Tag Archives: ispconfig

ispconfig tlsa patch for dane using postfix

Hi There

I’ve added TLSA DNS RR support to my ISPConfig server. This howto relies on my previous post, which adds DNSSEC support to ISPConfig: http://www.paranoids.at/bind9-ispconfig-dnssec-inline-signing-ubuntu-1204/

Actually I’m using Ubuntu 14.04 with the most recent version of ISPConfig 3. With Ubuntu 14.04 you don’t need the bind PPA, because the bind version in 14.04 supports automatic key rollover for DNSSEC-signed zones.

Simply copy the files as follows (the SRV record form serves as the template for the new TLSA form):

cd /usr/local/ispconfig/interface/web/dns
cp -av dns_srv_edit.php  dns_tlsa_edit.php
cp -av form/dns_srv.tform.php form/dns_tlsa.tform.php
cp -av templates/dns_srv_edit.htm templates/dns_tlsa_edit.htm
cp -av lib/lang/de_dns_srv.lng lib/lang/de_dns_tlsa.lng   # language file for the new form

Then apply the patches to every file mentioned in them.

Here is the patch for the interface:
Here is the patch for the server:

You also have to alter the structure of the dns_rr table in dbispconfig; only the type column needs to be changed, as follows:


Here is a nice Firefox add-on to verify your DNSSEC and TLSA records: https://www.dnssec-validator.cz/

Here are the config snippets from Postfix’s main.cf (DNSSEC-validated lookups are required, otherwise DANE cannot be enforced):

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
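As an added example (my own code, not from ISPConfig or this post), here is how the TLSA record that the new dns_tlsa form would store, and that Postfix verifies with the DANE setting above, is derived from the MX host’s DER certificate: selector 1 hashes the SubjectPublicKeyInfo, so the block contains a minimal DER walker. The owner name `_25._tcp.mail.domain.tld.` is assumed and the certificate is a constructed stub whose only realistically shaped field is the SubjectPublicKeyInfo.

```python
import hashlib

def _tlv(buf, pos):
    """Decode the DER TLV at buf[pos]: (tag, whole_tlv, content, next_pos)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    return tag, buf[pos:end], buf[pos + hdr:end], end

def _children(content):
    out, pos = [], 0                                    # (tag, whole_tlv) members
    while pos < len(content):
        tag, whole, _, pos = _tlv(content, pos)
        out.append((tag, whole))
    return out

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo (TLSA selector 1) of a certificate."""
    cert_body = _tlv(cert_der, 0)[2]                    # Certificate ::= SEQUENCE
    tbs = _children(cert_body)[0][1]                    # tbsCertificate
    fields = _children(_tlv(tbs, 0)[2])
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    return fields[5][1]  # serial, signature, issuer, validity, subject, SPKI

def tlsa_record(owner, cert_der, usage=3, selector=1, mtype=1):
    """Zone line for owner (e.g. '_25._tcp.mail.domain.tld.'); 3 1 1 is DANE-EE."""
    data = spki_from_cert(cert_der) if selector == 1 else cert_der
    if mtype == 0:
        assoc = data.hex()                              # exact match, no hash
    elif mtype == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown TLSA matching type")
    return f"{owner} IN TLSA {usage} {selector} {mtype} {assoc}"

def _der(tag, content):                                 # encoder for the stub only
    return bytes([tag, len(content)]) + content         # short-form length (<128)

# Constructed stub certificate: every field except the SPKI is an empty placeholder.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101"))
                   + _der(0x05, b"")) + _der(0x03, b"\x00" + bytes(range(1, 21))))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + 4 * _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00\xff"))
```

Call `tlsa_record("_25._tcp.mail.domain.tld.", cert_der)` with the real DER certificate of the MX host to obtain the line to enter in the TLSA form.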

Have fun!

sogo auth with mysql and mysql(view) against ispconfig database


First step: let MySQL listen on the network (bind-address); verify this in your /etc/mysql/my.cnf:

grep bind /etc/mysql/my.cnf
#bind-address		=

(this should already have been done by the ISPConfig installer)

Create a MySQL database and a user, and grant that user all privileges on the database:

GRANT ALL PRIVILEGES ON  `sogo` . * TO  'sogo'@';

Use the database as root and create a special view. Because the view is created by root it runs with root as its definer, so the sogo user can read the selected mail_user columns through it without any grant on dbispconfig itself:

use sogo;
CREATE VIEW sogo_auth_view AS
SELECT  email AS c_uid,
             email AS c_name,
             password AS c_password,
             name AS c_cn,
             email AS mail
FROM dbispconfig.mail_user
WHERE disableimap='n' AND postfix ='y';

In your SOGo config set the following lines:


Have Fun!

bind9 ispconfig dnssec inline signing ubuntu 12.04


Here is a nice howto:

Install ISPConfig as shown on HowtoForge:
http://www.howtoforg … -dovecot-ispconfig-3

Install bind 9.9 from an Ubuntu PPA, because bind 9.8 does not support inline signing.
Add to your sources list:

deb http://ppa.launchpad.net/malcscott/bind9.9/ubuntu precise main
deb-src http://ppa.launchpad.net/malcscott/bind9.9/ubuntu precise main
aptitude update      # pick up the new source
aptitude install bind9

Create a directory for your zone keys and generate them:

mkdir /var/cache/bind/keys/
cd /var/cache/bind/keys/
dnssec-keygen -r /dev/urandom -f KSK domain.tld   # key-signing key (its DS goes to the registrar)
dnssec-keygen -r /dev/urandom domain.tld          # zone-signing key
chown bind:bind *                                 # named must be able to read the keys

(This should be patched into ISPConfig too; I haven’t had the time for it.)

Patch the ISPConfig template as follows:

--- a/usr/local/ispconfig/server/conf/bind_named.conf.local.master
+++ b/usr/local/ispconfig/server/conf/bind_named.conf.local.master
@@ -4,6 +4,8 @@
 zone "<tmpl_var name='zone'>" {
         type master;
 <tmpl_var name='options'>        file "<tmpl_var name='zonefile_path'>";
+       auto-dnssec maintain;
+       inline-signing yes;
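Review bot: the hunk header `@@ -4,6 +4,8 @@` announces six original and eight new lines, but only three context lines and the two `+` lines are visible, so the trailing context (the rest of the `zone` block) is missing and `patch` will reject the hunk as truncated; include the remaining lines of the block. The two added lines are also indented with seven spaces where the neighbouring `type master;` uses eight. `auto-dnssec maintain;` and `inline-signing yes;` only take effect once `key-directory` in named.conf.options points at the directory holding the generated keys, so that setting belongs in the same change.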

Add the following line to the options block of your named.conf.options:

key-directory "/var/cache/bind/keys/";

then restart bind:

service bind9 restart

You must push your DS RR to your registrar (in my case nic.at).
Here is how to extract it from your public key:

cd /var/cache/bind/keys/
# Kdomain.tld.KSK# stands for the KSK file generated above, named K<zone>.+<alg>+<keyid>.key;
# -1 emits a SHA-1 digest, -2 emits SHA-256 if your registrar accepts it
dnssec-dsfromkey -1 Kdomain.tld.KSK#

Here are some nice links:
https://kb.isc.org/a … -9.9.0-Examples.html

have fun!