[BlueOnyx:25301] Re: Proftpd, configuration issues / wishes

Tobias Gablunsky t.gablunsky at cbxnet.de
Tue Jan 18 10:46:54 -05 2022


Hello Michael,

> 
> Hi Tobias,
> 
> > 1) Users complain about certificate warnings, even when there is a valid
> > certificate installed. 
> > 
> > This can be fixed by delivering the proper ca cert, like i.e. dovecot
> > does. This can easily be accomplished by adding an entry
> > 
> > 
> >     TLSCertificateChainFile /etc/pki/dovecot/certs/ca.pem
> 
> It's only since recently that ProFTPd can do SNI and the general idea is
> that BlueOnyx 5211R will get a ProFTPd with SNI support enabled and I
> then port that back to 5210R and 5209R.
 
Well, we already have a "solution" in place: we create one big Let's Encrypt cert that includes all server names used for FTP and mail services on the machine. This of course is only semi-automatic and more of a hack. But it works for us (on 5209R); no customers are complaining about certificate warnings anymore. So this additional option would make our solution kind of round.

> > 2) We restrict PassivePorts to a smaller value than default to not have
> > to open firewalls too much to the outside.
> > 
> > 3) We disable mod_ban as we already have a working fail2ban
> > installation. I don't like to have too many sources to look for the
> > reason of a connection problem.
> > 
> > But these changes are getting overridden every now and then. 
> 
> Yes, these are currently hard-coded into the config and we replace that
> with every ProFTPd update. I'll see if we can make it configurable via
> the GUI and then retain the settings through updates.

Do you have some kind of schedule for that feature?

Thank you very much!

Tobias

> 
> -- 
> With best regards
> 
> Michael Stauber
> 
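Added example, not part of the original message and not BlueOnyx code: a small check that can be run after a ProFTPd package update to see whether the three local overrides discussed in this thread are still present in the config. The function names, the `MAX_PASSIVE_SPAN` limit and both sample configs are constructed for illustration, and it assumes mod_ban is switched via its `BanEngine` directive.

```python
# Added example: detect lost local overrides in proftpd.conf after an update.
# Policy values are assumptions; only the chain file path comes from the thread.
EXPECTED_CHAIN = "/etc/pki/dovecot/certs/ca.pem"
MAX_PASSIVE_SPAN = 100  # assumed: largest passive port window the firewall opens

def parse_directives(text):
    """Map lowercased directive name -> list of argument lists."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and <Section> open/close tags.
        if not line or line[0] in "#<":
            continue
        name, *args = line.split()
        found.setdefault(name.lower(), []).append(args)
    return found

def check_drift(text):
    """Return a list of local overrides that are missing or reverted."""
    d = parse_directives(text)
    problems = []
    if [EXPECTED_CHAIN] not in d.get("tlscertificatechainfile", []):
        problems.append("TLSCertificateChainFile not set to expected CA chain")
    ports = d.get("passiveports", [])
    if not ports:
        problems.append("PassivePorts not set")
    for args in ports:
        if len(args) != 2 or not all(a.isdigit() for a in args):
            problems.append("PassivePorts malformed: " + " ".join(args))
        elif int(args[1]) - int(args[0]) + 1 > MAX_PASSIVE_SPAN:
            problems.append("PassivePorts range wider than firewall window")
    if any(a and a[0].lower() == "on" for a in d.get("banengine", [])):
        problems.append("mod_ban enabled (BanEngine on)")
    return problems

# Constructed sample configs (not taken from a BlueOnyx system).
CUSTOMIZED = """\
TLSCertificateChainFile /etc/pki/dovecot/certs/ca.pem
PassivePorts 30000 30099
<IfModule mod_ban.c>
  BanEngine off
</IfModule>
"""
AFTER_UPDATE = """\
PassivePorts 30000 45000
<IfModule mod_ban.c>
  BanEngine on
</IfModule>
"""

if __name__ == "__main__":
    for label, conf in (("customized", CUSTOMIZED), ("after update", AFTER_UPDATE)):
        print(label, check_drift(conf) or "OK")
```

To use it on a live system, pass the contents of the active ProFTPd config file to `check_drift()` and alert on a non-empty result.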



