Symbiosis differences


I plan to upgrade from a Bytemark Symbiosis server to a Brightbox Sympl server.

Step 1 - installation is complete.
Now I’m experimenting to see what has changed 🙂

First question - can I confirm that the outgoing firewall setup means that scripts can curl to other servers with no limitations? On Symbiosis I had to add PayPal, Stripe etc. to /etc/symbiosis/firewall/outgoing.d/50-reject-www-data
(sorry - I could probably fiddle about and confirm this for myself, but hopefully it is easy for someone to confirm/deny my suspicion and save me experimenting!)

If this is the case, then I’ll update Sympl for Symbiosis Users - Sympl Wiki to mention that.


Yes, I’m pretty sure there are no restrictions on outgoing connections in Sympl.
(I think it was dropped, or scheduled to be dropped, from Symbiosis when development stopped.)
And welcome to the Sympl forum!

Welcome, @fogma!

Yes, this was dropped in Symbiosis Stretch (so effectively only in Symbiosis Jessie), as it caused a LOT of headaches, effectively stopping things from updating and leading to more security issues.

Thanks for confirmation. I’ve updated the wiki to reflect this 🙂

Is another difference the fact that incoming email can now be pop3’d from a mailbox using the domain name as the server and the Let’s Encrypt SSL certificate works (i.e. it matches the domain)? Previously email had to be collected via the server’s generic domain name.

Sorry if I’ve got terminology wrong here. I have enough knowledge to be dangerous. But then that is why I’m using Sympl and trusting you guys to have set Sympl up correctly 😃

Yes, I think this is a result of Let’s Encrypt making it easier to include subdomains so mail.yourdomain.tld can use a certificate, and dovecot supporting SNI, but Sympl certainly sets things up to take advantage of it.

(In contrast, pure-ftpd in Debian 10 still does not support SNI, but future versions will, so currently you have to use the generic server name for FTPS.)

Yes, this is due to Sympl supporting SNI by default, so it configures Dovecot and Exim to re-use all available hostnames on whatever certificates you have in place at the moment.

For now, it doesn’t get certs with the mail, pop3, imap subdomains and so on, but that is one of the planned features (along with wildcard DNS) in the update I’m working on at the moment.

Yet I can configure mail clients to use the ‘mail’ subdomain now and it doesn’t complain about non-matching certificates - how does that work?

It may simply be the client being more lax with a not-exactly-matching name on the cert, unless you have an alias for pointing to…?

Indeed it is. iOS devices play up the most while other clients don’t moan at all. It is quite well documented with a little search.
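
A way to check which mail hostnames the served certificate really covers, rather than relying on whether a particular client complains. This is an added example, not part of the original thread: the example.com names and the SAN list are constructed, and `fetch_san_names`, `name_matches` and `uncovered` are hypothetical helper names.

```python
import socket
import ssl


def fetch_san_names(host, port=995, timeout=5.0):
    """Return the DNS names on the certificate served for `host` via SNI.

    Chain validation stays on; only the name check is deferred so that a
    mismatching certificate can still be inspected. Works for implicit-TLS
    ports only (995 POP3S, 993 IMAPS), not STARTTLS.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            sans = tls.getpeercert().get("subjectAltName", ())
    return [value for kind, value in sans if kind == "DNS"]


def name_matches(hostname, pattern):
    """Strict match: '*' is only honoured as the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def uncovered(hostnames, san_names):
    """Hostnames that a strict client would reject for this certificate."""
    return [h for h in hostnames
            if not any(name_matches(h, p) for p in san_names)]


# Constructed sample: a certificate issued for the web names only.
SAMPLE_SANS = ["example.com", "www.example.com"]
MAIL_NAMES = ["example.com", "mail.example.com", "pop3.example.com"]

if __name__ == "__main__":
    # Offline run over the constructed data; against a live server use
    # uncovered(MAIL_NAMES, fetch_san_names("mail.example.com")) instead.
    print(uncovered(MAIL_NAMES, SAMPLE_SANS))
```

Any name this reports is one a strictly validating mail client should refuse, which is consistent with some clients warning while more lenient ones stay silent.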