GDPR Plugin for ISPConfig

With our ISPConfig GDPR Plugin we have developed an enhancement that allows you and your customers to sign online contracts for data processing.

As an admin, you also have the option of generating agreements or other contracts directly and sending them to the client.

You can also export all data stored for a customer in ISPConfig to generate information about the stored data. Of course, every client can also do this himself.

Try the GDPR Plugin for free

You can download the plugin here and test it for 14 days for free. As a license you simply use “TRIAL”.

If you want to use the GDPR Plugin afterwards, you need a license.

Installation

Download the plugin to your server, unpack the archive and change to the directory ispconfig-gdpr.

If you haven’t installed the ionCube Loader yet, you can do it either with the script install_ioncube.php or manually for all PHP versions and modes.

php -q install_ioncube.php

We have only tested the script on Debian 7-9 and Ubuntu 14-18 so far. If you are using CentOS, for example, you may have to install the ionCube Loader manually.

For the manual installation we recommend following https://www.howtoforge.com/tutorial/how-to-install-ioncube-loader/

If the ionCube-Loader is installed, you start the installation:

php -q install.php

After that you only have to log in to ISPConfig as admin and activate the module GDPR for the user admin (under System / CP User / Edit User). Then log off once and log on again.

Update

Just start

/usr/local/ispconfig/server/scripts/gdpr/gdpr_update.sh

You can also download the current version, unpack the archive, change to the ispconfig-gdpr directory and then call php -q update.php.

Features of the GDPR Plugin:

  • Automatic generation of order processing (GDPR) contracts by a client
  • Automatic generation of order processing (GDPR) contracts by the admin for a client
  • Generated order processing (GDPR) contracts are saved directly as PDF files
  • Ability for the client to revoke an existing agreement
  • Upload option for the admin to provide additional contracts / data for a client
  • Support of several companies
  • Individual templates for generating contracts
  • Individual templates for sending email
  • Ability to store contracts and other data on the hard disk or directly in the database
  • Export function for the data stored for a client (PDF or XML)
  • The GDPR Plugin is integrated in ISPConfig and can be accessed via the ISPConfig Admin/Client Login
  • Standard PDF templates for companies

License

The ISPConfig GDPR Plugin is an extension to ISPConfig and is not subject to the BSD license.

One license costs 80,00 EUR (95,20 EUR incl. 19% Tax) and includes updates for one year after activation of the license.

Customers who already have a license and want to receive further updates after one year can extend the “update time” for another year for 40.00 (47.60 EUR incl. 19% Tax).

Manual

You can download the manual for free here.

ISPConfig GDPR

In order to get ISPConfig GDPR compatible, we think that the default log file storage time for websites should be decreased and the statistics should be turned off. ISPConfig itself has no problems with the GDPR, because you can delete customers at any time and all data stored with this customer will be removed from your server.

With the next ISPConfig release 3.1.12 the storage time of 10 days will be standard for new websites. However, a change for existing websites does not make sense, as the software is also used outside of the EU.

Problem Statistics

The programs for creating web server statistics AWStats and Webalizer, which can be used with ISPConfig, also output the complete IP addresses of website visitors, if no corresponding adjustments have been made to the code.

We consider this to be incompatible with the GDPR and have therefore deactivated the statistics on all our web servers (own and full-managed). To avoid doing this manually for each site, you will find a small bash snippet at the end, which you can simply run as root on your server. If you don’t have a --defaults-file, you can use -p instead and then enter your root password for MySQL. Of course you can also enter the commands in PHPMyAdmin.

Problem Logfiles

The default setting for log files of all websites is 30 days. We think that a significantly lower value is sufficient. Here we take 10 days as an example. However, you should certainly ask yourself whether you really need to store the data for that long. The complete IP is certainly needed in the log files to secure the server or to detect problems. But if you haven’t noticed an attack after 10 days, even a longer storage time won’t help much…

Solution

Don’t forget to make the changes on all servers if you have a multi-server setup.

And this is how it works with a single SQL call:

mysql --defaults-file=/etc/mysql/debian.cnf --database=dbispconfig -e "
ALTER TABLE web_domain CHANGE stats_type stats_type varchar(255) DEFAULT ''; 
ALTER TABLE web_domain CHANGE log_retention log_retention INT(11) NOT NULL DEFAULT '10'; 
UPDATE web_domain SET log_retention = '10' WHERE log_retention > 10;
UPDATE web_domain SET stats_type = '';
"

 

ISPConfig Automail

With our plugin ISPConfig Automail you can automatically configure email clients like Thunderbird or Outlook.

Whether you use one or more mail servers for the domains makes no difference. Just define the appropriate data such as host name and port for each mail server. Everything else is done through a small web page that provides an Autoconfig service (Thunderbird) or Autodiscover service (Outlook).

Autoconfig and Autodiscover request XML files via different addresses, to configure the email client according to your specifications.

To use the ISPConfig Automail, you only need a current version of ISPConfig and a website (Apache or nginx).

The plugin consists of two parts

  • the interface plugin for ISPConfig to manage the settings
  • a script to generate the relevant XML documents under the respective domain

In this example example.com is your domain, over which the automatic setup of the mail clients will run. You are free to choose this domain. The domain client.com is the domain that queries example.com for the setup.

Install ISPConfig Automail

cd /tmp
wget https://download.schaal-it.net/ispconfig-automail.tgz
tar xfz ispconfig-automail.tgz
cd automail
php install.php

Activate the plugin

Log in to ISPConfig as admin, go to System / CP User and activate the module automail for the user admin. After you have logged off and on again, the module is available for you.

Remote-User

Create a remote user who can use the “automail functions”. If you have a multi-server setup, you may need to allow remote access.

Configure the plugin

Under Provider-ID you enter a unique ID that identifies your setup. You can use the domain name of your server.

The two Hostnames are the names by which mails are retrieved (IMAP/POP3) and sent (SMTP). If you run everything on the same server, you must enter the same name in both fields.

For Ports, enter the ports that should be used for your mail server.

ISPConfig Automailer Setup

Create the required DNS records

You need an A-record for autoconfig.example.com and autodiscover.example.com pointing to your web server. If you use IPv6, you should also create AAAA records.

Create two entries in each customer domain. A simple CNAME is enough for autoconfig:

autoconfig.client.com. CNAME autoconfig.example.com.

For autodiscover an SRV record is recommended. This will give you a certificate warning during setup, but it is the easiest way to set up any number of customer domains:

_autodiscover._tcp.client.com. SRV 0 0 443 autodiscover.example.com.

Create the website in ISPConfig

Now you have to create the website autoconfig.example.com with PHP support and without auto subdomain in ISPConfig. You should also secure this site using SSL. This is not required for autoconfig, but will be needed later for autodiscover. You can easily use Let’s Encrypt.

You have to set the directives for Apache or nginx accordingly:

Apache

ServerAlias autoconfig.*

nginx

# ^~ is a literal prefix match (not a regex), so the dot must not be escaped
location ^~ /config.php { deny all; }

location / { 
rewrite autodiscover\.xml$ /index.php last; 
rewrite Autodiscover\.xml$ /index.php last; 
rewrite config-v1\.1\.xml$ /index.php last; 
}
server_name autoconfig.*;

With alias or server_name this domain can be used later by any customer or email domain.

Create the alias domain autodiscover.example.com and point it to autoconfig.example.com. You don’t need any redirects, the important thing is that the domain has an SSL certificate. A-Records in DNS are enough to point to your web server so you can use Let’s Encrypt.

Upload the script to the website

Upload the files from the website directory from the archive to the newly created website and adjust the data in config.php. Rename the htaccess to .htaccess. If you use nginx, you can also delete the file directly.

Test

You can easily test Autoconfig via wget:

wget "http://autoconfig.client.com/config-v1.1.xml?emailaddress=test@client.com" -O test

In the file test you will find the result. The email address must exist of course.

For Autodiscover there is the Microsoft Remote Connectivity Analyzer.

 

Spam mail: understanding the header and moving mails

Various scanners can be used to scan incoming and outgoing mail. For example, ISPConfig uses SpamAssassin, ClamAV and Amavis. The individual threshold values (more on this later) can be defined individually.

To prevent spam from appearing in the inbox, you can automatically move mails to a separate folder based on an individual spam value. This makes spam mails visible via an IMAP client or a webmailer and reduces the risk of not seeing a mail mistakenly identified as spam.

Caution: when the mails are picked up using POP3, the moved mails will not be retrieved. They are no longer in the inbox, but in a subfolder. This moving is always done directly on the server.

Scan Procedure

  • postfix receives the mail
  • and relays the mail to amavis
  • on the basis of different spam rules (see also current rules for SpamAssassin from schaal @it) the mail gets different information in the header
  • Amavis sends the mail back to Postfix

Structure of a mailheader

We deliberately leave out most of the entries from a mail header because they are not relevant for detecting or moving spam. The essential lines of a mail header look, for example, like this:

 X-Virus-Scanned: Debian amavisd-new at scan.schaal-it.net
 X-Spam-Flag: YES
 X-Spam-Score: 7.039
 X-Spam-Level: *******
 X-Spam-Status: Yes, score=7.039 tagged_above=3 required=5 tests=[BAYES_50=0.8, DATE_IN_PAST_24_48=1.34, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SCHAALIT_HEADER_964=5] autolearn=no

X-Virus-Scanned

The first line shows which scanner was used. If you want other information, you can adjust the Amavis config accordingly. For Debian or Ubuntu, this would be $X_HEADER_LINE in /etc/amavis/conf.d/20-debian_defaults.

X-Spam-Flag

If this is set to YES, the mail was classified as spam.

X-Spam-Score

The X-Spam score is the value that SpamAssassin has determined based on its filter rules for the mail. In ISPConfig, you can define the value from which a mail should be marked as spam (5.00 for Trigger happy) under Policy – Spamfilter policy – Tag Level in the “SPAM tag2 level” field.

X-Spam-Level

This is the integer part of X-Spam-Score written as asterisks (*). In our case, the score is 7.039 and thus there are seven asterisks. You can use this value in your own filter if you do not want to use the X-Spam-Score.

X-Spam-Status

Yes, score=7.039: this is the same information as in X-Spam-Flag and X-Spam-Score.

tagged_above=3 specifies the value from which these lines listed here should be inserted into the header. For ISPConfig, this is the “SPAM tag level” for the Spamfilter policy.

required=5 is the value from which the mail is then marked as spam and the X-Spam flag is set to YES. For the Spamfilter policy, this is the “SPAM tag2 level”

tests= shows you which individual rules SpamAssassin has applied and how many points have been set for this mail:

BAYES_50, DATE_IN_PAST_24_48 and SCHAALIT_HEADER_964 have increased the value, the signing with DKIM has reduced the score by a total of 0.1 (DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU) and RP_MATCHES_RCVD has decreased the value by 0.001.

Overall, therefore:

0.8 + 1.34 + 5 = 7.14

0.1 - 0.1 - 0.1 = -0.1

- 0.001

And this brings us to a score of 7.14 - 0.1 - 0.001 = 7.039

If you are interested in the contents of the tests, you can find the rules in different folders in /var/lib/spamassassin. As an example we take the rule SCHAALIT_HEADER_964:

header SCHAALIT_HEADER_964 From =~ /\@pkv.*\.(online|net|com|org|co|info|de)/
describe SCHAALIT_HEADER_964 schaal @it Spam Header-964
score SCHAALIT_HEADER_964 5

The rule applies to the From line in the mail. It uses a regular expression that matches various spam mails on the subject of German private health insurance.
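The header breakdown above can be checked mechanically. The following is an added example, not code from the original page or from ISPConfig: it parses an X-Spam-Status value, recomputes the score from the tests= list and compares the verdict with the required threshold. The function names and the 0.01 tolerance are assumptions; the sample is the header line shown on this page.

```python
import re

# Sample input: the X-Spam-Status value from this page, joined onto one line.
SAMPLE = ("Yes, score=7.039 tagged_above=3 required=5 tests=[BAYES_50=0.8, "
          "DATE_IN_PAST_24_48=1.34, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, "
          "DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SCHAALIT_HEADER_964=5] "
          "autolearn=no")

NUM = r"(-?\d+(?:\.\d+)?)"
FIELD_RE = re.compile(r"\b(score|tagged_above|required)=" + NUM)
TESTS_RE = re.compile(r"tests=\[([^\]]*)\]")
RULE_RE = re.compile(r"([A-Za-z0-9_]+)=" + NUM)


def parse_spam_status(value):
    """Split an X-Spam-Status value into verdict, thresholds and rule points."""
    value = " ".join(value.split())  # undo header folding (CRLF + whitespace)
    fields = {k: float(v) for k, v in FIELD_RE.findall(value)}
    missing = {"score", "tagged_above", "required"} - fields.keys()
    if missing:
        raise ValueError("missing fields: " + ", ".join(sorted(missing)))
    m = TESTS_RE.search(value)
    tests = {n: float(p) for n, p in RULE_RE.findall(m.group(1))} if m else {}
    flag = value.split(",", 1)[0].strip().lower() == "yes"
    return {"flag": flag, "tests": tests, **fields}


def audit(status, tolerance=0.01):
    """Recompute the score from the rule points and cross-check the header."""
    tests = status["tests"]
    total = round(sum(tests.values()), 3)
    return {
        "recomputed": total,
        # the rule points should add up to the reported score
        "consistent": abs(total - status["score"]) <= tolerance,
        # the Yes/No verdict should agree with score >= required (tag2 level)
        "flag_matches": status["flag"] == (status["score"] >= status["required"]),
        # rules that raised the score, highest contribution first
        "top_rules": sorted((n for n in tests if tests[n] > 0),
                            key=lambda n: -tests[n]),
    }


def would_be_flagged(status, tag2_level):
    """What-if: would this mail be marked as spam under another tag2 level?"""
    return status["score"] >= tag2_level


if __name__ == "__main__":
    s = parse_spam_status(SAMPLE)
    print(audit(s))                 # score recomputed from the seven rules
    print(would_be_flagged(s, 10))  # the tag2 level 10 case from the page
```

A header whose rule points do not add up to the reported score, or whose Yes/No verdict contradicts the threshold, was not written by the scanner in this form and should not be trusted by a downstream filter.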

Move the mail to the spam folder

After Postfix has returned the mail from Amavis (see Scan Procedure), the mail is either sent, or – if the recipient is one of our users – delivered via Dovecot into the mailbox.

The local delivery of the mail by Dovecot is one of the decisive points: if the mail was previously marked as spam by SpamAssassin, it is not moved to the inbox, but to the subfolder Junk. For ISPConfig, the checkbox for the email account in the email filters must be set to “Move Spam Emails to Junk directory”.

Basics about the filters with ISPConfig

  1. A spam filter must be selected for the domain or mailbox. If a filter is defined for both the domain and the mailbox, the settings from the mailbox apply. If only the domain has a filter, it is also used for the mailbox. In short: the mailbox overrides the domain; this is the only way to define individual policies for each mailbox. If you use an alias, the policy for the domain applies.
  2. The selected spam filter must be defined in such a way that the corresponding values also “fit” to the mail. If our filter had a “SPAM tag2 level” of 10, the mail would not be marked as spam.
  3. Spam-mails will only be moved if “Move Spam Emails to Junk directory” is set.
  4. Only the administrator can change or create policies. If every user had this possibility, a change would affect all the mailboxes that use this filter. If in doubt, it is better to suggest an additional policy.

Current rules for SpamAssassin from schaal @it

We regularly publish new rules for the spam filter SpamAssassin of the Apache Software Foundation. Of course, you can also use the rules for the ISPConfig spam filter settings.

Most of our rules have a score of 5.

Our rules can be used free of charge. For this, only our channel has to be added to the SpamAssassin-Config or our script has to be installed. Please do not forget to restart SpamAssassin after installing or updating rules.

SpamAssassin uses DNS checks to detect new rules, so the script can be called every hour or at least daily without generating a significant load.

Install our ruleset (the --nogpg option makes sa-update skip GPG signature verification of the downloaded rules):

sa-update --nogpg --channel sa.schaal-it.net

To keep the rules up-to-date, just install a simple shell-script in /etc/cron.hourly:

cd /etc/cron.hourly && wget sa.schaal-it.net/sa-update && chown root:root sa-update && chmod 755 sa-update

This will install this script:

#!/bin/sh
# schaal @it
#
# Simple script to update SpamAssassin

SYSLOG_TAG=sa-update

compile=0

logger -d -t $SYSLOG_TAG "Start SA-Update"

sa-update --nogpg
retval="$?"
if [ $retval -eq 0 ]; then compile=1; fi


sa-update --nogpg --channel updates.spamassassin.org
retval="$?"
if [ $retval -eq 0 ]; then compile=1; fi

sa-update --nogpg --channel sa.schaal-it.net
retval="$?"
if [ $retval -eq 0 ]; then compile=1; fi

if [ $compile -eq 1 ]; then
	logger -d -t $SYSLOG_TAG "SA-Update found"
	sa-compile
	/etc/init.d/amavis restart
else
	logger -d -t $SYSLOG_TAG "No SA-Update found"
fi

To add more rules to the spam filter simply add one or more blocks before if [ $compile -eq 1 ]; then:

sa-update --nogpg --channel updates.spamassassin.org
retval="$?"
if [ $retval -eq 0 ]; then compile=1; fi

sa-update --nogpg --channel sought.rules.yerp.org
retval="$?"
if [ $retval -eq 0 ]; then compile=1; fi

sa-update --nogpg --channel spamassassin.heinlein-support.de
retval="$?"
if [ $retval -eq 0 ]; then compile=1; fi

ISPConfig Backup-Space remote

You can use our BackupSpace as an external backup space for ISPConfig.

ISPConfig offers you the possibility to save the backups directly to an external storage. It makes no sense to keep the data needed for recovery on the very server that has to be restored in case of problems.

To do this, enable the option “Backup directory is a mount” and create a small shell script.

Mount-Script

The script /usr/local/ispconfig/server/scripts/backup_dir_mount.sh is used to mount the external storage before backups. With our backup space you only need two lines:

#!/bin/bash
sshfs DEINE-ID@DEINE-ID.backup.schaal-it.com:/backups/backup /var/backup

Finally, set the right permissions for the script:

chown root:root /usr/local/ispconfig/server/scripts/backup_dir_mount.sh
chmod 700 /usr/local/ispconfig/server/scripts/backup_dir_mount.sh

If you want, you can unmount the space after the backups. Just create the script /usr/local/ispconfig/server/scripts/backup_dir_umount.sh:

#!/bin/bash
umount /var/backup

Whether you use umount or not is up to you. If the backup space is not mounted, ISPConfig will always attempt to mount the storage. This is the case not only for backups, but also when restoring individual backups.