I plan to upgrade from a Bytemark Symbiosis server to a Brightbox Sympl server.
Step 1 - installation is complete.
Now I’m experimenting to see what has changed
First question - can I confirm that the outgoing firewall setup means that scripts can curl to other servers with no limitations? On Symbiosis I had to add Paypal, Stripe etc to /etc/symbiosis/firewall/outgoing.d/50-reject-www-data
(sorry - I could probably fiddle about and confirm this for myself, but hopefully it is easy for someone to confirm/deny my suspicion and save me experimenting!)
Yes, I’m pretty sure there are no restrictions on outgoing connections in Sympl.
(I think it was dropped, or scheduled to be dropped, from Symbiosis when development stopped.)
And welcome to the Sympl forum!
Yes, this was dropped in Symbiosis Stretch, (so effectively only in Symbiosis Jessie), as it caused a LOT of headaches, effectively stopping things from updating and leading to more security issues.
Is another difference the fact that incoming email can now be pop3’d from a mail box using the domain name as the server and the Letsencrypt SSL certificate works (i.e. it matches the domain)? Previously email had to be collected via the server’s generic domain name.
Sorry if I’ve got terminology wrong here. I have enough knowledge to be dangerous. But then that is why I’m using Sympl and trusting you guys to have set Sympl up correctly
Yes, I think this is a result of LetsEncrypt making it easier to include subdomains so mail.yourdomain.tld can use a certificate, and dovecot supporting SNI, but Sympl certainly sets things up to take advantage of it.
(in contrast, pure-ftpd in Debian 10 still does not support SNI, but future versions will, so currently you have to use the generic server name for FTPS)
Yes, this is due to Sympl supporting SNI by default, so it configures Dovecot and Exim to re-use all available hostnames on whatever certificates you have in place at the moment.
For now, it doesn’t get certs with the mail, pop3, imap subdomains and so on, but that is one of the planned features (along with wildcard DNS) in the update I’m working on at the moment.
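To see for yourself which names a mail server's certificate actually covers when you connect with SNI (rather than relying on a mail client that may silently accept a near-miss), here is an added Python checker. It is example code written for this thread, not part of Sympl or Dovecot; the host and port choices (implicit-TLS IMAP on 993, POP3 on 995) and the sample certificate dict used below are assumptions. The chain is still validated against the system CA store, but the hostname comparison is done by hand so the script can print the full SAN list alongside the verdict.

```python
import socket
import ssl
import sys
from typing import Iterable, List

# Assumed implicit-TLS ports for the two protocols discussed in the thread.
PORTS = {"imaps": 993, "pop3s": 995}


def hostname_matches(hostname: str, names: Iterable[str]) -> bool:
    """RFC 6125-style comparison of a hostname against dNSName SAN entries.

    A wildcard is honoured only in the left-most label and only for a single
    label, so "*.example.com" covers "mail.example.com" but not "example.com"
    or "a.b.example.com".
    """
    host = hostname.lower().rstrip(".")
    for name in names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            if host.endswith(suffix) and host.count(".") == pattern.count("."):
                return True
    return False


def san_dns_names(cert: dict) -> List[str]:
    """Pull the dNSName entries out of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_mail_sni(hostname: str, protocol: str = "imaps", timeout: float = 5.0) -> dict:
    """Connect with SNI set to `hostname` and report whether the served cert covers it.

    check_hostname is disabled only so that we can do the comparison ourselves
    and show the SAN list; verify_mode stays CERT_REQUIRED, so a broken chain
    (e.g. a self-signed or expired Let's Encrypt cert) still raises.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, PORTS[protocol]), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            names = san_dns_names(tls.getpeercert())
    return {"host": hostname, "protocol": protocol, "san": names,
            "matches": hostname_matches(hostname, names)}


if __name__ == "__main__":
    # Usage: python3 check_sni.py mail.example.com [imaps|pop3s]
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # assumed name
    proto = sys.argv[2] if len(sys.argv) > 2 else "imaps"
    result = check_mail_sni(target, proto)
    print(f"{result['host']} ({result['protocol']}): SAN={result['san']} "
          f"covered={result['matches']}")
```

If `covered=False` but your mail client still connects happily, the client is being lax about the name, not the server; if the SAN list contains only the generic server name, the certificate in place for that domain does not include the mail hostname.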
It may simply be the client being more lax with a not-exactly-matching name on the cert, unless you have an alias for mail.example.com pointing to example.com…?