
- index index.html index.htm index.nginx-debian.html;
-
- server_name _;
-
- location / {
- # First attempt to serve request as file, then
- # as directory, then fall back to displaying a 404.
- try_files $uri $uri/ =404;
- }
-
- # pass PHP scripts to FastCGI server
- #
- #location ~ \.php$ {
- # include snippets/fastcgi-php.conf;
- #
- # # With php-fpm (or other unix sockets):
- # fastcgi_pass unix:/run/php/php7.3-fpm.sock;
- # # With php-cgi (or other tcp sockets):
- # fastcgi_pass 127.0.0.1:9000;
- #}
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
-}
-
-
-# Virtual Host configuration for example.com
-#
-# You can move that to a different file under sites-available/ and symlink that
-# to sites-enabled/ to enable it.
-#
-#server {
-# listen 80;
-# listen [::]:80;
-#
-# server_name example.com;
-#
-# root /var/www/example.com;
-# index index.html;
-#
-# location / {
-# try_files $uri $uri/ =404;
-# }
-#}
--- /dev/null
+/etc/nginx/sites-available/default
\ No newline at end of file
--- /dev/null
+/etc/nginx/sites-available/00-default-ssl.conf
\ No newline at end of file
--- /dev/null
+/etc/nginx/sites-available/00-default.conf
\ No newline at end of file
+++ /dev/null
-/etc/nginx/sites-available/default
\ No newline at end of file
--- /dev/null
+# Sample setting for Adminer: http://adminer.org/
+
+# -----------------------------------------
+# How to get it working:
+#
+# mkdir /opt/www/adminer
+# cd /opt/www/adminer
+# wget http://www.adminer.org/latest.php
+# chmod +x latest.php
+#
+# Warning: for security concern, it's recommended to change the URL '/adminer'
+# to another random string to avoid login attempts from bad guys.
+# for example, change the url to '^/HIoWCwogSHukIbGL'.
+#
+# -----------------------------------------
+# If you cannot login to MySQL server as root user:
+#
+# New MySQL or MariaDB support plugin authentication, by default, the root
+# account has setting `user.plugin=unix_socket` (in `mysql` database). The
+# `auth_socket` authentication plugin authenticates clients that connect from
+# the local host through the Unix socket file, this prevents access via network
+# connection, including Adminer. To make it working, please disable this
+# authentication plugin with sql commands below:
+#
+# sql> USE mysql;
+# sql> UPDATE user SET plugin='' WHERE User='root';
+#
+# Refer to MySQL document for more details:
+# https://dev.mysql.com/doc/refman/5.7/en/socket-authentication-plugin.html
+
+location ~ ^/adminer$ {
+ include /etc/nginx/templates/hsts.tmpl;
+ include /etc/nginx/templates/fastcgi_php.tmpl;
+
+ fastcgi_param SCRIPT_FILENAME /opt/www/adminer/latest.php;
+
+ # Access control
+ #allow 127.0.0.1;
+ #allow 192.168.1.10;
+ #allow 192.168.1.0/24;
+ #deny all;
+}
+
+location ~ ^/adminer.css$ {
+ alias /opt/www/adminer/adminer.css;
+}
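Review bot: The setup comment tells the administrator to fetch executable PHP over plain HTTP (`wget http://www.adminer.org/latest.php`) with no integrity check, so whatever arrives on the wire ends up running under PHP-FPM. Change the instruction to `# wget https://www.adminer.org/latest.php` and add a line telling the reader to compare the download against the published checksum; the `chmod +x` step is not needed for a file executed through FastCGI. The second comment block recommends clearing the `unix_socket` plugin on the MariaDB `root` account so Adminer can log in; a dedicated, least-privileged database account for Adminer would avoid weakening root authentication. The "random URL" advice is obscurity only and should not replace enabling the commented-out `allow`/`deny` lines.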
--- /dev/null
+#
+# Template used to handle PHP fastcgi applications
+#
+# You still need to define `SCRIPT_FILENAME` for your PHP application, and
+# probably `fastcgi_index` if your application use different index file.
+#
+include fastcgi_params;
+
+# Directory index file
+fastcgi_index index.php;
+
+# Handle PHP files with upstream handler
+fastcgi_pass php_workers;
+
+# Fix the HTTPROXY issue.
+# Reference: https://httpoxy.org/
+fastcgi_param HTTP_PROXY '';
--- /dev/null
+# Use HTTP Strict Transport Security to force client to use secure
+# connections only. References:
+#
+# * RFC Document (6797): HTTP Strict Transport Security (HSTS)
+# https://tools.ietf.org/html/rfc6797#section-6.1.2
+#
+# * Short tutorial from Mozilla:
+# https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
+#
+# WARNING: According to RFC document, HSTS will fail with self-signed SSL
+# certificate.
+# https://tools.ietf.org/html/rfc6797#page-27
+#
+# Syntax:
+#
+# Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
+add_header Strict-Transport-Security "max-age=31536000";
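Review bot: This template is included inside `location` blocks elsewhere in the commit (adminer, iredadmin, roundcube, sogo), and nginx inherits `add_header` directives from an outer level only when the current level defines none. In every location that includes it, the headers from the headers.conf section (X-Frame-Options, X-Content-Type-Options, CSP, Referrer-Policy) are therefore presumably dropped and only Strict-Transport-Security is sent. Either include this template once at `server` level next to the other headers, or repeat the full header set wherever it is used, and document the behaviour with a comment such as `# add_header here replaces (does not extend) headers inherited from http/server level`. Adding `always` (`add_header Strict-Transport-Security "max-age=31536000" always;`) would also cover error responses.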
--- /dev/null
+#
+# Run iRedAdmin as a sub-domain virtual host.
+#
+include /etc/nginx/templates/hsts.tmpl;
+
+location / {
+ root /opt/www/iredadmin;
+ uwsgi_pass 127.0.0.1:7791;
+ uwsgi_param UWSGI_CHDIR /opt/www/iredadmin;
+ uwsgi_param UWSGI_SCRIPT iredadmin;
+ include uwsgi_params;
+}
+
+location /static {
+ alias /opt/www/iredadmin/static;
+}
--- /dev/null
+# Settings for iRedAdmin.
+
+# static files under /iredadmin/static
+location ~ ^/iredadmin/static/(.*) {
+ alias /opt/www/iredadmin/static/$1;
+}
+
+# Python scripts
+location ~ ^/iredadmin(.*) {
+ rewrite ^/iredadmin(/.*)$ $1 break;
+
+ include /etc/nginx/templates/hsts.tmpl;
+
+ include uwsgi_params;
+ uwsgi_pass 127.0.0.1:7791;
+ uwsgi_param UWSGI_CHDIR /opt/www/iredadmin;
+ uwsgi_param UWSGI_SCRIPT iredadmin;
+ uwsgi_param SCRIPT_NAME /iredadmin;
+
+ # Access control
+ #allow 127.0.0.1;
+ #allow 192.168.1.10;
+ #allow 192.168.1.0/24;
+ #deny all;
+}
+
+# iRedAdmin: redirect /iredadmin to /iredadmin/
+location = /iredadmin {
+ rewrite ^ /iredadmin/;
+}
+
+# Handle newsletter-style subscription/unsubscription supported in iRedAdmin-Pro.
+location ~ ^/newsletter/ {
+ rewrite /newsletter/(.*) /iredadmin/newsletter/$1 last;
+}
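Review bot: The `# Access control` lines in the `location ~ ^/iredadmin(.*)` block are all commented out, and this template is included by the HTTPS default server added in this commit, so the mail administration panel is reachable from any client address. Enable the restriction with the site's management range, e.g. `allow <admin network>;` followed by `deny all;`, or note in the comment that exposure is intentional and relies on the application login alone. The pattern `^/iredadmin(.*)` also matches paths that merely start with that string; `^/iredadmin(/.*)?$` would be tighter. adminer.tmpl carries the same commented-out block.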
--- /dev/null
+# Allow access to '^/.well-known/'
+location ~ ^/.well-known/ {
+ allow all;
+ access_log off;
+ log_not_found off;
+ autoindex off;
+ #root /var/www/html;
+}
+
+# Deny all attempts to access hidden files such as .htaccess.
+location ~ /\. { deny all; }
+
+# Handling noisy messages
+location = /favicon.ico { access_log off; log_not_found off; }
+location = /robots.txt { access_log off; log_not_found off; }
--- /dev/null
+#
+# Run netdata as a sub-domain virtual host.
+#
+# FYI: https://github.com/firehol/netdata/wiki/Running-behind-nginx
+
+location / {
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://127.0.0.1:19999;
+ proxy_http_version 1.1;
+ proxy_pass_request_headers on;
+ proxy_set_header Connection "keep-alive";
+ proxy_store off;
+
+ gzip on;
+ gzip_proxied any;
+ gzip_types *;
+
+ auth_basic "Authentication Required";
+ auth_basic_user_file /etc/nginx/netdata.users;
+}
--- /dev/null
+# Running netdata as a subfolder to an existing virtual host
+# FYI: https://github.com/firehol/netdata/wiki/Running-behind-nginx
+
+location = /netdata {
+ return 301 /netdata/;
+}
+
+location ~ /netdata/(?<ndpath>.*) {
+ proxy_redirect off;
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_pass_request_headers on;
+ proxy_set_header Connection "keep-alive";
+ proxy_store off;
+ proxy_pass http://127.0.0.1:19999/$ndpath$is_args$args;
+
+ gzip on;
+ gzip_proxied any;
+ gzip_types *;
+
+ auth_basic "Authentication Required";
+ auth_basic_user_file /etc/nginx/netdata.users;
+}
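Review bot: The regex in `location ~ /netdata/(?<ndpath>.*)` is not anchored, so it matches any URI that contains `/netdata/` anywhere, not only paths under the `/netdata/` prefix. Requests are still covered by `auth_basic`, so the impact is probably limited to unexpected routing, but anchoring makes the intent explicit: `location ~ ^/netdata/(?<ndpath>.*) {`.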
--- /dev/null
+# Normal PHP scripts
+location ~ \.php$ {
+ include /etc/nginx/templates/fastcgi_php.tmpl;
+
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+}
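Review bot: This catch-all passes every URI ending in `.php` to PHP-FPM without first checking that the script exists under the document root. Depending on the PHP `cgi.fix_pathinfo` and `security.limit_extensions` settings, which are not visible here, this is the configuration pitfall that lets a non-PHP file be interpreted as a script. Add `try_files $uri =404;` as the first line of the block so that only files actually present on disk reach the FastCGI handler.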
--- /dev/null
+# Redirect webmail/SOGo/iredadmin to HTTPS
+location ~ ^/mail { rewrite ^ https://$host$request_uri?; }
+location ~ ^/mail/index.php$ { rewrite ^ https://$host/mail/; }
+location ~* ^/sogo { rewrite ^ https://$host/SOGo; }
+location ~ ^/iredadmin { rewrite ^ https://$host$request_uri?; }
--- /dev/null
+#
+# Run Roundcube as a sub-domain virtual host.
+#
+# Block access to default directories and files under these directories
+location ~ ^/(bin|config|installer|logs|SQL|temp|vendor)/.* { deny all; }
+
+# Block access to default files under top-directory and files start with same name.
+location ~ ^/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)$ { deny all; }
+
+# Block plugin config files and sample config files.
+location ~ ^/plugins/.*/config.inc.php.* { deny all; }
+
+# Block access to plugin data
+location ~ ^/plugins/enigma/home($|/.*) { deny all; }
+
+location / {
+ root /opt/www/roundcubemail;
+ index index.php index.html;
+ include /etc/nginx/templates/hsts.tmpl;
+}
+
+location ~ \.php$ {
+ root /opt/www/roundcubemail;
+ include /etc/nginx/templates/fastcgi_php.tmpl;
+ fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail$fastcgi_script_name;
+}
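Review bot: The deny rules in this sub-domain variant are narrower than their comments and than the subfolder template that follows. `^/(CHANGELOG|…|UPGRADING)$` is anchored with `$`, so a file that only starts with one of those names (a README with an extension, for instance) is still served, although the comment says such files are blocked. Likewise `^/(bin|config|…|vendor)/.*` does not cover the bare directory name. Align both with the subfolder forms: `location ~ ^/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }` and `location ~ ^/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }`.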
--- /dev/null
+#
+# Running Roundcube as a subfolder on an existing virtual host
+#
+# Block access to default directories and files under these directories
+location ~ ^/mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }
+
+# Block access to default files under top-directory and files start with same name.
+location ~ ^/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
+
+# Block plugin config files and sample config files.
+location ~ ^/mail/plugins/.*/config.inc.php.* { deny all; }
+
+# Block access to plugin data
+location ~ ^/mail/plugins/enigma/home($|/.*) { deny all; }
+
+# Redirect URI `/mail` to `/mail/`.
+location = /mail {
+ return 301 /mail/;
+}
+
+location ~ ^/mail/(.*\.php)$ {
+ include /etc/nginx/templates/hsts.tmpl;
+ include /etc/nginx/templates/fastcgi_php.tmpl;
+ fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail/$1;
+}
+
+location ~ ^/mail/(.*) {
+ alias /opt/www/roundcubemail/$1;
+ index index.php;
+}
--- /dev/null
+#
+# Run SOGo as a sub-domain virtual host.
+#
+
+root /usr/lib/GNUstep/SOGo/WebServerResources;
+
+location / {
+ rewrite ^ https://$host/SOGo;
+}
+
+# For Mac OS X and iOS devices.
+rewrite ^/.well-known/caldav /SOGo/dav permanent;
+rewrite ^/.well-known/carddav /SOGo/dav permanent;
+rewrite ^/principals /SOGo/dav permanent;
+
+include /etc/nginx/templates/hsts.tmpl;
+
+location ^~ /SOGo {
+ proxy_pass http://127.0.0.1:20000;
+
+ # forward user's IP address
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+
+ # always use https
+ proxy_set_header x-webobjects-server-port $server_port;
+ proxy_set_header x-webobjects-server-name $host;
+ proxy_set_header x-webobjects-server-url https://$host;
+
+ proxy_set_header x-webobjects-server-protocol HTTP/1.0;
+}
+
+location ^~ /Microsoft-Server-ActiveSync {
+ proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
+
+ proxy_connect_timeout 3540;
+ proxy_send_timeout 3540;
+ proxy_read_timeout 3540;
+}
+
+location ^~ /SOGo/Microsoft-Server-ActiveSync {
+ proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
+
+ proxy_connect_timeout 3540;
+ proxy_send_timeout 3540;
+ proxy_read_timeout 3540;
+}
+
+location /SOGo.woa/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ expires max;
+}
+location /SOGo/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ expires max;
+}
+location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
+ alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+ expires max;
+}
+location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
+ alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+ expires max;
+}
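Review bot: The last two `location` blocks are written as regular expressions but lack the `~` modifier, so nginx treats `^/SOGo/so/ControlPanel/…` as a literal prefix string. They never match a real request, and the `$1`/`$2` references in their `alias` lines are not set by them. The first should read `location ~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {`. The second also needs its capture groups reworked, because as written group 1 would be the whole URI and group 2 the file extension. The SOGo subfolder template later in this commit repeats the first block.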
--- /dev/null
+# Settings for SOGo Groupware
+
+# SOGo
+location ~ ^/sogo { rewrite ^ https://$host/SOGo; }
+location ~ ^/SOGO { rewrite ^ https://$host/SOGo; }
+
+# Redirect /mail to /SOGo
+#location ~ ^/mail { rewrite ^ https://$host/SOGo; }
+
+# For Mac OS X and iOS devices.
+rewrite ^/.well-known/caldav /SOGo/dav permanent;
+rewrite ^/.well-known/carddav /SOGo/dav permanent;
+rewrite ^/principals /SOGo/dav permanent;
+
+location ^~ /SOGo {
+ include /etc/nginx/templates/hsts.tmpl;
+
+ proxy_pass http://127.0.0.1:20000;
+
+ # forward user's IP address
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+
+ # always use https
+ proxy_set_header x-webobjects-server-port $server_port;
+ proxy_set_header x-webobjects-server-name $host;
+ proxy_set_header x-webobjects-server-url https://$host;
+
+ proxy_set_header x-webobjects-server-protocol HTTP/1.0;
+}
+
+location ^~ /Microsoft-Server-ActiveSync {
+ proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
+
+ proxy_connect_timeout 3540;
+ proxy_send_timeout 3540;
+ proxy_read_timeout 3540;
+}
+
+location ^~ /SOGo/Microsoft-Server-ActiveSync {
+ proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
+
+ proxy_connect_timeout 3540;
+ proxy_send_timeout 3540;
+ proxy_read_timeout 3540;
+}
+
+location /SOGo.woa/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ expires max;
+}
+location /SOGo/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ expires max;
+}
+location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
+ alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+ expires max;
+}
--- /dev/null
+ssl_protocols TLSv1.2;
+
+# Fix 'The Logjam Attack'.
+ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
+ssl_prefer_server_ciphers on;
+ssl_dhparam /etc/ssl/dh2048_param.pem;
+
+# To use your own ssl cert (e.g. "Let's Encrypt"), please create symbol link to
+# ssl cert/key used below, so that we can manage this config file with Ansible.
+#
+# For example:
+#
+# rm -f /etc/ssl/private/iRedMail.key
+# rm -f /etc/ssl/certs/iRedMail.crt
+# ln -s /etc/letsencrypt/live/<domain>/privkey.pem /etc/ssl/private/iRedMail.key
+# ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /etc/ssl/certs/iRedMail.crt
+#
+# To request free "Let's Encrypt" cert, please check our tutorial:
+# https://docs.iredmail.org/letsencrypt.html
+ssl_certificate /etc/ssl/certs/iRedMail.crt;
+ssl_certificate_key /etc/ssl/private/iRedMail.key;
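Review bot: The `ssl_ciphers` value under the Logjam comment still admits CBC-mode suites through its `AES256+EECDH:AES256+EDH` entries, and `ssl_protocols TLSv1.2;` leaves TLS 1.3 off. If the mail clients this host must serve allow it, I would keep only the AEAD entries, `ssl_ciphers EECDH+AESGCM:EDH+AESGCM;`, and use `ssl_protocols TLSv1.2 TLSv1.3;` where the installed nginx/OpenSSL build supports it. The comment would be more accurate as `# Logjam: ephemeral DH only, with the 2048-bit group from ssl_dhparam below.`, since the mitigation is the DH parameter file and not the cipher list alone.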
--- /dev/null
+location = /stub_status {
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+ deny all;
+}
+
+location = /status {
+ include fastcgi_params;
+ fastcgi_pass php_workers;
+ fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
+ access_log off;
+ allow 127.0.0.1;
+ deny all;
+}
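Review bot: Both status locations allow only `127.0.0.1`, so a local monitoring agent that connects over the IPv6 loopback is refused; adding `allow ::1;` before `deny all;` in each block avoids the temptation to widen the ACL later. The rule is evaluated against the client address nginx sees, so if a realip configuration elsewhere rewrites `$remote_addr` from a forwarded header, these endpoints are only as trustworthy as that header. A comment such as `# loopback only; do not combine with set_real_ip_from for untrusted proxies` would record that. In the `/status` block, `SCRIPT_FILENAME $fastcgi_script_name` presumably relies on the PHP-FPM pool setting `pm.status_path = /status`, which is not visible here.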
dovenull:x:112:121:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
debian-spamd:x:113:122::/var/lib/spamassassin:/bin/sh
amavis:x:114:123:AMaViS system user,,,:/var/lib/amavis:/bin/sh
+vmail:x:2000:2000::/home/vmail:/usr/sbin/nologin
+mlmmj:x:2003:2003::/var/vmail/mlmmj:/usr/sbin/nologin
+iredadmin:x:2001:2001::/home/iredadmin:/usr/sbin/nologin
+iredapd:x:2002:2002::/home/iredapd:/usr/sbin/nologin
+netdata:x:2004:2004::/home/netdata:/usr/sbin/nologin
dovecot:x:111:120:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
dovenull:x:112:121:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
debian-spamd:x:113:122::/var/lib/spamassassin:/bin/sh
-amavis:x:114:123::/var/lib/amavis:/bin/sh
+amavis:x:114:123:AMaViS system user,,,:/var/lib/amavis:/bin/sh
+vmail:x:2000:2000::/home/vmail:/usr/sbin/nologin
+mlmmj:x:2003:2003::/var/vmail/mlmmj:/usr/sbin/nologin
+iredadmin:x:2001:2001::/home/iredadmin:/usr/sbin/nologin
+iredapd:x:2002:2002::/home/iredapd:/usr/sbin/nologin
; Pid file
; Note: the default prefix is /var
; Default Value: none
-pid = /run/php/php7.3-fpm.pid
+pid = /run/php/php-fpm.pid
; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; into a local file.
; Note: the default prefix is /var
; Default Value: log/php-fpm.log
-error_log = /var/log/php7.3-fpm.log
+error_log = syslog
; syslog_facility is used to specify what type of program is logging the
; message. This lets syslogd specify that messages from different facilities
; will be handled differently.
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
; Default Value: daemon
-;syslog.facility = daemon
+syslog.facility = local5
; syslog_ident is prepended to every message. If you have multiple FPM
; instances running on the same server, you can change the default value
; which must suit common needs.
; Default Value: php-fpm
-;syslog.ident = php-fpm
+syslog.ident = php-fpm
; Log level
; Possible Values: alert, error, warning, notice, debug
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
-disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
+disable_functions = posix_uname,eval,pcntl_wexitstatus,posix_getpwuid,xmlrpc_entity_decode,pcntl_wifstopped,pcntl_wifexited,pcntl_wifsignaled,phpAds_XmlRpc,pcntl_strerror,ftp_exec,pcntl_wtermsig,mysql_pconnect,proc_nice,pcntl_sigtimedwait,posix_kill,pcntl_sigprocmask,fput,phpinfo,system,phpAds_remoteInfo,ftp_login,inject_code,posix_mkfifo,highlight_file,escapeshellcmd,show_source,pcntl_wifcontinued,fp,pcntl_alarm,pcntl_wait,ini_alter,posix_setpgid,parse_ini_file,ftp_raw,pcntl_waitpid,pcntl_getpriority,ftp_connect,pcntl_signal_dispatch,pcntl_wstopsig,ini_restore,ftp_put,passthru,proc_terminate,posix_setsid,pcntl_signal,pcntl_setpriority,phpAds_xmlrpcEncode,pcntl_exec,ftp_nb_fput,ftp_get,phpAds_xmlrpcDecode,pcntl_sigwaitinfo,shell_exec,pcntl_get_last_error,ftp_rawlist,pcntl_fork,posix_setuid
; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names.
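Review bot: The new `disable_functions` value blocks `system`, `passthru` and `shell_exec` but leaves `exec`, `popen` and `proc_open` callable, so it does not close off command execution from PHP; if no hosted application needs them, they belong in the list. Several entries have no effect: `eval` is a language construct that this directive cannot disable, and `fp`, `fput`, `inject_code` and the `phpAds_*` names are not PHP built-ins as far as I can tell. Disabling `escapeshellcmd` removes a sanitizer rather than a risk and may break code that escapes its arguments correctly. The change also drops `pcntl_signal_get_handler` and `pcntl_async_signals`, which the old value listed.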
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
-expose_php = Off
+expose_php = Off;
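Review bot: `expose_php = Off;` ends with a semicolon, which PHP's INI parser reads as the start of a comment. The value still parses as `Off`, but the line looks like it has a statement terminator that INI does not have. The same applies to `memory_limit = 256M;`, `post_max_size = 12M;` and `upload_max_filesize = 10M;` in the hunks that follow. I would write them without the trailing character, e.g. `expose_php = Off`, so that anything later appended to one of these lines is not silently swallowed as a comment.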
;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
-memory_limit = 128M
+memory_limit = 256M;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;
; Its value may be 0 to disable the limit. It is ignored if POST data reading
; is disabled through enable_post_data_reading.
; http://php.net/post-max-size
-post_max_size = 8M
+post_max_size = 12M;
; Automatically add files before PHP document.
; http://php.net/auto-prepend-file
; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
-upload_max_filesize = 2M
+upload_max_filesize = 10M;
; Maximum number of files that can be uploaded via a single request
max_file_uploads = 20
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
-;date.timezone =
+date.timezone = GMT
; http://php.net/date.default-latitude
;date.default_latitude = 31.7667
; where MODE is the octal representation of the mode. Note that this
; does not overwrite the process's umask.
; http://php.net/session.save-path
-;session.save_path = "/var/lib/php/sessions"
+session.save_path = "/var/lib/php/sessions"
; Whether to use strict session mode.
; Strict session mode does not accept an uninitialized session ID, and
--- /dev/null
+[PHP]
+
+;;;;;;;;;;;;;;;;;;;
+; About php.ini ;
+;;;;;;;;;;;;;;;;;;;
+; PHP's initialization file, generally called php.ini, is responsible for
+; configuring many of the aspects of PHP's behavior.
+
+; PHP attempts to find and load this configuration from a number of locations.
+; The following is a summary of its search order:
+; 1. SAPI module specific location.
+; 2. The PHPRC environment variable. (As of PHP 5.2.0)
+; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
+; 4. Current working directory (except CLI)
+; 5. The web server's directory (for SAPI modules), or directory of PHP
+; (otherwise in Windows)
+; 6. The directory from the --with-config-file-path compile time option, or the
+; Windows directory (usually C:\windows)
+; See the PHP docs for more specific information.
+; http://php.net/configuration.file
+
+; The syntax of the file is extremely simple. Whitespace and lines
+; beginning with a semicolon are silently ignored (as you probably guessed).
+; Section headers (e.g. [Foo]) are also silently ignored, even though
+; they might mean something in the future.
+
+; Directives following the section heading [PATH=/www/mysite] only
+; apply to PHP files in the /www/mysite directory. Directives
+; following the section heading [HOST=www.example.com] only apply to
+; PHP files served from www.example.com. Directives set in these
+; special sections cannot be overridden by user-defined INI files or
+; at runtime. Currently, [PATH=] and [HOST=] sections only work under
+; CGI/FastCGI.
+; http://php.net/ini.sections
+
+; Directives are specified using the following syntax:
+; directive = value
+; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
+; Directives are variables used to configure PHP or PHP extensions.
+; There is no name validation. If PHP can't find an expected
+; directive because it is not set or is mistyped, a default value will be used.
+
+; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
+; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
+; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a
+; previously set variable or directive (e.g. ${foo})
+
+; Expressions in the INI file are limited to bitwise operators and parentheses:
+; | bitwise OR
+; ^ bitwise XOR
+; & bitwise AND
+; ~ bitwise NOT
+; ! boolean NOT
+
+; Boolean flags can be turned on using the values 1, On, True or Yes.
+; They can be turned off using the values 0, Off, False or No.
+
+; An empty string can be denoted by simply not writing anything after the equal
+; sign, or by using the None keyword:
+
+; foo = ; sets foo to an empty string
+; foo = None ; sets foo to an empty string
+; foo = "None" ; sets foo to the string 'None'
+
+; If you use constants in your value, and these constants belong to a
+; dynamically loaded extension (either a PHP extension or a Zend extension),
+; you may only use these constants *after* the line that loads the extension.
+
+;;;;;;;;;;;;;;;;;;;
+; About this file ;
+;;;;;;;;;;;;;;;;;;;
+; PHP comes packaged with two INI files. One that is recommended to be used
+; in production environments and one that is recommended to be used in
+; development environments.
+
+; php.ini-production contains settings which hold security, performance and
+; best practices at its core. But please be aware, these settings may break
+; compatibility with older or less security conscience applications. We
+; recommending using the production ini in production and testing environments.
+
+; php.ini-development is very similar to its production variant, except it is
+; much more verbose when it comes to errors. We recommend using the
+; development version only in development environments, as errors shown to
+; application users can inadvertently leak otherwise secure information.
+
+; This is the php.ini-production INI file.
+
+;;;;;;;;;;;;;;;;;;;
+; Quick Reference ;
+;;;;;;;;;;;;;;;;;;;
+; The following are all the settings which are different in either the production
+; or development versions of the INIs with respect to PHP's default behavior.
+; Please see the actual settings later in the document for more details as to why
+; we recommend these changes in PHP's behavior.
+
+; display_errors
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+
+; display_startup_errors
+; Default Value: Off
+; Development Value: On
+; Production Value: Off
+
+; error_reporting
+; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; html_errors
+; Default Value: On
+; Development Value: On
+; Production value: On
+
+; log_errors
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+
+; max_input_time
+; Default Value: -1 (Unlimited)
+; Development Value: 60 (60 seconds)
+; Production Value: 60 (60 seconds)
+
+; output_buffering
+; Default Value: Off
+; Development Value: 4096
+; Production Value: 4096
+
+; register_argc_argv
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+
+; request_order
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+
+; session.gc_divisor
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+
+; session.sid_bits_per_character
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+
+; short_open_tag
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+
+; variables_order
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS"
+
+;;;;;;;;;;;;;;;;;;;;
+; php.ini Options ;
+;;;;;;;;;;;;;;;;;;;;
+; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini"
+;user_ini.filename = ".user.ini"
+
+; To disable this feature set this option to an empty value
+;user_ini.filename =
+
+; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
+;user_ini.cache_ttl = 300
+
+;;;;;;;;;;;;;;;;;;;;
+; Language Options ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Enable the PHP scripting language engine under Apache.
+; http://php.net/engine
+engine = On
+
+; This directive determines whether or not PHP will recognize code between
+; <? and ?> tags as PHP source which should be processed as such. It is
+; generally recommended that <?php and ?> should be used and that this feature
+; should be disabled, as enabling it may result in issues when generating XML
+; documents, however this remains supported for backward compatibility reasons.
+; Note that this directive does not control the <?= shorthand tag, which can be
+; used regardless of this directive.
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/short-open-tag
+short_open_tag = Off
+
+; The number of significant digits displayed in floating point numbers.
+; http://php.net/precision
+precision = 14
+
+; Output buffering is a mechanism for controlling how much output data
+; (excluding headers and cookies) PHP should keep internally before pushing that
+; data to the client. If your application's output exceeds this setting, PHP
+; will send that data in chunks of roughly the size you specify.
+; Turning on this setting and managing its maximum buffer size can yield some
+; interesting side-effects depending on your application and web server.
+; You may be able to send headers and cookies after you've already sent output
+; through print or echo. You also may see performance benefits if your server is
+; emitting less packets due to buffered output versus PHP streaming the output
+; as it gets it. On production servers, 4096 bytes is a good setting for performance
+; reasons.
+; Note: Output buffering can also be controlled via Output Buffering Control
+; functions.
+; Possible Values:
+; On = Enabled and buffer is unlimited. (Use with caution)
+; Off = Disabled
+; Integer = Enables the buffer and sets its maximum size in bytes.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; Default Value: Off
+; Development Value: 4096
+; Production Value: 4096
+; http://php.net/output-buffering
+output_buffering = 4096
+
+; You can redirect all of the output of your scripts to a function. For
+; example, if you set output_handler to "mb_output_handler", character
+; encoding will be transparently converted to the specified encoding.
+; Setting any output handler automatically turns on output buffering.
+; Note: People who wrote portable scripts should not depend on this ini
+; directive. Instead, explicitly set the output handler using ob_start().
+; Using this ini directive may cause problems unless you know what script
+; is doing.
+; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
+; and you cannot use both "ob_gzhandler" and "zlib.output_compression".
+; Note: output_handler must be empty if this is set 'On' !!!!
+; Instead you must use zlib.output_handler.
+; http://php.net/output-handler
+;output_handler =
+
+; URL rewriter function rewrites URL on the fly by using
+; output buffer. You can set target tags by this configuration.
+; "form" tag is special tag. It will add hidden input tag to pass values.
+; Refer to session.trans_sid_tags for usage.
+; Default Value: "form="
+; Development Value: "form="
+; Production Value: "form="
+;url_rewriter.tags
+
+; URL rewriter will not rewrite absolute URL nor form by default. To enable
+; absolute URL rewrite, allowed hosts must be defined at RUNTIME.
+; Refer to session.trans_sid_hosts for more details.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;url_rewriter.hosts
+
+; Transparent output compression using the zlib library
+; Valid values for this option are 'off', 'on', or a specific buffer size
+; to be used for compression (default is 4KB)
+; Note: Resulting chunk size may vary due to nature of compression. PHP
+; outputs chunks that are few hundreds bytes each as a result of
+; compression. If you prefer a larger chunk size for better
+; performance, enable output_buffering in addition.
+; Note: You need to use zlib.output_handler instead of the standard
+; output_handler, or otherwise the output will be corrupted.
+; http://php.net/zlib.output-compression
+zlib.output_compression = Off
+
+; http://php.net/zlib.output-compression-level
+;zlib.output_compression_level = -1
+
+; You cannot specify additional output handlers if zlib.output_compression
+; is activated here. This setting does the same as output_handler but in
+; a different order.
+; http://php.net/zlib.output-handler
+;zlib.output_handler =
+
+; Implicit flush tells PHP to tell the output layer to flush itself
+; automatically after every output block. This is equivalent to calling the
+; PHP function flush() after each and every call to print() or echo() and each
+; and every HTML block. Turning this option on has serious performance
+; implications and is generally recommended for debugging purposes only.
+; http://php.net/implicit-flush
+; Note: This directive is hardcoded to On for the CLI SAPI
+implicit_flush = Off
+
+; The unserialize callback function will be called (with the undefined class'
+; name as parameter), if the unserializer finds an undefined class
+; which should be instantiated. A warning appears if the specified function is
+; not defined, or if the function doesn't include/implement the missing class.
+; So only set this entry, if you really want to implement such a
+; callback-function.
+unserialize_callback_func =
+
+; When floats & doubles are serialized, store serialize_precision significant
+; digits after the floating point. The default value ensures that when floats
+; are decoded with unserialize, the data will remain the same.
+; The value is also used for json_encode when encoding double values.
+; If -1 is used, then dtoa mode 0 is used which automatically select the best
+; precision.
+serialize_precision = -1
+
+; open_basedir, if set, limits all file operations to the defined directory
+; and below. This directive makes most sense if used in a per-directory
+; or per-virtualhost web server configuration file.
+; Note: disables the realpath cache
+; http://php.net/open-basedir
+;open_basedir =
+
+; This directive allows you to disable certain functions for security reasons.
+; It receives a comma-delimited list of function names.
+; http://php.net/disable-functions
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
+
+; This directive allows you to disable certain classes for security reasons.
+; It receives a comma-delimited list of class names.
+; http://php.net/disable-classes
+disable_classes =
+
+; Colors for Syntax Highlighting mode. Anything that's acceptable in
+; <span style="color: ???????"> would work.
+; http://php.net/syntax-highlighting
+;highlight.string = #DD0000
+;highlight.comment = #FF9900
+;highlight.keyword = #007700
+;highlight.default = #0000BB
+;highlight.html = #000000
+
+; If enabled, the request will be allowed to complete even if the user aborts
+; the request. Consider enabling it if executing long requests, which may end up
+; being interrupted by the user or a browser timing out. PHP's default behavior
+; is to disable this feature.
+; http://php.net/ignore-user-abort
+;ignore_user_abort = On
+
+; Determines the size of the realpath cache to be used by PHP. This value should
+; be increased on systems where PHP opens many files to reflect the quantity of
+; the file operations performed.
+; Note: if open_basedir is set, the cache is disabled
+; http://php.net/realpath-cache-size
+;realpath_cache_size = 4096k
+
+; Duration of time, in seconds for which to cache realpath information for a given
+; file or directory. For systems with rarely changing files, consider increasing this
+; value.
+; http://php.net/realpath-cache-ttl
+;realpath_cache_ttl = 120
+
+; Enables or disables the circular reference collector.
+; http://php.net/zend.enable-gc
+zend.enable_gc = On
+
+; If enabled, scripts may be written in encodings that are incompatible with
+; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such
+; encodings. To use this feature, mbstring extension must be enabled.
+; Default: Off
+;zend.multibyte = Off
+
+; Allows to set the default encoding for the scripts. This value will be used
+; unless "declare(encoding=...)" directive appears at the top of the script.
+; Only affects if zend.multibyte is set.
+; Default: ""
+;zend.script_encoding =
+
+;;;;;;;;;;;;;;;;;
+; Miscellaneous ;
+;;;;;;;;;;;;;;;;;
+
+; Decides whether PHP may expose the fact that it is installed on the server
+; (e.g. by adding its signature to the Web server header). It is no security
+; threat in any way, but it makes it possible to determine whether you use PHP
+; on your server or not.
+; http://php.net/expose-php
+expose_php = Off
+
+;;;;;;;;;;;;;;;;;;;
+; Resource Limits ;
+;;;;;;;;;;;;;;;;;;;
+
+; Maximum execution time of each script, in seconds
+; http://php.net/max-execution-time
+; Note: This directive is hardcoded to 0 for the CLI SAPI
+max_execution_time = 30
+
+; Maximum amount of time each script may spend parsing request data. It's a good
+; idea to limit this time on productions servers in order to eliminate unexpectedly
+; long running scripts.
+; Note: This directive is hardcoded to -1 for the CLI SAPI
+; Default Value: -1 (Unlimited)
+; Development Value: 60 (60 seconds)
+; Production Value: 60 (60 seconds)
+; http://php.net/max-input-time
+max_input_time = 60
+
+; Maximum input variable nesting level
+; http://php.net/max-input-nesting-level
+;max_input_nesting_level = 64
+
+; How many GET/POST/COOKIE input variables may be accepted
+;max_input_vars = 1000
+
+; Maximum amount of memory a script may consume (128MB)
+; http://php.net/memory-limit
+memory_limit = 128M
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Error handling and logging ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; This directive informs PHP of which errors, warnings and notices you would like
+; it to take action for. The recommended way of setting values for this
+; directive is through the use of the error level constants and bitwise
+; operators. The error level constants are below here for convenience as well as
+; some common settings and their meanings.
+; By default, PHP is set to take action on all errors, notices and warnings EXCEPT
+; those related to E_NOTICE and E_STRICT, which together cover best practices and
+; recommended coding standards in PHP. For performance reasons, this is the
+; recommend error reporting setting. Your production server shouldn't be wasting
+; resources complaining about best practices and coding standards. That's what
+; development servers and development settings are for.
+; Note: The php.ini-development file has this setting as E_ALL. This
+; means it pretty much reports everything which is exactly what you want during
+; development and early testing.
+;
+; Error Level Constants:
+; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0)
+; E_ERROR - fatal run-time errors
+; E_RECOVERABLE_ERROR - almost fatal run-time errors
+; E_WARNING - run-time warnings (non-fatal errors)
+; E_PARSE - compile-time parse errors
+; E_NOTICE - run-time notices (these are warnings which often result
+; from a bug in your code, but it's possible that it was
+; intentional (e.g., using an uninitialized variable and
+; relying on the fact it is automatically initialized to an
+; empty string)
+; E_STRICT - run-time notices, enable to have PHP suggest changes
+; to your code which will ensure the best interoperability
+; and forward compatibility of your code
+; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
+; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
+; initial startup
+; E_COMPILE_ERROR - fatal compile-time errors
+; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
+; E_USER_ERROR - user-generated error message
+; E_USER_WARNING - user-generated warning message
+; E_USER_NOTICE - user-generated notice message
+; E_DEPRECATED - warn about code that will not work in future versions
+; of PHP
+; E_USER_DEPRECATED - user-generated deprecation warnings
+;
+; Common Values:
+; E_ALL (Show all errors, warnings and notices including coding standards.)
+; E_ALL & ~E_NOTICE (Show all errors, except for notices)
+; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.)
+; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
+; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+; http://php.net/error-reporting
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; This directive controls whether or not and where PHP will output errors,
+; notices and warnings too. Error output is very useful during development, but
+; it could be very dangerous in production environments. Depending on the code
+; which is triggering the error, sensitive information could potentially leak
+; out of your application such as database usernames and passwords or worse.
+; For production environments, we recommend logging errors rather than
+; sending them to STDOUT.
+; Possible Values:
+; Off = Do not display any errors
+; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
+; On or stdout = Display errors to STDOUT
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-errors
+display_errors = Off
+
+; The display of errors which occur during PHP's startup sequence are handled
+; separately from display_errors. PHP's default behavior is to suppress those
+; errors from clients. Turning the display of startup errors on can be useful in
+; debugging configuration problems. We strongly recommend you
+; set this to 'off' for production servers.
+; Default Value: Off
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-startup-errors
+display_startup_errors = Off
+
+; Besides displaying errors, PHP can also log errors to locations such as a
+; server-specific log, STDERR, or a location specified by the error_log
+; directive found below. While errors should not be displayed on productions
+; servers they should still be monitored and logging is a great way to do that.
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+; http://php.net/log-errors
+log_errors = On
+
+; Set maximum length of log_errors. In error_log information about the source is
+; added. The default is 1024 and 0 allows to not apply any maximum length at all.
+; http://php.net/log-errors-max-len
+log_errors_max_len = 1024
+
+; Do not log repeated messages. Repeated errors must occur in same file on same
+; line unless ignore_repeated_source is set true.
+; http://php.net/ignore-repeated-errors
+ignore_repeated_errors = Off
+
+; Ignore source of message when ignoring repeated messages. When this setting
+; is On you will not log errors with repeated messages from different files or
+; source lines.
+; http://php.net/ignore-repeated-source
+ignore_repeated_source = Off
+
+; If this parameter is set to Off, then memory leaks will not be shown (on
+; stdout or in the log). This has only effect in a debug compile, and if
+; error reporting includes E_WARNING in the allowed list
+; http://php.net/report-memleaks
+report_memleaks = On
+
+; This setting is on by default.
+;report_zend_debug = 0
+
+; Store the last error/warning message in $php_errormsg (boolean). Setting this value
+; to On can assist in debugging and is appropriate for development servers. It should
+; however be disabled on production servers.
+; This directive is DEPRECATED.
+; Default Value: Off
+; Development Value: Off
+; Production Value: Off
+; http://php.net/track-errors
+;track_errors = Off
+
+; Turn off normal error reporting and emit XML-RPC error XML
+; http://php.net/xmlrpc-errors
+;xmlrpc_errors = 0
+
+; An XML-RPC faultCode
+;xmlrpc_error_number = 0
+
+; When PHP displays or logs an error, it has the capability of formatting the
+; error message as HTML for easier reading. This directive controls whether
+; the error message is formatted as HTML or not.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; Default Value: On
+; Development Value: On
+; Production value: On
+; http://php.net/html-errors
+html_errors = On
+
+; If html_errors is set to On *and* docref_root is not empty, then PHP
+; produces clickable error messages that direct to a page describing the error
+; or function causing the error in detail.
+; You can download a copy of the PHP manual from http://php.net/docs
+; and change docref_root to the base URL of your local copy including the
+; leading '/'. You must also specify the file extension being used including
+; the dot. PHP's default behavior is to leave these settings empty, in which
+; case no links to documentation are generated.
+; Note: Never use this feature for production boxes.
+; http://php.net/docref-root
+; Examples
+;docref_root = "/phpmanual/"
+
+; http://php.net/docref-ext
+;docref_ext = .html
+
+; String to output before an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-prepend-string
+; Example:
+;error_prepend_string = "<span style='color: #ff0000'>"
+
+; String to output after an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-append-string
+; Example:
+;error_append_string = "</span>"
+
+; Log errors to specified file. PHP's default behavior is to leave this value
+; empty.
+; http://php.net/error-log
+; Example:
+;error_log = php_errors.log
+; Log errors to syslog (Event Log on Windows).
+;error_log = syslog
+
+; The syslog ident is a string which is prepended to every message logged
+; to syslog. Only used when error_log is set to syslog.
+;syslog.ident = php
+
+; The syslog facility is used to specify what type of program is logging
+; the message. Only used when error_log is set to syslog.
+;syslog.facility = user
+
+; Set this to disable filtering control characters (the default).
+; Some loggers only accept NVT-ASCII, others accept anything that's not
+; control characters. If your logger accepts everything, then no filtering
+; is needed at all.
+; Allowed values are:
+; ascii (all printable ASCII characters and NL)
+; no-ctrl (all characters except control characters)
+; all (all characters)
+; raw (like "all", but messages are not split at newlines)
+; http://php.net/syslog.filter
+;syslog.filter = ascii
+
+;windows.show_crt_warning
+; Default value: 0
+; Development value: 0
+; Production value: 0
+
+;;;;;;;;;;;;;;;;;
+; Data Handling ;
+;;;;;;;;;;;;;;;;;
+
+; The separator used in PHP generated URLs to separate arguments.
+; PHP's default setting is "&".
+; http://php.net/arg-separator.output
+; Example:
+;arg_separator.output = "&"
+
+; List of separator(s) used by PHP to parse input URLs into variables.
+; PHP's default setting is "&".
+; NOTE: Every character in this directive is considered as separator!
+; http://php.net/arg-separator.input
+; Example:
+;arg_separator.input = ";&"
+
+; This directive determines which super global arrays are registered when PHP
+; starts up. G,P,C,E & S are abbreviations for the following respective super
+; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty
+; paid for the registration of these arrays and because ENV is not as commonly
+; used as the others, ENV is not recommended on productions servers. You
+; can still get access to the environment variables through getenv() should you
+; need to.
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS";
+; http://php.net/variables-order
+variables_order = "GPCS"
+
+; This directive determines which super global data (G,P & C) should be
+; registered into the super global array REQUEST. If so, it also determines
+; the order in which that data is registered. The values for this directive
+; are specified in the same manner as the variables_order directive,
+; EXCEPT one. Leaving this value empty will cause PHP to use the value set
+; in the variables_order directive. It does not mean it will leave the super
+; globals array REQUEST empty.
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+; http://php.net/request-order
+request_order = "GP"
+
+; This directive determines whether PHP registers $argv & $argc each time it
+; runs. $argv contains an array of all the arguments passed to PHP when a script
+; is invoked. $argc contains an integer representing the number of arguments
+; that were passed when the script was invoked. These arrays are extremely
+; useful when running scripts from the command line. When this directive is
+; enabled, registering these variables consumes CPU cycles and memory each time
+; a script is executed. For performance reasons, this feature should be disabled
+; on production servers.
+; Note: This directive is hardcoded to On for the CLI SAPI
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/register-argc-argv
+register_argc_argv = Off
+
+; When enabled, the ENV, REQUEST and SERVER variables are created when they're
+; first used (Just In Time) instead of when the script starts. If these
+; variables are not used within a script, having this directive on will result
+; in a performance gain. The PHP directive register_argc_argv must be disabled
+; for this directive to have any affect.
+; http://php.net/auto-globals-jit
+auto_globals_jit = On
+
+; Whether PHP will read the POST data.
+; This option is enabled by default.
+; Most likely, you won't want to disable this option globally. It causes $_POST
+; and $_FILES to always be empty; the only way you will be able to read the
+; POST data will be through the php://input stream wrapper. This can be useful
+; to proxy requests or to process the POST data in a memory efficient fashion.
+; http://php.net/enable-post-data-reading
+;enable_post_data_reading = Off
+
+; Maximum size of POST data that PHP will accept.
+; Its value may be 0 to disable the limit. It is ignored if POST data reading
+; is disabled through enable_post_data_reading.
+; http://php.net/post-max-size
+post_max_size = 8M
+
+; Automatically add files before PHP document.
+; http://php.net/auto-prepend-file
+auto_prepend_file =
+
+; Automatically add files after PHP document.
+; http://php.net/auto-append-file
+auto_append_file =
+
+; By default, PHP will output a media type using the Content-Type header. To
+; disable this, simply set it to be empty.
+;
+; PHP's built-in default media type is set to text/html.
+; http://php.net/default-mimetype
+default_mimetype = "text/html"
+
+; PHP's default character set is set to UTF-8.
+; http://php.net/default-charset
+default_charset = "UTF-8"
+
+; PHP internal character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/internal-encoding
+;internal_encoding =
+
+; PHP input character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/input-encoding
+;input_encoding =
+
+; PHP output character encoding is set to empty.
+; If empty, default_charset is used.
+; See also output_buffer.
+; http://php.net/output-encoding
+;output_encoding =
+
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; Paths and Directories ;
+;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; UNIX: "/path1:/path2"
+;include_path = ".:/usr/share/php"
+;
+; Windows: "\path1;\path2"
+;include_path = ".;c:\php\includes"
+;
+; PHP's default setting for include_path is ".;/path/to/php/pear"
+; http://php.net/include-path
+
+; The root of the PHP pages, used only if nonempty.
+; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
+; if you are running php as a CGI under any web server (other than IIS)
+; see documentation for security issues. The alternate is to use the
+; cgi.force_redirect configuration below
+; http://php.net/doc-root
+doc_root =
+
+; The directory under which PHP opens the script using /~username used only
+; if nonempty.
+; http://php.net/user-dir
+user_dir =
+
+; Directory in which the loadable extensions (modules) reside.
+; http://php.net/extension-dir
+;extension_dir = "./"
+; On windows:
+;extension_dir = "ext"
+
+; Directory where the temporary files should be placed.
+; Defaults to the system default (see sys_get_temp_dir)
+;sys_temp_dir = "/tmp"
+
+; Whether or not to enable the dl() function. The dl() function does NOT work
+; properly in multithreaded servers, such as IIS or Zeus, and is automatically
+; disabled on them.
+; http://php.net/enable-dl
+enable_dl = Off
+
+; cgi.force_redirect is necessary to provide security running PHP as a CGI under
+; most web servers. Left undefined, PHP turns this on by default. You can
+; turn it off here AT YOUR OWN RISK
+; **You CAN safely turn this off for IIS, in fact, you MUST.**
+; http://php.net/cgi.force-redirect
+;cgi.force_redirect = 1
+
+; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
+; every request. PHP's default behavior is to disable this feature.
+;cgi.nph = 1
+
+; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
+; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
+; will look for to know it is OK to continue execution. Setting this variable MAY
+; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
+; http://php.net/cgi.redirect-status-env
+;cgi.redirect_status_env =
+
+; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
+; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
+; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
+; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
+; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
+; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
+; http://php.net/cgi.fix-pathinfo
+;cgi.fix_pathinfo=1
+
+; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside
+; of the web tree and people will not be able to circumvent .htaccess security.
+;cgi.discard_path=1
+
+; FastCGI under IIS supports the ability to impersonate
+; security tokens of the calling client. This allows IIS to define the
+; security context that the request runs under. mod_fastcgi under Apache
+; does not currently support this feature (03/17/2002)
+; Set to 1 if running under IIS. Default is zero.
+; http://php.net/fastcgi.impersonate
+;fastcgi.impersonate = 1
+
+; Disable logging through FastCGI connection. PHP's default behavior is to enable
+; this feature.
+;fastcgi.logging = 0
+
+; cgi.rfc2616_headers configuration option tells PHP what type of headers to
+; use when sending HTTP response code. If set to 0, PHP sends Status: header that
+; is supported by Apache. When this option is set to 1, PHP will send
+; RFC2616 compliant header.
+; Default is zero.
+; http://php.net/cgi.rfc2616-headers
+;cgi.rfc2616_headers = 0
+
+; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
+; (shebang) at the top of the running script. This line might be needed if the
+; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
+; mode skips this line and ignores its content if this directive is turned on.
+; http://php.net/cgi.check-shebang-line
+;cgi.check_shebang_line=1
+
+;;;;;;;;;;;;;;;;
+; File Uploads ;
+;;;;;;;;;;;;;;;;
+
+; Whether to allow HTTP file uploads.
+; http://php.net/file-uploads
+file_uploads = On
+
+; Temporary directory for HTTP uploaded files (will use system default if not
+; specified).
+; http://php.net/upload-tmp-dir
+;upload_tmp_dir =
+
+; Maximum allowed size for uploaded files.
+; http://php.net/upload-max-filesize
+upload_max_filesize = 2M
+
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 20
+
+;;;;;;;;;;;;;;;;;;
+; Fopen wrappers ;
+;;;;;;;;;;;;;;;;;;
+
+; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-fopen
+allow_url_fopen = On
+
+; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-include
+allow_url_include = Off
+
+; Define the anonymous ftp password (your email address). PHP's default setting
+; for this is empty.
+; http://php.net/from
+;from="john@doe.com"
+
+; Define the User-Agent string. PHP's default setting for this is empty.
+; http://php.net/user-agent
+;user_agent="PHP"
+
+; Default timeout for socket based streams (seconds)
+; http://php.net/default-socket-timeout
+default_socket_timeout = 60
+
+; If your scripts have to deal with files from Macintosh systems,
+; or you are running on a Mac and need to deal with files from
+; unix or win32 systems, setting this flag will cause PHP to
+; automatically detect the EOL character in those files so that
+; fgets() and file() will work regardless of the source of the file.
+; http://php.net/auto-detect-line-endings
+;auto_detect_line_endings = Off
+
+;;;;;;;;;;;;;;;;;;;;;;
+; Dynamic Extensions ;
+;;;;;;;;;;;;;;;;;;;;;;
+
+; If you wish to have an extension loaded automatically, use the following
+; syntax:
+;
+; extension=modulename
+;
+; For example:
+;
+; extension=mysqli
+;
+; When the extension library to load is not located in the default extension
+; directory, You may specify an absolute path to the library file:
+;
+; extension=/path/to/extension/mysqli.so
+;
+; Note : The syntax used in previous PHP versions ('extension=<ext>.so' and
+; 'extension='php_<ext>.dll') is supported for legacy reasons and may be
+; deprecated in a future PHP major version. So, when it is possible, please
+; move to the new ('extension=<ext>) syntax.
+;
+; Notes for Windows environments :
+;
+; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+)
+; extension folders as well as the separate PECL DLL download (PHP 5+).
+; Be sure to appropriately set the extension_dir directive.
+;
+;extension=bz2
+;extension=curl
+;extension=fileinfo
+;extension=gd2
+;extension=gettext
+;extension=gmp
+;extension=intl
+;extension=imap
+;extension=interbase
+;extension=ldap
+;extension=mbstring
+;extension=exif ; Must be after mbstring as it depends on it
+;extension=mysqli
+;extension=oci8_12c ; Use with Oracle Database 12c Instant Client
+;extension=odbc
+;extension=openssl
+;extension=pdo_firebird
+;extension=pdo_mysql
+;extension=pdo_oci
+;extension=pdo_odbc
+;extension=pdo_pgsql
+;extension=pdo_sqlite
+;extension=pgsql
+;extension=shmop
+
+; The MIBS data available in the PHP distribution must be installed.
+; See http://www.php.net/manual/en/snmp.installation.php
+;extension=snmp
+
+;extension=soap
+;extension=sockets
+;extension=sodium
+;extension=sqlite3
+;extension=tidy
+;extension=xmlrpc
+;extension=xsl
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+
+[CLI Server]
+; Whether the CLI web server uses ANSI color coding in its terminal output.
+cli_server.color = On
+
+[Date]
+; Defines the default timezone used by the date functions
+; http://php.net/date.timezone
+;date.timezone =
+
+; http://php.net/date.default-latitude
+;date.default_latitude = 31.7667
+
+; http://php.net/date.default-longitude
+;date.default_longitude = 35.2333
+
+; http://php.net/date.sunrise-zenith
+;date.sunrise_zenith = 90.583333
+
+; http://php.net/date.sunset-zenith
+;date.sunset_zenith = 90.583333
+
+[filter]
+; http://php.net/filter.default
+;filter.default = unsafe_raw
+
+; http://php.net/filter.default-flags
+;filter.default_flags =
+
+[iconv]
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; If empty, default_charset or input_encoding or iconv.input_encoding is used.
+; The precedence is: default_charset < input_encoding < iconv.input_encoding
+;iconv.input_encoding =
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;iconv.internal_encoding =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; If empty, default_charset or output_encoding or iconv.output_encoding is used.
+; The precedence is: default_charset < output_encoding < iconv.output_encoding
+; To use an output encoding conversion, iconv's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+;iconv.output_encoding =
+
+[imap]
+; rsh/ssh logins are disabled by default. Use this INI entry if you want to
+; enable them. Note that the IMAP library does not filter mailbox names before
+; passing them to rsh/ssh command, thus passing untrusted data to this function
+; with rsh/ssh enabled is insecure.
+;imap.enable_insecure_rsh=0
+
+[intl]
+;intl.default_locale =
+; This directive allows you to produce PHP errors when some error
+; happens within intl functions. The value is the level of the error produced.
+; Default is 0, which does not produce any errors.
+;intl.error_level = E_WARNING
+;intl.use_exceptions = 0
+
+[sqlite3]
+; Directory pointing to SQLite3 extensions
+; http://php.net/sqlite3.extension-dir
+;sqlite3.extension_dir =
+
+; SQLite defensive mode flag (only available from SQLite 3.26+)
+; When the defensive flag is enabled, language features that allow ordinary
+; SQL to deliberately corrupt the database file are disabled. This forbids
+; writing directly to the schema, shadow tables (eg. FTS data tables), or
+; the sqlite_dbpage virtual table.
+; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
+; (for older SQLite versions, this flag has no use)
+;sqlite3.defensive = 1
+
+[Pcre]
+; PCRE library backtracking limit.
+; http://php.net/pcre.backtrack-limit
+;pcre.backtrack_limit=100000
+
+; PCRE library recursion limit.
+; Please note that if you set this value to a high number you may consume all
+; the available process stack and eventually crash PHP (due to reaching the
+; stack size limit imposed by the Operating System).
+; http://php.net/pcre.recursion-limit
+;pcre.recursion_limit=100000
+
+; Enables or disables JIT compilation of patterns. This requires the PCRE
+; library to be compiled with JIT support.
+;pcre.jit=1
+
+[Pdo]
+; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
+; http://php.net/pdo-odbc.connection-pooling
+;pdo_odbc.connection_pooling=strict
+
+;pdo_odbc.db2_instance_name
+
+[Pdo_mysql]
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+pdo_mysql.default_socket=
+
+[Phar]
+; http://php.net/phar.readonly
+;phar.readonly = On
+
+; http://php.net/phar.require-hash
+;phar.require_hash = On
+
+;phar.cache_list =
+
+[mail function]
+; For Win32 only.
+; http://php.net/smtp
+SMTP = localhost
+; http://php.net/smtp-port
+smtp_port = 25
+
+; For Win32 only.
+; http://php.net/sendmail-from
+;sendmail_from = me@example.com
+
+; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
+; http://php.net/sendmail-path
+;sendmail_path =
+
+; Force the addition of the specified parameters to be passed as extra parameters
+; to the sendmail binary. These parameters will always replace the value of
+; the 5th parameter to mail().
+;mail.force_extra_parameters =
+
+; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
+mail.add_x_header = Off
+
+; The path to a log file that will log all mail() calls. Log entries include
+; the full path of the script, line number, To address and headers.
+;mail.log =
+; Log mail to syslog (Event Log on Windows).
+;mail.log = syslog
+
+[ODBC]
+; http://php.net/odbc.default-db
+;odbc.default_db = Not yet implemented
+
+; http://php.net/odbc.default-user
+;odbc.default_user = Not yet implemented
+
+; http://php.net/odbc.default-pw
+;odbc.default_pw = Not yet implemented
+
+; Controls the ODBC cursor model.
+; Default: SQL_CURSOR_STATIC (default).
+;odbc.default_cursortype
+
+; Allow or prevent persistent links.
+; http://php.net/odbc.allow-persistent
+odbc.allow_persistent = On
+
+; Check that a connection is still valid before reuse.
+; http://php.net/odbc.check-persistent
+odbc.check_persistent = On
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/odbc.max-persistent
+odbc.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+; http://php.net/odbc.max-links
+odbc.max_links = -1
+
+; Handling of LONG fields. Returns number of bytes to variables. 0 means
+; passthru.
+; http://php.net/odbc.defaultlrl
+odbc.defaultlrl = 4096
+
+; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
+; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
+; of odbc.defaultlrl and odbc.defaultbinmode
+; http://php.net/odbc.defaultbinmode
+odbc.defaultbinmode = 1
+
+[Interbase]
+; Allow or prevent persistent links.
+ibase.allow_persistent = 1
+
+; Maximum number of persistent links. -1 means no limit.
+ibase.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+ibase.max_links = -1
+
+; Default database name for ibase_connect().
+;ibase.default_db =
+
+; Default username for ibase_connect().
+;ibase.default_user =
+
+; Default password for ibase_connect().
+;ibase.default_password =
+
+; Default charset for ibase_connect().
+;ibase.default_charset =
+
+; Default timestamp format.
+ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
+
+; Default date format.
+ibase.dateformat = "%Y-%m-%d"
+
+; Default time format.
+ibase.timeformat = "%H:%M:%S"
+
+[MySQLi]
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/mysqli.max-persistent
+mysqli.max_persistent = -1
+
+; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
+; http://php.net/mysqli.allow_local_infile
+;mysqli.allow_local_infile = On
+
+; Allow or prevent persistent links.
+; http://php.net/mysqli.allow-persistent
+mysqli.allow_persistent = On
+
+; Maximum number of links. -1 means no limit.
+; http://php.net/mysqli.max-links
+mysqli.max_links = -1
+
+; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
+; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
+; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
+; at MYSQL_PORT.
+; http://php.net/mysqli.default-port
+mysqli.default_port = 3306
+
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/mysqli.default-socket
+mysqli.default_socket =
+
+; Default host for mysql_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-host
+mysqli.default_host =
+
+; Default user for mysql_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-user
+mysqli.default_user =
+
+; Default password for mysqli_connect() (doesn't apply in safe mode).
+; Note that this is generally a *bad* idea to store passwords in this file.
+; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
+; and reveal this password! And of course, any users with read access to this
+; file will be able to reveal the password as well.
+; http://php.net/mysqli.default-pw
+mysqli.default_pw =
+
+; Allow or prevent reconnect
+mysqli.reconnect = Off
+
+[mysqlnd]
+; Enable / Disable collection of general statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_statistics = On
+
+; Enable / Disable collection of memory usage statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_memory_statistics = Off
+
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+;mysqlnd.mempool_default_size = 16000
+
+; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
+;mysqlnd.net_cmd_buffer_size = 2048
+
+; Size of a pre-allocated buffer used for reading data sent by the server in
+; bytes.
+;mysqlnd.net_read_buffer_size = 32768
+
+; Timeout for network requests in seconds.
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+;mysqlnd.sha256_server_public_key =
+
+[OCI8]
+
+; Connection: Enables privileged connections using external
+; credentials (OCI_SYSOPER, OCI_SYSDBA)
+; http://php.net/oci8.privileged-connect
+;oci8.privileged_connect = Off
+
+; Connection: The maximum number of persistent OCI8 connections per
+; process. Using -1 means no limit.
+; http://php.net/oci8.max-persistent
+;oci8.max_persistent = -1
+
+; Connection: The maximum number of seconds a process is allowed to
+; maintain an idle persistent connection. Using -1 means idle
+; persistent connections will be maintained forever.
+; http://php.net/oci8.persistent-timeout
+;oci8.persistent_timeout = -1
+
+; Connection: The number of seconds that must pass before issuing a
+; ping during oci_pconnect() to check the connection validity. When
+; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
+; pings completely.
+; http://php.net/oci8.ping-interval
+;oci8.ping_interval = 60
+
+; Connection: Set this to a user chosen connection class to be used
+; for all pooled server requests with Oracle 11g Database Resident
+; Connection Pooling (DRCP). To use DRCP, this value should be set to
+; the same string for all web servers running the same application,
+; the database pool must be configured, and the connection string must
+; specify to use a pooled server.
+;oci8.connection_class =
+
+; High Availability: Using On lets PHP receive Fast Application
+; Notification (FAN) events generated when a database node fails. The
+; database must also be configured to post FAN events.
+;oci8.events = Off
+
+; Tuning: This option enables statement caching, and specifies how
+; many statements to cache. Using 0 disables statement caching.
+; http://php.net/oci8.statement-cache-size
+;oci8.statement_cache_size = 20
+
+; Tuning: Enables statement prefetching and sets the default number of
+; rows that will be fetched automatically after statement execution.
+; http://php.net/oci8.default-prefetch
+;oci8.default_prefetch = 100
+
+; Compatibility. Using On means oci_close() will not close
+; oci_connect() and oci_new_connect() connections.
+; http://php.net/oci8.old-oci-close-semantics
+;oci8.old_oci_close_semantics = Off
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[browscap]
+; http://php.net/browscap
+;browscap = extra/browscap.ini
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+
+; Argument passed to save_handler. In the case of files, this is the path
+; where data files are stored. Note: Windows users have to change this
+; variable in order to use PHP's session functions.
+;
+; The path can be defined as:
+;
+; session.save_path = "N;/path"
+;
+; where N is an integer. Instead of storing all the session files in
+; /path, what this will do is use subdirectories N-levels deep, and
+; store the session data in those directories. This is useful if
+; your OS has problems with many files in one directory, and is
+; a more efficient layout for servers that handle many sessions.
+;
+; NOTE 1: PHP will not create this directory structure automatically.
+; You can use the script in the ext/session dir for that purpose.
+; NOTE 2: See the section on garbage collection below if you choose to
+; use subdirectories for session storage
+;
+; The file storage module creates files using mode 600 by default.
+; You can change that by using
+;
+; session.save_path = "N;MODE;/path"
+;
+; where MODE is the octal representation of the mode. Note that this
+; does not overwrite the process's umask.
+; http://php.net/session.save-path
+;session.save_path = "/var/lib/php/sessions"
+
+; Whether to use strict session mode.
+; Strict session mode does not accept an uninitialized session ID, and
+; regenerates the session ID if the browser sends an uninitialized session ID.
+; Strict mode protects applications from session fixation via a session adoption
+; vulnerability. It is disabled by default for maximum compatibility, but
+; enabling it is encouraged.
+; https://wiki.php.net/rfc/strict_sessions
+session.use_strict_mode = 0
+
+; Whether to use cookies.
+; http://php.net/session.use-cookies
+session.use_cookies = 1
+
+; http://php.net/session.cookie-secure
+;session.cookie_secure =
+
+; This option forces PHP to fetch and use a cookie for storing and maintaining
+; the session id. We encourage this operation as it's very helpful in combating
+; session hijacking when not specifying and managing your own session id. It is
+; not the be-all and end-all of session hijacking defense, but it's a good start.
+; http://php.net/session.use-only-cookies
+session.use_only_cookies = 1
+
+; Name of the session (used as cookie name).
+; http://php.net/session.name
+session.name = PHPSESSID
+
+; Initialize session on request startup.
+; http://php.net/session.auto-start
+session.auto_start = 0
+
+; Lifetime in seconds of cookie or, if 0, until browser is restarted.
+; http://php.net/session.cookie-lifetime
+session.cookie_lifetime = 0
+
+; The path for which the cookie is valid.
+; http://php.net/session.cookie-path
+session.cookie_path = /
+
+; The domain for which the cookie is valid.
+; http://php.net/session.cookie-domain
+session.cookie_domain =
+
+; Whether or not to add the httpOnly flag to the cookie, which makes it
+; inaccessible to browser scripting languages such as JavaScript.
+; http://php.net/session.cookie-httponly
+session.cookie_httponly =
+
+; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
+; Current valid values are "Strict", "Lax" or "None". When using "None",
+; make sure to include the quotes, as `none` is interpreted like `false` in ini files.
+; https://tools.ietf.org/html/draft-west-first-party-cookies-07
+session.cookie_samesite =
+
+; Handler used to serialize data. php is the standard serializer of PHP.
+; http://php.net/session.serialize-handler
+session.serialize_handler = php
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.gc-probability
+session.gc_probability = 0
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; For high volume production servers, using a value of 1000 is a more efficient approach.
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+; http://php.net/session.gc-divisor
+session.gc_divisor = 1000
+
+; After this number of seconds, stored data will be seen as 'garbage' and
+; cleaned up by the garbage collection process.
+; http://php.net/session.gc-maxlifetime
+session.gc_maxlifetime = 1440
+
+; NOTE: If you are using the subdirectory option for storing session files
+; (see session.save_path above), then garbage collection does *not*
+; happen automatically. You will need to do your own garbage
+; collection through a shell script, cron entry, or some other method.
+; For example, the following script is the equivalent of setting
+; session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
+; find /path/to/sessions -cmin +24 -type f | xargs rm
+
+; Check HTTP Referer to invalidate externally stored URLs containing ids.
+; HTTP_REFERER has to contain this substring for the session to be
+; considered as valid.
+; http://php.net/session.referer-check
+session.referer_check =
+
+; Set to {nocache,private,public,} to determine HTTP caching aspects
+; or leave this empty to avoid sending anti-caching headers.
+; http://php.net/session.cache-limiter
+session.cache_limiter = nocache
+
+; Document expires after n minutes.
+; http://php.net/session.cache-expire
+session.cache_expire = 180
+
+; trans sid support is disabled by default.
+; Use of trans sid may risk your users' security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publicly accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
+; http://php.net/session.use-trans-sid
+session.use_trans_sid = 0
+
+; Set session ID character length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users should use 32 or more chars.
+; http://php.net/session.sid-length
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
+
+; The URL rewriter will look for URLs in a defined set of HTML tags.
+; <form> is special; if you include them here, the rewriter will
+; add a hidden <input> field with the info which is otherwise appended
+; to URLs. <form> tag's action attribute URL will not be modified
+; unless it is specified.
+; Note that all valid entries require a "=", even if no value follows.
+; Default Value: "a=href,area=href,frame=src,form="
+; Development Value: "a=href,area=href,frame=src,form="
+; Production Value: "a=href,area=href,frame=src,form="
+; http://php.net/url-rewriter.tags
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+
+; URL rewriter does not rewrite absolute URLs by default.
+; To enable rewrites for absolute paths, target hosts must be specified
+; at RUNTIME. i.e. use ini_set()
+; <form> tags is special. PHP will check action attribute's URL regardless
+; of session.trans_sid_tags setting.
+; If no host is defined, HTTP_HOST will be used for allowed host.
+; Example value: php.net,www.php.net,wiki.php.net
+; Use "," for multiple hosts. No spaces are allowed.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;session.trans_sid_hosts=""
+
+; Define how many bits are stored in each character when converting
+; the binary hash data to something readable.
+; Possible values:
+; 4 (4 bits: 0-9, a-f)
+; 5 (5 bits: 0-9, a-v)
+; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+; http://php.net/session.hash-bits-per-character
+session.sid_bits_per_character = 5
+
+; Enable upload progress tracking in $_SESSION
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.enabled
+;session.upload_progress.enabled = On
+
+; Cleanup the progress information as soon as all POST data has been read
+; (i.e. upload completed).
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.cleanup
+;session.upload_progress.cleanup = On
+
+; A prefix used for the upload progress key in $_SESSION
+; Default Value: "upload_progress_"
+; Development Value: "upload_progress_"
+; Production Value: "upload_progress_"
+; http://php.net/session.upload-progress.prefix
+;session.upload_progress.prefix = "upload_progress_"
+
+; The index name (concatenated with the prefix) in $_SESSION
+; containing the upload progress information
+; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; http://php.net/session.upload-progress.name
+;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
+
+; How frequently the upload progress should be updated.
+; Given either in percentages (per-file), or in bytes
+; Default Value: "1%"
+; Development Value: "1%"
+; Production Value: "1%"
+; http://php.net/session.upload-progress.freq
+;session.upload_progress.freq = "1%"
+
+; The minimum delay between updates, in seconds
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.upload-progress.min-freq
+;session.upload_progress.min_freq = "1"
+
+; Only write session data when session data is changed. Enabled by default.
+; http://php.net/session.lazy-write
+;session.lazy_write = On
+
+[Assertion]
+; Switch whether to compile assertions at all (to have no overhead at run-time)
+; -1: Do not compile at all
+; 0: Jump over assertion at run-time
+; 1: Execute assertions
+; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
+; Default Value: 1
+; Development Value: 1
+; Production Value: -1
+; http://php.net/zend.assertions
+zend.assertions = -1
+
+; Assert(expr); active by default.
+; http://php.net/assert.active
+;assert.active = On
+
+; Throw an AssertionError on failed assertions
+; http://php.net/assert.exception
+;assert.exception = On
+
+; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active)
+; http://php.net/assert.warning
+;assert.warning = On
+
+; Don't bail out by default.
+; http://php.net/assert.bail
+;assert.bail = Off
+
+; User-function to be called if an assertion fails.
+; http://php.net/assert.callback
+;assert.callback = 0
+
+; Eval the expression with current error_reporting(). Set to true if you want
+; error_reporting(0) around the eval().
+; http://php.net/assert.quiet-eval
+;assert.quiet_eval = 0
+
+[COM]
+; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
+; http://php.net/com.typelib-file
+;com.typelib_file =
+
+; allow Distributed-COM calls
+; http://php.net/com.allow-dcom
+;com.allow_dcom = true
+
+; autoregister constants of a component's typlib on com_load()
+; http://php.net/com.autoregister-typelib
+;com.autoregister_typelib = true
+
+; register constants casesensitive
+; http://php.net/com.autoregister-casesensitive
+;com.autoregister_casesensitive = false
+
+; show warnings on duplicate constant registrations
+; http://php.net/com.autoregister-verbose
+;com.autoregister_verbose = true
+
+; The default character set code-page to use when passing strings to and from COM objects.
+; Default: system ANSI code page
+;com.code_page=
+
+[mbstring]
+; language for internal character representation.
+; This affects mb_send_mail() and mbstring.detect_order.
+; http://php.net/mbstring.language
+;mbstring.language = Japanese
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; internal/script encoding.
+; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*)
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;mbstring.internal_encoding =
+
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; http input encoding.
+; mbstring.encoding_translation = On is needed to use this setting.
+; If empty, default_charset or input_encoding or mbstring.input is used.
+; The precedence is: default_charset < input_encoding < mbsting.http_input
+; http://php.net/mbstring.http-input
+;mbstring.http_input =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; http output encoding.
+; mb_output_handler must be registered as output buffer to function.
+; If empty, default_charset or output_encoding or mbstring.http_output is used.
+; The precedence is: default_charset < output_encoding < mbstring.http_output
+; To use an output encoding conversion, mbstring's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+; http://php.net/mbstring.http-output
+;mbstring.http_output =
+
+; enable automatic encoding translation according to
+; mbstring.internal_encoding setting. Input chars are
+; converted to internal encoding by setting this to On.
+; Note: Do _not_ use automatic encoding translation for
+; portable libs/applications.
+; http://php.net/mbstring.encoding-translation
+;mbstring.encoding_translation = Off
+
+; automatic encoding detection order.
+; "auto" detect order is changed according to mbstring.language
+; http://php.net/mbstring.detect-order
+;mbstring.detect_order = auto
+
+; substitute_character used when character cannot be converted
+; one from another
+; http://php.net/mbstring.substitute-character
+;mbstring.substitute_character = none
+
+; overload(replace) single byte functions by mbstring functions.
+; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
+; etc. Possible values are 0,1,2,4 or combination of them.
+; For example, 7 for overload everything.
+; 0: No overload
+; 1: Overload mail() function
+; 2: Overload str*() functions
+; 4: Overload ereg*() functions
+; http://php.net/mbstring.func-overload
+;mbstring.func_overload = 0
+
+; enable strict encoding detection.
+; Default: Off
+;mbstring.strict_detection = On
+
+; This directive specifies the regex pattern of content types for which mb_output_handler()
+; is activated.
+; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml)
+;mbstring.http_output_conv_mimetype=
+
+; This directive specifies maximum stack depth for mbstring regular expressions. It is similar
+; to the pcre.recursion_limit for PCRE.
+; Default: 100000
+;mbstring.regex_stack_limit=100000
+
+[gd]
+; Tell the jpeg decode to ignore warnings and try to create
+; a gd image. The warning will then be displayed as notices
+; disabled by default
+; http://php.net/gd.jpeg-ignore-warning
+;gd.jpeg_ignore_warning = 1
+
+[exif]
+; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
+; With mbstring support this will automatically be converted into the encoding
+; given by corresponding encode setting. When empty mbstring.internal_encoding
+; is used. For the decode settings you can distinguish between motorola and
+; intel byte order. A decode setting cannot be empty.
+; http://php.net/exif.encode-unicode
+;exif.encode_unicode = ISO-8859-15
+
+; http://php.net/exif.decode-unicode-motorola
+;exif.decode_unicode_motorola = UCS-2BE
+
+; http://php.net/exif.decode-unicode-intel
+;exif.decode_unicode_intel = UCS-2LE
+
+; http://php.net/exif.encode-jis
+;exif.encode_jis =
+
+; http://php.net/exif.decode-jis-motorola
+;exif.decode_jis_motorola = JIS
+
+; http://php.net/exif.decode-jis-intel
+;exif.decode_jis_intel = JIS
+
+[Tidy]
+; The path to a default tidy configuration file to use when using tidy
+; http://php.net/tidy.default-config
+;tidy.default_config = /usr/local/lib/php/default.tcfg
+
+; Should tidy clean and repair output automatically?
+; WARNING: Do not use this option if you are generating non-html content
+; such as dynamic images
+; http://php.net/tidy.clean-output
+tidy.clean_output = Off
+
+[soap]
+; Enables or disables WSDL caching feature.
+; http://php.net/soap.wsdl-cache-enabled
+soap.wsdl_cache_enabled=1
+
+; Sets the directory name where SOAP extension will put cache files.
+; http://php.net/soap.wsdl-cache-dir
+soap.wsdl_cache_dir="/tmp"
+
+; (time to live) Sets the number of second while cached file will be used
+; instead of original one.
+; http://php.net/soap.wsdl-cache-ttl
+soap.wsdl_cache_ttl=86400
+
+; Sets the size of the cache limit. (Max. number of WSDL files to cache)
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+; A default size of the shared memory segment
+;sysvshm.init_mem = 10000
+
+[ldap]
+; Sets the maximum number of open links or -1 for unlimited.
+ldap.max_links = -1
+
+[dba]
+;dba.default_handler=
+
+[opcache]
+; Determines if Zend OPCache is enabled
+;opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+;opcache.enable_cli=0
+
+; The OPcache shared memory storage size.
+;opcache.memory_consumption=128
+
+; The amount of memory for interned strings in Mbytes.
+;opcache.interned_strings_buffer=8
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+;opcache.max_accelerated_files=10000
+
+; The maximum percentage of "wasted" memory until a restart is scheduled.
+;opcache.max_wasted_percentage=5
+
+; When this directive is enabled, the OPcache appends the current working
+; directory to the script key, thus eliminating possible collisions between
+; files with the same name (basename). Disabling the directive improves
+; performance, but may break existing applications.
+;opcache.use_cwd=1
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+;opcache.validate_timestamps=1
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+;opcache.revalidate_freq=2
+
+; Enables or disables file search in include_path optimization
+;opcache.revalidate_path=0
+
+; If disabled, all PHPDoc comments are dropped from the code to reduce the
+; size of the optimized code.
+;opcache.save_comments=1
+
+; Allow file existence override (file_exists, etc.) performance feature.
+;opcache.enable_file_override=0
+
+; A bitmask, where each bit enables or disables the appropriate OPcache
+; passes
+;opcache.optimization_level=0x7FFFBFFF
+
+;opcache.dups_fix=0
+
+; The location of the OPcache blacklist file (wildcards allowed).
+; Each OPcache blacklist file is a text file that holds the names of files
+; that should not be accelerated. The file format is to add each filename
+; to a new line. The filename may be a full path or just a file prefix
+; (i.e., /var/www/x blacklists all the files and directories in /var/www
+; that start with 'x'). Line starting with a ; are ignored (comments).
+;opcache.blacklist_filename=
+
+; Allows exclusion of large files from being cached. By default all files
+; are cached.
+;opcache.max_file_size=0
+
+; Check the cache checksum each N requests.
+; The default value of "0" means that the checks are disabled.
+;opcache.consistency_checks=0
+
+; How long to wait (in seconds) for a scheduled restart to begin if the cache
+; is not being accessed.
+;opcache.force_restart_timeout=180
+
+; OPcache error_log file name. Empty string assumes "stderr".
+;opcache.error_log=
+
+; All OPcache errors go to the Web server log.
+; By default, only fatal errors (level 0) or errors (level 1) are logged.
+; You can also enable warnings (level 2), info messages (level 3) or
+; debug messages (level 4).
+;opcache.log_verbosity_level=1
+
+; Preferred Shared Memory back-end. Leave empty and let the system decide.
+;opcache.preferred_memory_model=
+
+; Protect the shared memory from unexpected writing during script execution.
+; Useful for internal debugging only.
+;opcache.protect_memory=0
+
+; Allows calling OPcache API functions only from PHP scripts which path is
+; started from specified string. The default "" means no restriction
+;opcache.restrict_api=
+
+; Mapping base of shared memory segments (for Windows only). All the PHP
+; processes have to map shared memory into the same address space. This
+; directive allows to manually fix the "Unable to reattach to base address"
+; errors.
+;opcache.mmap_base=
+
+; Enables and sets the second level cache directory.
+; It should improve performance when SHM memory is full, at server restart or
+; SHM reset. The default "" disables file based caching.
+;opcache.file_cache=
+
+; Enables or disables opcode caching in shared memory.
+;opcache.file_cache_only=0
+
+; Enables or disables checksum validation when script loaded from file cache.
+;opcache.file_cache_consistency_checks=1
+
+; Implies opcache.file_cache_only=1 for a certain process that failed to
+; reattach to the shared memory (for Windows only). Explicitly enabled file
+; cache is required.
+;opcache.file_cache_fallback=1
+
+; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
+; This should improve performance, but requires appropriate OS configuration.
+;opcache.huge_code_pages=1
+
+; Validate cached file permissions.
+;opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+;opcache.validate_root=0
+
+; If specified, it produces opcode dumps for debugging different stages of
+; optimizations.
+;opcache.opt_debug_level=0
+
+[curl]
+; A default value for the CURLOPT_CAINFO option. This is required to be an
+; absolute path.
+;curl.cainfo =
+
+[openssl]
+; The location of a Certificate Authority (CA) file on the local filesystem
+; to use when verifying the identity of SSL/TLS peers. Most users should
+; not specify a value for this directive as PHP will attempt to use the
+; OS-managed cert stores in its absence. If specified, this value may still
+; be overridden on a per-stream basis via the "cafile" SSL stream context
+; option.
+;openssl.cafile=
+
+; If openssl.cafile is not specified or if the CA file is not found, the
+; directory pointed to by openssl.capath is searched for a suitable
+; certificate. This value must be a correctly hashed certificate directory.
+; Most users should not specify a value for this directive as PHP will
+; attempt to use the OS-managed cert stores in its absence. If specified,
+; this value may still be overridden on a per-stream basis via the "capath"
+; SSL stream context option.
+;openssl.capath=
+
+; Local Variables:
+; tab-width: 4
+; End:
-; Start a new pool named 'www'.
-; the variable $pool can be used in any directive and will be replaced by the
-; pool name ('www' here)
-[www]
-
-; Per pool prefix
-; It only applies on the following directives:
-; - 'access.log'
-; - 'slowlog'
-; - 'listen' (unixsocket)
-; - 'chroot'
-; - 'chdir'
-; - 'php_values'
-; - 'php_admin_values'
-; When not set, the global prefix (or /usr) applies instead.
-; Note: This directive can also be relative to the global prefix.
-; Default Value: none
-;prefix = /path/to/pools/$pool
-
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-; will be used.
+[inet]
user = www-data
group = www-data
-; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
-; a specific port;
-; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
-; a specific port;
-; 'port' - to listen on a TCP socket to all addresses
-; (IPv6 and IPv4-mapped) on a specific port;
-; '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = /run/php/php7.3-fpm.sock
-
-; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = 511
-
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions. The owner
-; and group can be specified either by name or by their numeric IDs.
-; Default Values: user and group are set as the running user
-; mode is set to 0660
+listen = 127.0.0.1:9999
listen.owner = www-data
listen.group = www-data
-;listen.mode = 0660
-; When POSIX Access Control Lists are supported you can set them using
-; these options, value is a comma separated list of user/group names.
-; When set, listen.owner and listen.group are ignored
-;listen.acl_users =
-;listen.acl_groups =
-
-; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
-; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
-; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
-; must be separated by a comma. If this value is left blank, connections will be
-; accepted from any ip address.
-; Default Value: any
-;listen.allowed_clients = 127.0.0.1
+listen.mode = 0660
-; Specify the nice(2) priority to apply to the pool processes (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-; - The pool processes will inherit the master process priority
-; unless it specified otherwise
-; Default Value: no set
-; process.priority = -19
+; IP addresses must be separated by comma, and no space between comma and ip.
+listen.allowed_clients = 127.0.0.1
-; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
-; or group is differrent than the master process user. It allows to create process
-; core dump and ptrace the process for the pool user.
-; Default Value: no
-; process.dumpable = yes
-
-; Choose how the process manager will control the number of child processes.
-; Possible Values:
-; static - a fixed number (pm.max_children) of child processes;
-; dynamic - the number of child processes are set dynamically based on the
-; following directives. With this process management, there will be
-; always at least 1 children.
-; pm.max_children - the maximum number of children that can
-; be alive at the same time.
-; pm.start_servers - the number of children created on startup.
-; pm.min_spare_servers - the minimum number of children in 'idle'
-; state (waiting to process). If the number
-; of 'idle' processes is less than this
-; number then some children will be created.
-; pm.max_spare_servers - the maximum number of children in 'idle'
-; state (waiting to process). If the number
-; of 'idle' processes is greater than this
-; number then some children will be killed.
-; ondemand - no children are created at startup. Children will be forked when
-; new requests will connect. The following parameter are used:
-; pm.max_children - the maximum number of children that
-; can be alive at the same time.
-; pm.process_idle_timeout - The number of seconds after which
-; an idle process will be killed.
-; Note: This value is mandatory.
pm = dynamic
+pm.max_children = 100
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 10
+pm.max_requests = 100
-; The number of child processes to be created when pm is set to 'static' and the
-; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
-; This value sets the limit on the number of simultaneous requests that will be
-; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
-; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
-; CGI. The below defaults are based on a server without much resources. Don't
-; forget to tweak pm.* to fit your needs.
-; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
-; Note: This value is mandatory.
-pm.max_children = 5
-
-; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
-; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 2
-
-; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 1
-
-; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 3
+pm.status_path = /status
+ping.path = /ping
-; The number of seconds after which an idle process will be killed.
-; Note: Used only when pm is set to 'ondemand'
-; Default Value: 10s
-;pm.process_idle_timeout = 10s;
+request_terminate_timeout = 60s
+request_slowlog_timeout = 10s
-; The number of requests each child process should execute before respawning.
-; This can be useful to work around memory leaks in 3rd party libraries. For
-; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
-; Default Value: 0
-;pm.max_requests = 500
-
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
-; pool - the name of the pool;
-; process manager - static, dynamic or ondemand;
-; start time - the date and time FPM has started;
-; start since - number of seconds since FPM has started;
-; accepted conn - the number of request accepted by the pool;
-; listen queue - the number of request in the queue of pending
-; connections (see backlog in listen(2));
-; max listen queue - the maximum number of requests in the queue
-; of pending connections since FPM has started;
-; listen queue len - the size of the socket queue of pending connections;
-; idle processes - the number of idle processes;
-; active processes - the number of active processes;
-; total processes - the number of idle + active processes;
-; max active processes - the maximum number of active processes since FPM
-; has started;
-; max children reached - number of times, the process limit has been reached,
-; when pm tries to start more children (works only for
-; pm 'dynamic' and 'ondemand');
-; Value are updated in real time.
-; Example output:
-; pool: www
-; process manager: static
-; start time: 01/Jul/2011:17:53:49 +0200
-; start since: 62636
-; accepted conn: 190460
-; listen queue: 0
-; max listen queue: 1
-; listen queue len: 42
-; idle processes: 4
-; active processes: 11
-; total processes: 15
-; max active processes: 12
-; max children reached: 0
-;
-; By default the status page output is formatted as text/plain. Passing either
-; 'html', 'xml' or 'json' in the query string will return the corresponding
-; output syntax. Example:
-; http://www.foo.bar/status
-; http://www.foo.bar/status?json
-; http://www.foo.bar/status?html
-; http://www.foo.bar/status?xml
-;
-; By default the status page only outputs short status. Passing 'full' in the
-; query string will also return status for each pool process.
-; Example:
-; http://www.foo.bar/status?full
-; http://www.foo.bar/status?json&full
-; http://www.foo.bar/status?html&full
-; http://www.foo.bar/status?xml&full
-; The Full status returns for each process:
-; pid - the PID of the process;
-; state - the state of the process (Idle, Running, ...);
-; start time - the date and time the process has started;
-; start since - the number of seconds since the process has started;
-; requests - the number of requests the process has served;
-; request duration - the duration in µs of the requests;
-; request method - the request method (GET, POST, ...);
-; request URI - the request URI with the query string;
-; content length - the content length of the request (only with POST);
-; user - the user (PHP_AUTH_USER) (or '-' if not set);
-; script - the main script called (or '-' if not set);
-; last request cpu - the %cpu the last request consumed
-; it's always 0 if the process is not in Idle state
-; because CPU calculation is done when the request
-; processing has terminated;
-; last request memory - the max amount of memory the last request consumed
-; it's always 0 if the process is not in Idle state
-; because memory calculation is done when the request
-; processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
-; the current request being served.
-; Example output:
-; ************************
-; pid: 31330
-; state: Running
-; start time: 01/Jul/2011:17:53:49 +0200
-; start since: 63087
-; requests: 12808
-; request duration: 1250261
-; request method: GET
-; request URI: /test_mem.php?N=10000
-; content length: 0
-; user: -
-; script: /home/fat/web/docs/php/test_mem.php
-; last request cpu: 0.00
-; last request memory: 0
;
-; Note: There is a real-time FPM status monitoring sample web page available
-; It's available in: /usr/share/php/7.3/fpm/status.html
+; Log files
;
-; Note: The value must start with a leading slash (/). The value can be
-; anything, but it may not be a good idea to use the .php extension or it
-; may conflict with a real PHP file.
-; Default Value: not set
-;pm.status_path = /status
-
-; The ping URI to call the monitoring page of FPM. If this value is not set, no
-; URI will be recognized as a ping page. This could be used to test from outside
-; that FPM is alive and responding, or to
-; - create a graph of FPM availability (rrd or such);
-; - remove a server from a group if it is not responding (load balancing);
-; - trigger alerts for the operating team (24/7).
-; Note: The value must start with a leading slash (/). The value can be
-; anything, but it may not be a good idea to use the .php extension or it
-; may conflict with a real PHP file.
-; Default Value: not set
-;ping.path = /ping
-
-; This directive may be used to customize the response of a ping request. The
-; response is formatted as text/plain with a 200 response code.
-; Default Value: pong
-;ping.response = pong
-
-; The access log file
-; Default: not set
-;access.log = log/$pool.access.log
-
-; The access log format.
-; The following syntax is allowed
-; %%: the '%' character
-; %C: %CPU used by the request
-; it can accept the following format:
-; - %{user}C for user CPU only
-; - %{system}C for system CPU only
-; - %{total}C for user + system CPU (default)
-; %d: time taken to serve the request
-; it can accept the following format:
-; - %{seconds}d (default)
-; - %{miliseconds}d
-; - %{mili}d
-; - %{microseconds}d
-; - %{micro}d
-; %e: an environment variable (same as $_ENV or $_SERVER)
-; it must be associated with embraces to specify the name of the env
-; variable. Some exemples:
-; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
-; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
-; %f: script filename
-; %l: content-length of the request (for POST request only)
-; %m: request method
-; %M: peak of memory allocated by PHP
-; it can accept the following format:
-; - %{bytes}M (default)
-; - %{kilobytes}M
-; - %{kilo}M
-; - %{megabytes}M
-; - %{mega}M
-; %n: pool name
-; %o: output header
-; it must be associated with embraces to specify the name of the header:
-; - %{Content-Type}o
-; - %{X-Powered-By}o
-; - %{Transfert-Encoding}o
-; - ....
-; %p: PID of the child that serviced the request
-; %P: PID of the parent of the child that serviced the request
-; %q: the query string
-; %Q: the '?' character if query string exists
-; %r: the request URI (without the query string, see %q and %Q)
-; %R: remote IP address
-; %s: status (response code)
-; %t: server time the request was received
-; it can accept a strftime(3) format:
-; %d/%b/%Y:%H:%M:%S %z (default)
-; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
-; %T: time the log has been written (the request has finished)
-; it can accept a strftime(3) format:
-; %d/%b/%Y:%H:%M:%S %z (default)
-; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
-; %u: remote user
-;
-; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
-
-; The log file for slow requests
-; Default Value: not set
-; Note: slowlog is mandatory if request_slowlog_timeout is set
-;slowlog = log/$pool.log.slow
-
-; The timeout for serving a single request after which a PHP backtrace will be
-; dumped to the 'slowlog' file. A value of '0s' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_slowlog_timeout = 0
-
-; Depth of slow log stack trace.
-; Default Value: 20
-;request_slowlog_trace_depth = 20
-
-; The timeout for serving a single request after which the worker process will
-; be killed. This option should be used when the 'max_execution_time' ini option
-; does not stop script execution for some reason. A value of '0' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_terminate_timeout = 0
-
-; The timeout set by 'request_terminate_timeout' ini option is not engaged after
-; application calls 'fastcgi_finish_request' or when application has finished and
-; shutdown functions are being called (registered via register_shutdown_function).
-; This option will enable timeout limit to be applied unconditionally
-; even in such cases.
-; Default Value: no
-;request_terminate_timeout_track_finished = no
-
-; Set open file descriptor rlimit.
-; Default Value: system defined value
-;rlimit_files = 1024
-
-; Set max core size rlimit.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
-
-; Chroot to this directory at the start. This value must be defined as an
-; absolute path. When this value is not set, chroot is not used.
-; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
-; of its subdirectories. If the pool prefix is not set, the global prefix
-; will be used instead.
-; Note: chrooting is a great security feature and should be used whenever
-; possible. However, all PHP paths will be relative to the chroot
-; (error_log, sessions.save_path, ...).
-; Default Value: not set
-;chroot =
-
-; Chdir to this directory at the start.
-; Note: relative path can be used.
-; Default Value: current directory or / when chroot
-;chdir = /var/www
-
-; Redirect worker stdout and stderr into main error log. If not set, stdout and
-; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
-; process time (several ms).
-; Default Value: no
-;catch_workers_output = yes
-
-; Decorate worker output with prefix and suffix containing information about
-; the child that writes to the log and if stdout or stderr is used as well as
-; log level and time. This options is used only if catch_workers_output is yes.
-; Settings to "no" will output data as written to the stdout or stderr.
-; Default value: yes
-;decorate_workers_output = no
-
-; Clear environment in FPM workers
-; Prevents arbitrary environment variables from reaching FPM worker processes
-; by clearing the environment in workers before env vars specified in this
-; pool configuration are added.
-; Setting to "no" will make all environment variables available to PHP code
-; via getenv(), $_ENV and $_SERVER.
-; Default Value: yes
-;clear_env = no
-
-; Limits the extensions of the main script FPM will allow to parse. This can
-; prevent configuration mistakes on the web server side. You should only limit
-; FPM to .php extensions to prevent malicious users to use other extensions to
-; execute php code.
-; Note: set an empty value to allow all extensions.
-; Default Value: .php
-;security.limit_extensions = .php .php3 .php4 .php5 .php7
-
-; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
-; the current environment.
-; Default Value: clean env
-;env[HOSTNAME] = $HOSTNAME
-;env[PATH] = /usr/local/bin:/usr/bin:/bin
-;env[TMP] = /tmp
-;env[TMPDIR] = /tmp
-;env[TEMP] = /tmp
-
-; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-; php_value/php_flag - you can set classic ini defines which can
-; be overwritten from PHP call 'ini_set'.
-; php_admin_value/php_admin_flag - these directives won't be overwritten by
-; PHP call 'ini_set'
-; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-
-; Note: path INI options can be relative and will be expanded with the prefix
-; (pool, global or /usr)
-
-; Default Value: nothing is defined by default except the values in php.ini and
-; specified at startup with the -d argument
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-;php_admin_value[memory_limit] = 32M
+access.log = /var/log/php-fpm/php-fpm.log
+slowlog = /var/log/php-fpm/slow.log
--- /dev/null
+; Start a new pool named 'www'.
+; the variable $pool can be used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+; will be used.
+user = www-data
+group = www-data
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
+; a specific port;
+; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+; a specific port;
+; 'port' - to listen on a TCP socket to all addresses
+; (IPv6 and IPv4-mapped) on a specific port;
+; '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = /run/php/php7.3-fpm.sock
+
+; Set listen(2) backlog.
+; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+;listen.backlog = 511
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: user and group are set as the running user
+; mode is set to 0660
+listen.owner = www-data
+listen.group = www-data
+;listen.mode = 0660
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+; - The pool processes will inherit the master process priority
+; unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
+; or group is differrent than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+; static - a fixed number (pm.max_children) of child processes;
+; dynamic - the number of child processes are set dynamically based on the
+; following directives. With this process management, there will be
+; always at least 1 children.
+; pm.max_children - the maximum number of children that can
+; be alive at the same time.
+; pm.start_servers - the number of children created on startup.
+; pm.min_spare_servers - the minimum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is less than this
+; number then some children will be created.
+; pm.max_spare_servers - the maximum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is greater than this
+; number then some children will be killed.
+; ondemand - no children are created at startup. Children will be forked when
+; new requests will connect. The following parameter are used:
+; pm.max_children - the maximum number of children that
+; can be alive at the same time.
+; pm.process_idle_timeout - The number of seconds after which
+; an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 5
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
+pm.start_servers = 2
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 1
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 3
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following informations:
+; pool - the name of the pool;
+; process manager - static, dynamic or ondemand;
+; start time - the date and time FPM has started;
+; start since - number of seconds since FPM has started;
+; accepted conn - the number of request accepted by the pool;
+; listen queue - the number of request in the queue of pending
+; connections (see backlog in listen(2));
+; max listen queue - the maximum number of requests in the queue
+; of pending connections since FPM has started;
+; listen queue len - the size of the socket queue of pending connections;
+; idle processes - the number of idle processes;
+; active processes - the number of active processes;
+; total processes - the number of idle + active processes;
+; max active processes - the maximum number of active processes since FPM
+; has started;
+; max children reached - number of times, the process limit has been reached,
+; when pm tries to start more children (works only for
+; pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+; pool: www
+; process manager: static
+; start time: 01/Jul/2011:17:53:49 +0200
+; start since: 62636
+; accepted conn: 190460
+; listen queue: 0
+; max listen queue: 1
+; listen queue len: 42
+; idle processes: 4
+; active processes: 11
+; total processes: 15
+; max active processes: 12
+; max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+; http://www.foo.bar/status
+; http://www.foo.bar/status?json
+; http://www.foo.bar/status?html
+; http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+; http://www.foo.bar/status?full
+; http://www.foo.bar/status?json&full
+; http://www.foo.bar/status?html&full
+; http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+; pid - the PID of the process;
+; state - the state of the process (Idle, Running, ...);
+; start time - the date and time the process has started;
+; start since - the number of seconds since the process has started;
+; requests - the number of requests the process has served;
+; request duration - the duration in µs of the requests;
+; request method - the request method (GET, POST, ...);
+; request URI - the request URI with the query string;
+; content length - the content length of the request (only with POST);
+; user - the user (PHP_AUTH_USER) (or '-' if not set);
+; script - the main script called (or '-' if not set);
+; last request cpu - the %cpu the last request consumed
+; it's always 0 if the process is not in Idle state
+; because CPU calculation is done when the request
+; processing has terminated;
+; last request memory - the max amount of memory the last request consumed
+; it's always 0 if the process is not in Idle state
+; because memory calculation is done when the request
+; processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+; ************************
+; pid: 31330
+; state: Running
+; start time: 01/Jul/2011:17:53:49 +0200
+; start since: 63087
+; requests: 12808
+; request duration: 1250261
+; request method: GET
+; request URI: /test_mem.php?N=10000
+; content length: 0
+; user: -
+; script: /home/fat/web/docs/php/test_mem.php
+; last request cpu: 0.00
+; last request memory: 0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+; It's available in: /usr/share/php/7.3/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+;pm.status_path = /status
+
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+; %%: the '%' character
+; %C: %CPU used by the request
+; it can accept the following format:
+; - %{user}C for user CPU only
+; - %{system}C for system CPU only
+; - %{total}C for user + system CPU (default)
+; %d: time taken to serve the request
+; it can accept the following format:
+; - %{seconds}d (default)
+; - %{miliseconds}d
+; - %{mili}d
+; - %{microseconds}d
+; - %{micro}d
+; %e: an environment variable (same as $_ENV or $_SERVER)
+; it must be associated with embraces to specify the name of the env
+; variable. Some exemples:
+; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+; %f: script filename
+; %l: content-length of the request (for POST request only)
+; %m: request method
+; %M: peak of memory allocated by PHP
+; it can accept the following format:
+; - %{bytes}M (default)
+; - %{kilobytes}M
+; - %{kilo}M
+; - %{megabytes}M
+; - %{mega}M
+; %n: pool name
+; %o: output header
+; it must be associated with embraces to specify the name of the header:
+; - %{Content-Type}o
+; - %{X-Powered-By}o
+; - %{Transfert-Encoding}o
+; - ....
+; %p: PID of the child that serviced the request
+; %P: PID of the parent of the child that serviced the request
+; %q: the query string
+; %Q: the '?' character if query string exists
+; %r: the request URI (without the query string, see %q and %Q)
+; %R: remote IP address
+; %s: status (response code)
+; %t: server time the request was received
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %T: time the log has been written (the request has finished)
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; Depth of slow log stack trace.
+; Default Value: 20
+;request_slowlog_trace_depth = 20
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+
+; The timeout set by 'request_terminate_timeout' ini option is not engaged after
+; application calls 'fastcgi_finish_request' or when application has finished and
+; shutdown functions are being called (registered via register_shutdown_function).
+; This option will enable timeout limit to be applied unconditionally
+; even in such cases.
+; Default Value: no
+;request_terminate_timeout_track_finished = no
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+; possible. However, all PHP paths will be relative to the chroot
+; (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environement, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Decorate worker output with prefix and suffix containing information about
+; the child that writes to the log and if stdout or stderr is used as well as
+; log level and time. This options is used only if catch_workers_output is yes.
+; Settings to "no" will output data as written to the stdout or stderr.
+; Default value: yes
+;decorate_workers_output = no
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; execute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+; php_value/php_flag - you can set classic ini defines which can
+; be overwritten from PHP call 'ini_set'.
+; php_admin_value/php_admin_flag - these directives won't be overwritten by
+; PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+; specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M
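Review bot: This pool file leaves every hardening setting at its stock default: workers and the socket both use `www-data`, and `chroot`, `request_terminate_timeout` and all `php_admin_value[...]` lines stay commented out. Its path is not visible in this view, and the timestamped copies elsewhere in the commit suggest it may be a backup. If it is loaded as a live pool, application code can change its own logging and error-display settings with `ini_set`. I would pin them by enabling `php_admin_flag[log_errors] = on` and `php_admin_value[error_log] = /var/log/fpm-php.www.log`, and by using `php_admin_flag[display_errors] = off` rather than the `php_flag` form. If it is only a backup, a one-line comment at the top such as `; backup of the distribution default, not loaded` would stop it being mistaken for the active configuration.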
--- /dev/null
+# See man 5 aliases for format
+postmaster: root
+#clamav: root
+nobody: root
+vmail: root
+root: postmaster@brehm-berlin.de
+www-data: root
+clamav: root
+amavis: root
+iredapd: root
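Review bot: `clamav` is listed twice in this table, once commented out as `#clamav: root` near the top and once active near the end; drop the commented line so there is only one entry to maintain. Every alias here, including `postmaster`, resolves through `root` to the single address `postmaster@brehm-berlin.de`, so notices for `clamav`, `amavis` and `iredapd` are all lost together if that mailbox is unavailable. If the domain is hosted on this same server, which the hunk does not show, a delivery failure there would also swallow the resulting bounce. Consider a second recipient outside this host, e.g. `root: postmaster@brehm-berlin.de, <off-host-address>` (placeholder). The table only takes effect once the alias database is rebuilt with `newaliases`, which committing the file does not do.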
--- /dev/null
+# Work around clients that send `RCPT TO:<'user@domain'>` (Outlook 2003/2007).
+# WARNING: do not lose the parameters that follow the address.
+/^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/ $1$2$3
--- /dev/null
+#---------------------------------------------------------------------
+# This file is part of iRedMail, which is an open source mail server
+# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.
+#
+# iRedMail is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# iRedMail is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with iRedMail. If not, see <http://www.gnu.org/licenses/>.
+#---------------------------------------------------------------------
+
+#
+# Sample Postfix check_helo_access rule. It should be located at:
+# /etc/postfix/check_helo_access.pcre
+#
+# Shipped within iRedMail project:
+# * http://www.iredmail.org/
+
+# Prepend HELO hostname of sender server
+#/(.*)/ PREPEND X-Original-Helo: $1 (iRedMail: http://www.iredmail.org/)
+
+# No one will use these in helo command.
+/^(localhost)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(localhost.localdomain)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(\.local)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+
+# Reject who use IP address as helo.
+# Correct: [xxx.xxx.xxx.xxx]
+# Incorrect: xxx.xxx.xxx.xxx
+/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (${1})
+
+#
+# This is the real HELO identify of these ISPs:
+# sohu.com websmtp.sohu.com relay2nd.mail.sohu.com
+# 126.com m15-78.126.com
+# 163.com m31-189.vip.163.com m13-49.163.com
+# sina.com mail2-209.sinamail.sina.com.cn
+# gmail.com xx-out-NNNN.google.com
+/^(126\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(163\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(163\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(sohu\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(gmail\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(google\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(yahoo\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(yahoo\.co\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+
+#
+# Spammers.
+#
+/^(728154EA470B4AA\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(taj-co\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(CF8D3DB045C1455\.net)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(dsgsfdg\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(se\.nit7-ngbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(mail\.goo\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(n-ong_an\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(meqail\.teamefs-ine5tl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(zzg\.jhf-sp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(din_glo-ng\.net)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(fda-cnc\.ie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(yrtaj-yrco\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(m\.am\.biz\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(xr_haig\.roup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(hjn\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(we_blf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(netvigator\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(mysam\.biz)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(mail\.teams-intl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(seningbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(nblf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(kdn\.ktguide\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(zzsp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(nblongan\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(dpu\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(nbalton\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(cncie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(xinhaigroup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(wz\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/(\.zj\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/(\.kornet)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+
+/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(system\.mail)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(speedtouch\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+
+#
+# Reject adsl spammers.
+#
+# match word `adsl` with word boundary `\b`.
+/(\badsl\b)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+
+# bypass "[IP_ADDRESS]"
+/^\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]$/ OK
+
+# bypass some HELOs which contains IP address
+/^o\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.outbound-mail\.sendgrid\.net$/ OK
+/^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.mail-(mail|campmail)\.facebook\.com$/ OK
+/^outbound-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.pinterestmail\.com$/ OK
+
+# reject HELO which contains IP address
+/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(\d{1,3}\.ip\.-\d{1,3}-\d{1,3}-\d{1,3}\.eu)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(pppoe)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dsl\.brasiltelecom\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dsl\.optinet\.hr)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dsl\.telesp\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dialup)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dhcp)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(static-pool-[\d\.-]*\.flagman\.zp\.ua)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+
+/(speedy\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(speedyterra\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(static\.sbb\.rs)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(static\.vsnl\.net\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+
+/(advance\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(airtelbroadband\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(bb\.netvision\.net\.il)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(broadband3\.iol\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(cable\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(catv\.broadband\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(chello\.nl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(chello\.sk)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(client\.mchsi\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(comunitel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(coprosys\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(dclient\.hispeed\.ch)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(dip0\.t-ipconnect\.de)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(domain\.invalid)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(dyn\.centurytel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(embarqhsd\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(emcali\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(epm\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(fibertel\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(freedom2surf\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(hgcbroadband\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(HINET-IP\.hinet\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(infonet\.by)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(is74\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(kievnet\.com\.ua)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(metrotel\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(nw\.nuvox\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pldt\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pool\.invitel\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pool\.ukrtel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pools\.arcor-ip\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pppoe\.avangarddsl\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(retail\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(revip2\.asianet\.co\.th)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(tim\.ro)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(tsi\.tychy\.pl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(ttnet\.net\.tr)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(tttmaxnet\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(user\.veloxzone\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(utk\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(veloxzone\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(virtua\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(wanamaroc\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(wbt\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(wireless\.iaw\.on\.ca)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(business\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(cotas\.com\.bo)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(marunouchi\.tokyo\.ocn\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(amedex\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(aageneva\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^ylmf-pc/ REJECT ACCESS DENIED
+
+/(\.*wideragents\.com)$/ REJECT ACCESS DENIED (${1})
+/(\.*resumekeep\.net)$/ REJECT ACCESS DENIED (${1})
+/(\.*terracedrink\.com)$/ REJECT ACCESS DENIED (${1})
+/(\.*sincemessage\.com)$/ REJECT ACCESS DENIED (${1})
+/(\.*ordertranquility\.com)$/ REJECT ACCESS DENIED (${1})
+/(\.*terracedrink\.com)$/ REJECT ACCESS DENIED (${1})
-# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# --------------------
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# location of the Postfix queue. Default is /var/spool/postfix.
+queue_directory = /var/spool/postfix
+# location of all postXXX commands. Default is /usr/sbin.
+command_directory = /usr/sbin
-# Debian specific: Specifying a file name will cause the first
-# line of that file to be used as the name. The Debian default
-# is /etc/mailname.
-#myorigin = /etc/mailname
+# location of all Postfix daemon programs (i.e. programs listed in the
+# master.cf file). This directory must be owned by root.
+# Default is /usr/libexec/postfix
+daemon_directory = /usr/lib/postfix/sbin
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+# location of Postfix-writable data files (caches, random numbers).
+# This directory must be owned by the mail_owner account (see below).
+# Default is /var/lib/postfix.
+data_directory = /var/lib/postfix
+
+# owner of the Postfix queue and of most Postfix daemon processes.
+# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
+# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
+# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
+# Default is postfix.
+mail_owner = postfix
+
+# The following parameters are used when installing a new Postfix version.
+#
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+#
+sendmail_path = /usr/sbin/sendmail
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases
+
+# full pathname of the Postfix mailq command. This is the Sendmail-compatible
+# mail queue listing command.
+mailq_path = /usr/bin/mailq
+
+# group for mail submission and queue management commands.
+# This must be a group name with a numerical group ID that is not shared with
+# other accounts, not even with the Postfix account.
+setgid_group = postdrop
+
+# external command that is executed when a Postfix daemon program is run with
+# the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+debugger_command =
+ PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+ ddd $daemon_directory/$process_name $process_id & sleep 5
+
+debug_peer_level = 2
+
+# --------------------
+# CUSTOM SETTINGS
+#
+
+# SMTP server response code when recipient or domain not found.
+unknown_local_recipient_reject_code = 550
+
+# Do not notify local user.
biff = no
-# appending .domain is the MUA's job.
-append_dot_mydomain = no
+# Disable the rewriting of "site!user" into "user@site".
+swap_bangpath = no
-# Uncomment the next line to generate "delayed mail" warnings
-#delay_warning_time = 4h
+# Disable the rewriting of the form "user%domain" to "user@domain".
+allow_percent_hack = no
-readme_directory = no
+# Allow recipient address start with '-'.
+allow_min_user = no
-# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
-# fresh installs.
-compatibility_level = 2
+# Disable the SMTP VRFY command. This stops some techniques used to
+# harvest email addresses.
+disable_vrfy_command = yes
+
+# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
+inet_protocols = all
+
+# Enable all network interfaces.
+inet_interfaces = all
+
+#
+# TLS settings.
+#
+# SSL key, certificate, CA
+#
+smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
+smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
+smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
+smtpd_tls_CApath = /etc/ssl/certs
+
+#
+# Disable SSLv2, SSLv3
+#
+smtpd_tls_protocols = !SSLv2 !SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
+smtp_tls_protocols = !SSLv2 !SSLv3
+smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
+lmtp_tls_protocols = !SSLv2 !SSLv3
+lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
+
+#
+# Fix 'The Logjam Attack'.
+#
+smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
+smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
+smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
+
+tls_random_source = dev:/dev/urandom
+
+# Log only a summary message on TLS handshake completion — no logging of client
+# certificate trust-chain verification errors if client certificate
+# verification is not required. With Postfix 2.8 and earlier, log the summary
+# message, peer certificate summary information and unconditionally log
+# trust-chain verification errors.
+smtp_tls_loglevel = 1
+smtpd_tls_loglevel = 1
+
+# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
+# not require that clients use TLS encryption.
+smtpd_tls_security_level = may
+
+# Produce `Received:` message headers that include information about the
+# protocol and cipher used, as well as the remote SMTP client CommonName and
+# client certificate issuer CommonName.
+# This is disabled by default, as the information may be modified in transit
+# through other mail servers. Only information that was recorded by the final
+# destination can be trusted.
+#smtpd_tls_received_header = yes
+
+# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
+# Use TLS if this is supported by the remote SMTP server, otherwise use
+# plaintext.
+# References:
+# - http://www.postfix.org/TLS_README.html#client_tls_may
+# - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
+smtp_tls_security_level = may
+
+# Use the same CA file as smtpd.
+smtp_tls_CApath = /etc/ssl/certs
+smtp_tls_CAfile = $smtpd_tls_CAfile
+smtp_tls_note_starttls_offer = yes
+
+# Enable long, non-repeating, queue IDs (queue file names).
+# The benefit of non-repeating names is simpler logfile analysis and easier
+# queue migration (there is no need to run "postsuper" to change queue file
+# names that don't match their message file inode number).
+enable_long_queue_ids = yes
+
+# Reject unlisted sender and recipient
+smtpd_reject_unlisted_recipient = yes
+smtpd_reject_unlisted_sender = yes
+
+# Header and body checks with PCRE table
+header_checks = pcre:/etc/postfix/header_checks
+body_checks = pcre:/etc/postfix/body_checks.pcre
+
+# A mechanism to transform commands from remote SMTP clients.
+# This is a last-resort tool to work around client commands that break
+# interoperability with the Postfix SMTP server. Other uses involve fault
+# injection to test Postfix's handling of invalid commands.
+# Requires Postfix-2.7+.
+smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
+
+# HELO restriction
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ check_helo_access pcre:/etc/postfix/helo_access.pcre
+ reject_non_fqdn_helo_hostname
+ reject_unknown_helo_hostname
+
+# Sender restrictions
+smtpd_sender_restrictions =
+ reject_non_fqdn_sender
+ reject_unlisted_sender
+ permit_mynetworks
+ permit_sasl_authenticated
+ check_sender_access pcre:/etc/postfix/sender_access.pcre
+ reject_unknown_sender_domain
+
+# Recipient restrictions
+smtpd_recipient_restrictions =
+ reject_non_fqdn_recipient
+ reject_unlisted_recipient
+ check_policy_service inet:127.0.0.1:7777
+ permit_mynetworks
+ permit_sasl_authenticated
+ reject_unauth_destination
+ check_policy_service inet:127.0.0.1:12340
+# END-OF-MESSAGE restrictions
+smtpd_end_of_data_restrictions =
+ check_policy_service inet:127.0.0.1:7777
+# Data restrictions
+smtpd_data_restrictions = reject_unauth_pipelining
-# TLS parameters
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_use_tls=yes
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+# SRS (Sender Rewriting Scheme) support
+#sender_canonical_maps = tcp:127.0.0.1:7778
+#sender_canonical_classes = envelope_sender
+#recipient_canonical_maps = tcp:127.0.0.1:7779
+#recipient_canonical_classes= envelope_recipient,header_recipient
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
+proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+# Avoid duplicate recipient messages. Default is 'yes'.
+enable_original_recipient = no
+
+# Virtual support.
+virtual_minimum_uid = 2000
+virtual_uid_maps = static:2000
+virtual_gid_maps = static:2000
+virtual_mailbox_base = /var/vmail
+
+# Do not set virtual_alias_domains.
+virtual_alias_domains =
+
+#
+# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
+# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
+# be forced to submit email through port 587 instead.
+#
+#smtpd_sasl_auth_enable = yes
+#smtpd_sasl_security_options = noanonymous
+#smtpd_tls_auth_only = yes
+
+# hostname
myhostname = helga.uhu-banane.de
-alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases
-myorigin = /etc/mailname
-mydestination = $myhostname, helga.uhu-banane.de, localhost.uhu-banane.de, , localhost
-relayhost =
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-mailbox_command = procmail -a "$EXTENSION"
-mailbox_size_limit = 0
+myorigin = helga.uhu-banane.de
+mydomain = helga.uhu-banane.de
+
+# trusted SMTP clients which are allowed to relay mail through Postfix.
+#
+# Note: additional IP addresses/networks listed in mynetworks should be listed
+# in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
+# for example:
+#
+# MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
+#
+mynetworks = 127.0.0.1 [::1]
+
+# Accepted local emails
+mydestination = $myhostname, localhost, localhost.localdomain
+
+alias_maps = hash:/etc/postfix/aliases
+alias_database = hash:/etc/postfix/aliases
+
+# Default message_size_limit.
+message_size_limit = 15728640
+
+# The set of characters that can separate a user name from its extension
+# (example: user+foo), or a .forward file name from its extension (example:
+# .forward+foo).
+# Postfix 2.11 and later supports multiple characters.
recipient_delimiter = +
-inet_interfaces = all
-inet_protocols = all
+
+# The time after which the sender receives a copy of the message headers of
+# mail that is still queued. Default setting is disabled (0h) by Postfix.
+#delay_warning_time = 1h
+
+# Do not display the name of the recipient table in the "User unknown" responses.
+# The extra detail makes trouble shooting easier but also reveals information
+# that is nobody elses business.
+show_user_unknown_table_name = no
+compatibility_level = 2
+#
+# Lookup virtual mail accounts
+#
+transport_maps =
+ proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
+ proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf
+ proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
+
+sender_dependent_relayhost_maps =
+ proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
+
+# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
+smtpd_sender_login_maps =
+ proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
+
+virtual_mailbox_domains =
+ proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
+
+relay_domains =
+ $mydestination
+ proxy:mysql:/etc/postfix/mysql/relay_domains.cf
+
+virtual_mailbox_maps =
+ proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
+
+virtual_alias_maps =
+ proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
+ proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
+ proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
+ proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
+
+sender_bcc_maps =
+ proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
+ proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
+
+recipient_bcc_maps =
+ proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
+ proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
+
+#
+# Postscreen
+#
+postscreen_greet_action = drop
+postscreen_blacklist_action = drop
+postscreen_dnsbl_action = drop
+postscreen_dnsbl_threshold = 2
+
+# Attention:
+# - zen.spamhaus.org free tire has 3 limits
+# (https://www.spamhaus.org/organization/dnsblusage/):
+#
+# 1) Your use of the Spamhaus DNSBLs is non-commercial*, and
+# 2) Your email traffic is less than 100,000 SMTP connections per day, and
+# 3) Your DNSBL query volume is less than 300,000 queries per day.
+#
+# - FAQ: "Your DNSBL blocks nothing at all!"
+# https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
+#
+# It's strongly recommended to use a local DNS server for cache.
+postscreen_dnsbl_sites =
+ zen.spamhaus.org=127.0.0.[2..11]*3
+ b.barracudacentral.org=127.0.0.2*2
+
+postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
+postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
+
+# Require Postfix-2.11+
+postscreen_dnsbl_whitelist_threshold = -2
+
+#
+# Dovecot SASL support.
+#
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/dovecot-auth
+virtual_transport = dovecot
+dovecot_destination_recipient_limit = 1
+
+#
+# mlmmj - mailing list manager
+#
+mlmmj_destination_recipient_limit = 1
+
+#
+# Amavisd + SpamAssassin + ClamAV
+#
+content_filter = smtp-amavis:[127.0.0.1]:10024
+
+# Concurrency per recipient limit.
+smtp-amavis_destination_recipient_limit = 1
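Review bot: Two entries in the added `smtpd_tls_exclude_ciphers` list look misspelled: `EDH-RSA-DES-CDC3-SHA` and `KRB5-DE5` were presumably meant as `EDH-RSA-DES-CBC3-SHA` and `KRB5-DES`. As written they likely exclude nothing, although the broader `DES` and `CBC3-SHA` entries may still cover the same suites. In the same TLS block the `*_tls_mandatory_protocols` lines only drop SSLv2 and SSLv3, which leaves TLSv1 and TLSv1.1 negotiable even where TLS is enforced. If no legacy peer needs them, `smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1` (and likewise for the smtp and lmtp variants) would tighten that. The `smtpd_tls_dh512_param_file` line only serves export-grade ciphers, which the exclude list already forbids, so it can probably be dropped.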
--- /dev/null
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = helga.uhu-banane.de
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = $myhostname, helga.uhu-banane.de, localhost.uhu-banane.de, , localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
-smtp inet n - y - - smtpd
-#smtp inet n - y - 1 postscreen
-#smtpd pass - - y - - smtpd
-#dnsblog unix - - y - 0 dnsblog
-#tlsproxy unix - - y - 0 tlsproxy
+smtp inet n - y - 1 postscreen
+smtpd pass - - y - - smtpd
+dnsblog unix - - y - 0 dnsblog
+tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
-pickup unix n - y 60 1 pickup
-cleanup unix n - y - 0 cleanup
-qmgr unix n - n 300 1 qmgr
+#smtp inet n - - - - smtpd
+pickup unix n - n 60 1 pickup
+ -o content_filter=smtp-amavis:[127.0.0.1]:10026
+cleanup unix n - n - 0 cleanup
#qmgr unix n - n 300 1 oqmgr
-tlsmgr unix - - y 1000? 1 tlsmgr
-rewrite unix - - y - - trivial-rewrite
-bounce unix - - y - 0 bounce
-defer unix - - y - 0 bounce
-trace unix - - y - 0 bounce
-verify unix - - y - 1 verify
-flush unix n - y 1000? 0 flush
-proxymap unix - - n - - proxymap
-proxywrite unix - - n - 1 proxymap
-smtp unix - - y - - smtp
-relay unix - - y - - smtp
- -o syslog_name=postfix/$service_name
+qmgr unix n - n 300 1 qmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
-showq unix n - y - - showq
-error unix - - y - - error
-retry unix - - y - - error
-discard unix - - y - - discard
-local unix - n n - - local
-virtual unix - n n - - virtual
-lmtp unix - - y - - lmtp
-anvil unix - - y - 1 anvil
-scache unix - - y - 1 scache
-postlog unix-dgram n - n - 1 postlogd
+relay unix - - n - - smtp
+ -o syslog_name=postfix/$service_name
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
-maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
#
#
# See the Postfix UUCP_README file for configuration details.
#
-uucp unix - n n - - pipe
- flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+maildrop unix - n n - - pipe flags=DRhu
+ user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# Other external delivery methods.
#
-ifmail unix - n n - - pipe
- flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
-bsmtp unix - n n - - pipe
- flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
-scalemail-backend unix - n n - 2 pipe
- flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
-mailman unix - n n - - pipe
- flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
- ${nexthop} ${user}
+uucp unix - n n - - pipe flags=Fqhu
+ user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+ifmail unix - n n - - pipe flags=F user=ftn
+ argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe flags=Fq.
+ user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe flags=R
+ user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
+ ${user} ${extension}
+
+mailman unix - n n - - pipe flags=FR
+ user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
+ ${user}
+# Submission, port 587, force TLS connection.
+submission inet n - n - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o content_filter=smtp-amavis:[127.0.0.1]:10026
+
+# Use dovecot's `deliver` program as LDA.
+dovecot unix - n n - - pipe
+ flags=DRh user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}
+
+# mlmmj - mailing list manager
+# ${nexthop} is '%d/%u' in transport ('mlmmj:%d/%u')
+mlmmj unix - n n - - pipe
+ flags=ORhu user=mlmmj:mlmmj argv=/usr/bin/mlmmj-amime-receive -L /var/vmail/mlmmj/${nexthop}
+
+# Amavisd integration.
+smtp-amavis unix - - n - 4 smtp
+ -o syslog_name=postfix/amavis
+ -o smtp_data_done_timeout=1200
+ -o smtp_send_xforward_command=yes
+ -o disable_dns_lookups=yes
+ -o max_use=20
+
+# smtp port used by Amavisd to re-inject scanned email back to Postfix
+127.0.0.1:10025 inet n - n - - smtpd
+ -o syslog_name=postfix/10025
+ -o content_filter=
+ -o mynetworks_style=host
+ -o mynetworks=127.0.0.0/8
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o strict_rfc821_envelopes=yes
+ -o smtp_tls_security_level=none
+ -o smtpd_tls_security_level=none
+ -o smtpd_restriction_classes=
+ -o smtpd_delay_reject=no
+ -o smtpd_client_restrictions=permit_mynetworks,reject
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o smtpd_end_of_data_restrictions=
+ -o smtpd_error_sleep_time=0
+ -o smtpd_soft_error_limit=1001
+ -o smtpd_hard_error_limit=1000
+ -o smtpd_client_connection_count_limit=0
+ -o smtpd_client_connection_rate_limit=0
+ -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
+
+# smtp port used by mlmmj to re-inject scanned email back to Postfix, with
+# address mapping support
+127.0.0.1:10028 inet n - n - - smtpd
+ -o syslog_name=postfix/10028
+ -o content_filter=
+ -o mynetworks_style=host
+ -o mynetworks=127.0.0.0/8
+ -o local_recipient_maps=
+ -o relay_recipient_maps=
+ -o strict_rfc821_envelopes=yes
+ -o smtp_tls_security_level=none
+ -o smtpd_tls_security_level=none
+ -o smtpd_restriction_classes=
+ -o smtpd_delay_reject=no
+ -o smtpd_client_restrictions=permit_mynetworks,reject
+ -o smtpd_helo_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o smtpd_end_of_data_restrictions=
+ -o smtpd_error_sleep_time=0
+ -o smtpd_soft_error_limit=1001
+ -o smtpd_hard_error_limit=1000
+ -o smtpd_client_connection_count_limit=0
+ -o smtpd_client_connection_rate_limit=0
+ -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
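Review bot: The new `submission` service on port 587 is declared with chroot `n` (`submission inet n - n - - smtpd`), while the port-25 front end (`postscreen`, `smtpd pass`, `dnsblog`, `tlsproxy`) keeps `y`. The same change also flips `pickup`, `cleanup`, `tlsmgr`, `rewrite`, `bounce`, `smtp`, `lmtp` and others from `y` to `n`. That removes a containment layer from a network-facing, authenticating daemon, and no comment explains why. The SASL socket `private/dovecot-auth` and the `proxy:` maps in main.cf are presumably reachable from inside a chroot, though that needs confirming for this host. If so, keep `y` there, e.g. `submission inet n - y - - smtpd`; otherwise add a comment above the service stating why the chroot was dropped.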
--- /dev/null
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - y - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
+
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='%d' AND '%u' NOT LIKE '%%+%%' AND forwardings.address=domain.domain AND forwardings.active=1 AND domain.active=1 AND domain.backupmx=0
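Review bot: The `password =` line stores the MySQL credential for the `vmail` account in clear text in a tracked file, and the same value is repeated in every lookup file added below, down to the one ending with the `CONCAT(mailbox.storagenode, ...)` query. The private key file added after the DH parameter files has the same problem. Once committed, these secrets stay in the repository history even if the files are later changed, so anyone who can read the repository or a copy of it can read them. I would keep these files out of version control with an ignore entry such as `<path-to-mysql-lookup-files>/*.cf` (placeholder, the file paths are not visible here), and rotate the password and regenerate the key if the repository has ever left the host. It is also worth confirming that the `vmail` database account holds only `SELECT` on the tables these queries read.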
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='%d' AND forwardings.address=alias_domain.target_domain AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='%d' AND forwardings.address=CONCAT('%u', '@', alias_domain.target_domain) AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1 AND domain.backupmx=0
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT bcc_address FROM recipient_bcc_domain WHERE domain='%d' AND active=1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT recipient_bcc_user.bcc_address FROM recipient_bcc_user,domain WHERE recipient_bcc_user.username='%s' AND recipient_bcc_user.domain='%d' AND recipient_bcc_user.domain=domain.domain AND domain.backupmx=0 AND domain.active=1 AND recipient_bcc_user.active=1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT domain FROM domain WHERE domain='%s' AND backupmx=1 AND active=1 LIMIT 1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT bcc_address FROM sender_bcc_domain WHERE domain='%d' AND active=1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT sender_bcc_user.bcc_address FROM sender_bcc_user,domain WHERE sender_bcc_user.username='%s' AND sender_bcc_user.domain='%d' AND sender_bcc_user.domain=domain.domain AND domain.backupmx=0 AND domain.active=1 AND sender_bcc_user.active=1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+# '%s' will be replaced by the envelope sender address or @domain.
+query = SELECT relayhost FROM sender_relayhost WHERE account='%s' LIMIT 1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT mailbox.username FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.enablesmtp=1 AND mailbox.active=1 AND domain.backupmx=0 AND domain.active=1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT transport FROM domain WHERE domain='%s' AND active=1 LIMIT 1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT maillists.transport FROM maillists,domain WHERE maillists.address='%s' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT mailbox.transport FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.transport<>'' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.backupmx=0 AND domain.active=1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='%s' AND forwardings.domain=domain.domain AND forwardings.active=1 AND domain.backupmx=0 AND domain.active=1
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = (SELECT domain FROM domain WHERE domain='%s' AND backupmx=0 AND active=1 LIMIT 1) UNION (SELECT alias_domain.alias_domain FROM alias_domain,domain WHERE alias_domain.alias_domain='%s' AND alias_domain.active=1 AND alias_domain.target_domain=domain.domain AND domain.active=1 AND domain.backupmx=0 LIMIT 1)
--- /dev/null
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT CONCAT(mailbox.storagenode, '/', mailbox.maildir, '/Maildir/') FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.domain = mailbox.domain AND domain.active=1
--- /dev/null
+# Rules are evaluated in the order as specified.
+#1.2.3.4 permit
+#2.3.4.5 reject
+
+# Permit local clients
+127.0.0.0/8 permit
--- /dev/null
+# Debug
+if $syslogfacility-text == 'local5' and ($msg contains ": Debug:") then -/var/log/dovecot/dovecot.log
+& stop
+
+# sieve and LMTP
+if $syslogfacility-text == 'local5' and ($msg contains "lmtp(" or $msg contains "lda(") then -/var/log/dovecot/lda.log
+& stop
+
+# IMAP
+if $syslogfacility-text == 'local5' and ($msg contains "imap(" or $msg contains "imap-login:") then -/var/log/dovecot/imap.log
+& stop
+
+# POP3
+if $syslogfacility-text == 'local5' and ($msg contains "pop3(" or $msg contains "pop3-login:") then -/var/log/dovecot/pop3.log
+& stop
+
+# managesieve
+if $syslogfacility-text == 'local5' and ($msg contains "managesieve(" or $msg contains "managesieve-login:") then -/var/log/dovecot/sieve.log
+& stop
+
+# All other Dovecot log
+if $syslogfacility-text == 'local5' and $programname startswith "dovecot" then -/var/log/dovecot/dovecot.log
+& stop
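Review bot: The first five rules match on `local5` plus a substring of `$msg` only, so a message from any other program logging to `local5` that contains `imap(`, `lda(` or `: Debug:` is written to a Dovecot log and then dropped by `& stop` before its own rule can run. The iredapd, mlmmjadmin and php-fpm rules added later in this commit use the same facility, so which file a message lands in appears to depend on rule load order. Assuming Dovecot always logs under the program name the last rule tests for, adding that check to each filter keeps the logs attributable, for example `if $syslogfacility-text == 'local5' and $programname startswith "dovecot" and ($msg contains ": Debug:") then -/var/log/dovecot/dovecot.log`.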
--- /dev/null
+# Log to /var/log/iredapd/iredapd.log
+#
+# Notes:
+#
+# - $syslogfacility-text must be same as value of parameter SYSLOG_FACILITY
+# in iredapd config file. Defaults to 'local5' (defined in
+# libs/default_settings.py).
+#
+# - Directory /var/log/iredapd/ must be owned by syslog daemon user/group.
+#
+if $syslogfacility-text == 'local5' and ($syslogtag startswith 'iredapd' or $msg startswith 'iredapd') then -/var/log/iredapd/iredapd.log
+& stop
--- /dev/null
+# Log to /var/log/mlmmjadmin/mlmmjadmin.log
+#
+# Notes:
+#
+# - $syslogfacility-text must be same as value of parameter SYSLOG_FACILITY
+# in mlmmjadmin config file. Defaults to 'local5' (defined in
+# libs/default_settings.py).
+#
+# - Directory /var/log/mlmmjadmin/ must be owned by syslog daemon user/group.
+#
+if $syslogfacility-text == 'local5' and $programname startswith 'mlmmjadmin' then -/var/log/mlmmjadmin/mlmmjadmin.log
+& stop
--- /dev/null
+# php-fpm
+if $syslogfacility-text == 'local5' and $syslogtag startswith 'php-fpm' then -/var/log/php-fpm/php-fpm.log
+& stop
dovenull:*:18725:0:99999:7:::
debian-spamd:*:18725:0:99999:7:::
amavis:*:18725:0:99999:7:::
+vmail:!:18725:0:99999:7:::
+mlmmj:!:18725:0:99999:7:::
+iredadmin:!:18725:0:99999:7:::
+iredapd:!:18725:0:99999:7:::
+netdata:!:18725:0:99999:7:::
dovenull:*:18725:0:99999:7:::
debian-spamd:*:18725:0:99999:7:::
amavis:*:18725:0:99999:7:::
+vmail:!:18725:0:99999:7:::
+mlmmj:!:18725:0:99999:7:::
+iredadmin:!:18725:0:99999:7:::
+iredapd:!:18725:0:99999:7:::
-# This is the right place to customize your installation of SpamAssassin.
-#
-# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
-# tweaked.
-#
-# Only a small subset of options are listed below
-#
-###########################################################################
-
-# Add *****SPAM***** to the Subject header of spam e-mails
-#
-# rewrite_header Subject *****SPAM*****
-
-
-# Save spam messages as a message/rfc822 MIME attachment instead of
-# modifying the original message (0: off, 2: use text/plain instead)
-#
-# report_safe 1
-
-
-# Set which networks or hosts are considered 'trusted' by your mail
-# server (i.e. not spammers)
-#
-# trusted_networks 212.17.35.
-
-
-# Set file-locking method (flock is not safe over NFS, but is faster)
-#
-# lock_method flock
-
-
-# Set the threshold at which a message is considered spam (default: 5.0)
-#
-# required_score 5.0
-
-
-# Use Bayesian classifier (default: 1)
-#
-# use_bayes 1
-
-
-# Bayesian classifier auto-learning (default: 1)
-#
-# bayes_auto_learn 1
-
-
-# Set headers which may provide inappropriate cues to the Bayesian
-# classifier
-#
-# bayes_ignore_header X-Bogosity
-# bayes_ignore_header X-Spam-Flag
-# bayes_ignore_header X-Spam-Status
-
-
-# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
-# them to UTF-8 before the text is given over to rules processing.
-#
-# normalize_charset 1
-
-# Some shortcircuiting, if the plugin is enabled
-#
-ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
-#
-# default: strongly-whitelisted mails are *really* whitelisted now, if the
-# shortcircuiting plugin is active, causing early exit to save CPU load.
-# Uncomment to turn this on
-#
-# shortcircuit USER_IN_WHITELIST on
-# shortcircuit USER_IN_DEF_WHITELIST on
-# shortcircuit USER_IN_ALL_SPAM_TO on
-# shortcircuit SUBJECT_IN_WHITELIST on
-
-# the opposite; blacklisted mails can also save CPU
-#
-# shortcircuit USER_IN_BLACKLIST on
-# shortcircuit USER_IN_BLACKLIST_TO on
-# shortcircuit SUBJECT_IN_BLACKLIST on
-
-# if you have taken the time to correctly specify your "trusted_networks",
-# this is another good way to save CPU
-#
-# shortcircuit ALL_TRUSTED on
-
-# and a well-trained bayes DB can save running rules, too
-#
-# shortcircuit BAYES_99 spam
-# shortcircuit BAYES_00 ham
-
-endif # Mail::SpamAssassin::Plugin::Shortcircuit
+#---------------------------------------------------------------------
+# This file is part of iRedMail, which is an open source mail server
+# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.
+#
+# iRedMail is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# iRedMail is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with iRedMail. If not, see <http://www.gnu.org/licenses/>.
+#---------------------------------------------------------------------
+
+#
+# Sample SpamAssassin rules. It should be located at:
+# /etc/mail/spamassassin/local.cf
+#
+# Shipped within iRedMail project:
+# * http://iRedMail.googlecode.com/
+#
+# See also:
+# $ man Mail::SpamAssassin::Conf
+#
+
+
+# These two lines will not affect due to Amavisd use its
+# own variables setting in /etc/amavisd.conf.
+required_score 5.0
+rewrite_header subject [ SPAM ]
+
+report_safe 0
+lock_method flock
+
+#
+# Bayesian support
+#
+# References:
+# - http://wiki.apache.org/spamassassin/BayesInSpamAssassin
+# - http://svn.apache.org/repos/asf/spamassassin/branches/3.3/sql/README.bayes
+# Addition plugin for Roundcube webmail to call sa-learn
+# - http://www.tehinterweb.co.uk/roundcube/#pimarkasjunk2
+#
+use_bayes 1
+bayes_auto_learn 1
+bayes_auto_expire 1
+
+# Store bayesian data in MySQL.
+# Please make sure you have correct server address, port and database name.
+#bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
+#bayes_sql_dsn DBI:mysql:sa_bayes:127.0.0.1:3306
+
+# Store bayesian data in PostgreSQL.
+# Please make sure you have correct server address, port and database name.
+#bayes_store_module Mail::SpamAssassin::BayesStore::PgSQL
+#bayes_sql_dsn DBI:Pg:database=sa_bayes;host=127.0.0.1;port=5432
+
+# SQL username and password.
+#bayes_sql_username db_username
+#bayes_sql_password db_password
+
+# Override the username used for storing data in the database.
+# This could be used to group users together to share bayesian filter data.
+# You can also use this config option to trick sa-learn to learn data as a specific user.
+#bayes_sql_override_username vmail
+
+# Increase score for message which contains blacklisted or phishing URI
+# URIBL
+#score URIBL_SBL 3
+# dbl.spamhaus.org
+#score URIBL_DBL_SPAM 3
+#score URIBL_DBL_PHISH 3
+#score URIBL_DBL_MALWARE 3
+#score URIBL_DBL_BOTNETCC 3
+#score URIBL_DBL_ABUSE_SPAM 3
+#score URIBL_DBL_ABUSE_REDIR 3
+#score URIBL_DBL_ABUSE_PHISH 3
+#score URIBL_DBL_ABUSE_MALW 3
+#score URIBL_DBL_ABUSE_BOTCC 3
+#score URIBL_DBL_ERROR 0
+# multi.surbl.org
+#score URIBL_WS_SURBL 3
+#score URIBL_PH_SURBL 3
+#score URIBL_MW_SURBL 3
+#score URIBL_CR_SURBL 3
+#score URIBL_ABUSE_SURBL 3
+#score SURBL_BLOCKED 0
+# multi.urlbl.com
+#score URIBL_BLACK 3
+#score URIBL_RED 3
+#score URIBL_BLOCKED 0
+
+# DNSBL
+#score RCVD_IN_SBL 5
+#score RCVD_IN_XBL 5
+#score RCVD_IN_PBL 5
+
+# Turn off ALL DNSBL (DNS Blocklists)
+#skip_rbl_checks 1
+# Turn off DNSBL: rhsbl.ahbl.org.
+# Check /usr/share/spamassassin/20_dnsbl_teest.cf to see the rule name.
+score DNS_FROM_AHBL_RHSBL 0
+
+score URIBL_AB_SURBL 0 0.3306 0 0.3812
+score URIBL_JP_SURBL 0 0.3360 0 0.4087
+score URIBL_OB_SURBL 0 0.2617 0 0.3008
+score URIBL_PH_SURBL 0 0.2240 0 0.2800
+score URIBL_SBL 0 0.1094 0 0.1639
+score URIBL_SC_SURBL 0 0.3600 0 0.4498
+score URIBL_WS_SURBL 0 0.1533 0 0.2140
+
+# For SpamAssassin-3.2.x. Reference:
+# http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_SPF.html
+#do_not_use_mail_spf 0
+#do_not_use_mail_spf_query 1
+#ignore_received_spf_header 1
+
+# Trusted networks. Examples:
+# 192.168/16 # all in 192.168.*.*
+# 212.17.35.15 # just that host
+# !10.0.1.5 10.0.1/24 # all in 10.0.1.* but not 10.0.1.5
+# DEAD:BEEF::/32 # all in that ipv6 prefix
+# Local host (127.0.0.1) will automatically be trusted implicitly.
+#trusted_networks 192.168/16
+
+# Whitelist from SPF.
+#whitelist_from_spf joe@example.com fred@example.com
+#whitelist_from_spf *@example.com
+
+# Whitelist from DKIM.
+loadplugin Mail::SpamAssassin::Plugin::DKIM
+whitelist_from_dkim *@paypal.com
+whitelist_from_dkim *@linkedin.com
+whitelist_from_dkim *@twitter.com
+whitelist_from_dkim *@bounce.twitter.com
+
+# Whitelist domains.
+# Reference: http://wiki.apache.org/spamassassin/ManualWhitelist
+#whitelist_from *@gmail.com
+
+# Locales.
+ok_locales all
+
+# Some sample custom file rules. Refer to SpamAssassin wiki site for more
+# details: http://wiki.apache.org/spamassassin/WritingRules
+#
+# Filter Headers.
+# -- Subject
+#header LOCAL_DEMONSTRATION_SUBJECT Subject =~ /\btest\b/i
+#score LOCAL_DEMONSTRATION_SUBJECT 0.1
+# -- From
+#header LOCAL_DEMONSTRATION_FROM From =~ /test\.com/i
+#score LOCAL_DEMONSTRATION_FROM 0.1
+# -- Look at all the headers and match if any of them contain the specified regex:
+#header LOCAL_DEMONSTRATION_ALL ALL =~ /test\.com/i
+#score LOCAL_DEMONSTRATION_ALL 0.1
+#
+# Filter mail body.
+#body LOCAL_DEMONSTRATION_RULE /test/
+#score LOCAL_DEMONSTRATION_RULE 0.1
+#describe LOCAL_DEMONSTRATION_RULE This is a simple test rule
+
+# Decrease score for authenticated senders.
+# IMPORTANT NOTES:
+#
+# 1) Please replace 'your\.server\.com' by the value of Postfix parameter
+# "myhostname".
+# 2) Please set 'smtpd_sasl_authenticated_header = yes' in Postfix main.cf.
+#
+#header AUTHENTICATED_SENDER Received =~ /Authenticated\ sender\:.*by\ your\.server\.com/
+#describe AUTHENTICATED_SENDER Header 'Received:' contains 'Authenticated sender:'
+#score AUTHENTICATED_SENDER -3
+
+# Checks if domain name of an envelope sender address matches the domain name
+# of the first untrusted relay (if any), or any trusted relay otherwise.
+# https://wiki.apache.org/spamassassin/Rules/RP_MATCHES_RCVD
+score RP_MATCHES_RCVD 0
+
+# SPF mismatch
+score SPF_FAIL 5
+
+razor_config /etc/mail/spamassassin/razor.conf
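Review bot: The seven four-value `score URIBL_*` lines set the network-test scores to roughly 0.1 to 0.45, so a hit on a URI blocklist, including the phishing list behind `URIBL_PH_SURBL`, adds almost nothing towards `required_score 5.0`. No comment says why the shipped scores are overridden, and the commented-out block just above proposes 3 for some of the same rules (`URIBL_SBL`, `URIBL_WS_SURBL`, `URIBL_PH_SURBL`). I would either remove these overrides so the distribution defaults apply, or keep them with a comment such as `# URIBL scores lowered on purpose: <reason>` so the next reviewer knows it was a deliberate trade-off.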
--- /dev/null
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# Only a small subset of options are listed below
+#
+###########################################################################
+
+# Add *****SPAM***** to the Subject header of spam e-mails
+#
+# rewrite_header Subject *****SPAM*****
+
+
+# Save spam messages as a message/rfc822 MIME attachment instead of
+# modifying the original message (0: off, 2: use text/plain instead)
+#
+# report_safe 1
+
+
+# Set which networks or hosts are considered 'trusted' by your mail
+# server (i.e. not spammers)
+#
+# trusted_networks 212.17.35.
+
+
+# Set file-locking method (flock is not safe over NFS, but is faster)
+#
+# lock_method flock
+
+
+# Set the threshold at which a message is considered spam (default: 5.0)
+#
+# required_score 5.0
+
+
+# Use Bayesian classifier (default: 1)
+#
+# use_bayes 1
+
+
+# Bayesian classifier auto-learning (default: 1)
+#
+# bayes_auto_learn 1
+
+
+# Set headers which may provide inappropriate cues to the Bayesian
+# classifier
+#
+# bayes_ignore_header X-Bogosity
+# bayes_ignore_header X-Spam-Flag
+# bayes_ignore_header X-Spam-Status
+
+
+# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
+# them to UTF-8 before the text is given over to rules processing.
+#
+# normalize_charset 1
+
+# Some shortcircuiting, if the plugin is enabled
+#
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+# default: strongly-whitelisted mails are *really* whitelisted now, if the
+# shortcircuiting plugin is active, causing early exit to save CPU load.
+# Uncomment to turn this on
+#
+# shortcircuit USER_IN_WHITELIST on
+# shortcircuit USER_IN_DEF_WHITELIST on
+# shortcircuit USER_IN_ALL_SPAM_TO on
+# shortcircuit SUBJECT_IN_WHITELIST on
+
+# the opposite; blacklisted mails can also save CPU
+#
+# shortcircuit USER_IN_BLACKLIST on
+# shortcircuit USER_IN_BLACKLIST_TO on
+# shortcircuit SUBJECT_IN_BLACKLIST on
+
+# if you have taken the time to correctly specify your "trusted_networks",
+# this is another good way to save CPU
+#
+# shortcircuit ALL_TRUSTED on
+
+# and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99 spam
+# shortcircuit BAYES_00 ham
+
+endif # Mail::SpamAssassin::Plugin::Shortcircuit
--- /dev/null
+debuglevel = 0
--- /dev/null
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA0XOwq9DHuWZyPU1CITlkb8Rpqqtzp6zipz37sJ9TukpiQz1eNfcr
+rHaCzZsdnS1395jgT++ZOJfgqGbx7/MP/oaXfeujWshMpx0vTOeIi7FAfwpc1qB1
+iY8suZpyObzLNszg8Bvc+qE97xOvMI2cM4fI94423XLI9nUve9U1vMTIsvztPmG+
+NiiyL4+9U2uSKb5NXRHWJT1KwooLJgZoHiYuIhyyLQ5QKZQVj147BeHE+xTSx9Cf
+fvkYxq23PregHu5mL5OGHheF9kqwoCeYMoSHelsWVBv+7QqIEnhSKpzEByL804zN
+1k/GCxyY7z9k4CrKrPB9Jari8ew108oPqwIBAg==
+-----END DH PARAMETERS-----
--- /dev/null
+-----BEGIN DH PARAMETERS-----
+MEYCQQDSc+hZPYcdopzZAnwu0RiI/5ZIcWXeCqXS9u+dUl6b7LXnnNs1EBARIvmM
+pVR4OTY1AY0sFhlSrdWGQI/427XLAgEC
+-----END DH PARAMETERS-----
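Review bot: The second DH parameter file added here appears to hold a 512-bit prime, judging by the length of the encoded block; the file just above it is several times longer. Parameters of that size are only used with export-grade cipher suites and offer no real protection against someone who can record or downgrade the handshake. Unless something still depends on it, I would drop this file and make sure no TLS setting such as Postfix's `smtpd_tls_dh512_param_file` points at it, leaving only the larger parameter file in use.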
--- /dev/null
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
frank:100000:65536
+vmail:165536:65536
+mlmmj:231072:65536
+iredadmin:296608:65536
+iredapd:362144:65536
+netdata:427680:65536
+frank:100000:65536
+vmail:165536:65536
+mlmmj:231072:65536
+iredadmin:296608:65536
+iredapd:362144:65536
frank:100000:65536
+vmail:165536:65536
+mlmmj:231072:65536
+iredadmin:296608:65536
+iredapd:362144:65536
+netdata:427680:65536
+frank:100000:65536
+vmail:165536:65536
+mlmmj:231072:65536
+iredadmin:296608:65536
+iredapd:362144:65536
# for what other values do
#kernel.sysrq=438
+vm.dirty_expire_centisecs=60000
+vm.dirty_background_ratio=80
+vm.dirty_ratio=90
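Review bot: These three settings carry no comment explaining them, and together they let dirty pages grow to 90% of available memory and stay unwritten for up to 600 seconds (`vm.dirty_expire_centisecs=60000`). On a mail host that widens the window in which buffered writes are lost on a crash or power failure, including the log files that the rsyslog rules in this commit write without syncing. I would add a comment such as `# writeback delayed on purpose: <reason and who set it>`, or return to the kernel defaults if no reason is known.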
--- /dev/null
+# Reference: https://mariadb.com/kb/en/the-mariadb-library/server-system-variables/#open_files_limit
+[Service]
+LimitNOFILE=infinity
--- /dev/null
+/lib/systemd/system/iredadmin.service
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/iredapd.service
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/mlmmjadmin.service
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/netdata.service
\ No newline at end of file
--- /dev/null
+[Service]
+LimitNOFILE=30000