v1.0.200
Comprehensive SSL automation upgrade — wildcard and SAN aggregate certificate strategies, subdomain provisioning correctness, OCSP stapling, and mail delivery reliability
New Features
- New SSL Auto-Issue strategies: Let's Encrypt wildcard via Cloudflare DNS-01 (one cert covers every present and future subdomain) and SAN aggregate (one cert covering parent + www + all active subdomain FQDNs, capped at 95 SANs). Drastically reduces ACME challenge surface and rate-limit pressure.
- OCSP Stapling enabled by default in all nginx vhost templates (main domain and subdomain blocks). Reduces TLS handshake latency and avoids exposing client IP addresses to CA OCSP responders. Harmless on self-signed certs.
Improvement
- SMTP relay control matches cPanel behavior: mynetworks always includes 127.0.0.0/8, [::1]/128 and the panel primary IP; smtpd_recipient_restrictions enforces permit_mynetworks, optional permit_sasl_authenticated, and reject_unauth_destination.
Bug Fixes
- Subdomain SSL HTTP-01 challenge now succeeds on all active subdomains. Three layered fixes: path-walk permission re-asserted to 0755, .well-known POSIX ACL inheritance corrected, and document_root tree made world-readable for nginx and Apache.
- Subdomain Apache vhost generation gate aligned with nginx generator. Previously, domains with web_server=nginx had their subdomain proxied to Apache without a corresponding Apache vhost, causing Apache to fall back to the wrong default vhost. All 11 gate checks unified.
- SpamAssassin/Postfix integration: when spamc binary or spamd user is absent, integration is now silently disabled instead of writing a broken master.cf entry that caused Postfix to reject all inbound mail.
- Postfix master.cf parser no longer activates commented-out smtp entries; a processed flag ensures only the first matched block is toggled.
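
The master.cf handling described in the last two fixes, as an added example that is not the panel's own code: the integration is skipped when spamc or the spamd user is missing, commented-out entries are never matched, and a processed flag limits the change to the first matching entry. The function names, the `content_filter=spamassassin` option being toggled, the `smtp inet` match rule and the sample file are assumptions made for illustration.

```python
import pwd
import shutil

FILTER_OPT = "  -o content_filter=spamassassin"  # assumed filter service name

# Constructed sample master.cf (not taken from the panel).
SAMPLE = """\
#smtp      inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/old
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
smtp      unix  -       -       y       -       -       smtp
"""


def spamassassin_available(which=shutil.which, getuser=pwd.getpwnam):
    """True only when both the spamc binary and the spamd account exist."""
    if which("spamc") is None:
        return False
    try:
        getuser("spamd")
    except KeyError:
        return False
    return True


def enable_filter(master_cf, available):
    """Add the filter option to the first active 'smtp inet' entry only."""
    lines = master_cf.splitlines()
    active = [l for l in lines if not l.lstrip().startswith("#")]
    # Prerequisite missing, or option already on an active line: no change.
    if not available or any(FILTER_OPT.strip() in l for l in active):
        return master_cf
    out, processed = [], False
    for line in lines:
        out.append(line)
        fields = line.split()
        # A service entry starts in column 1. Comment lines and indented
        # continuation lines must never match.
        is_entry = bool(fields) and not line[0].isspace() and line[0] != "#"
        if (not processed and is_entry and len(fields) >= 8
                and fields[:2] == ["smtp", "inet"]):
            out.append(FILTER_OPT)
            processed = True  # later matches are left alone
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(enable_filter(SAMPLE, spamassassin_available()), end="")
```

Running `postfix check` on the edited file before reloading catches a malformed entry before it can affect inbound mail.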