DevHeads.net

Postings by LuKreme

Sporadic, repeated connections from aws

I've had the following in my fqrdns.pcre checks for quite a while:

/^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$/ REJECT Generic - Please relay via ISP (amazonaws.com)

And I have noticed that I frequently get a series of 50 or more connection attempts from some aws server out there in a burst (50+ connections in a few minutes).

Fine, everything is working as it should with my settings, the connection is dropped right away (although the REJECT is not logged).

Am I right in blocking these connections?

unable to find user

I am using postfix => spamass-milter => SpamAssassin and I get occasional errors like these.

spamd: handle_user (userdir) unable to find user: 'virtualuser'

For example, if I have a virtual user "john" who redirects to the local user jsmith, I get that error with the username of "john" while mail to jsmith goes through fine.

Is it possible to send the user name to the milter after virtual maps have been applied?

apache service unavailable

Due to a large blizzard, we lost power for some period of time today, and the server's UPS didn't hold out. After the power was back, https responds to all attempts to connect with

"The service is not available. Please try again later."

displayed in the browser.

Nothing shows up in the httpd-error.log, but httpd-access.log looks odd.

ClamAV-milter

Trying to configure clamav-milter with postfix-current-3.4.20181105,5 under FreeBSD 11.2-RELEASE, but I’ve missed something since no mail is actually getting processed by ClamAV-milter, including the EICAR test mails which sail through without triggering anything.

I’ve tried to provide everything that could be relevant (mostly in an effort to re-examine everything) but at this point I’m stumped.

smtpd_milters =
unix:/var/run/spamass-milter.sock,
unix:/var/run/clamav/clmilter.sock

# sockstat | grep milter
root spamass-mi 24145 4 stream /var/run/spamass-milter.sock
clamav cla

0 length robot.txt

This is probably a coincidence, but I had one of my hosted sites (with no php code anywhere, and certainly no .php files) returning a script error on load instead of showing the non-php webpage:

[proxy_fcgi:error] [pid 88148] [client xx.xx.xx.xx:63137] AH01071: Got error 'Primary script unknown\n'

And it would display a blank page for a few seconds, then “File Not Found” would appear.

Updating to php 7.0 and having apache still work?

Once again I have tried, and failed, to move from php 5.6 to php 7.0 (using postmaster under FreeBSD 11.3-RELEASE). The results are largely the same: php pages don't load, with either "Primary script unknown" or complaints about filter() (which is built in to both php56 and php70).

I’m sure this is all my doing.

So… is there a decent document or how-to or step-by-step on how to update the php under apache without everything in apache breaking?

(php itself works fine, it’s the integration with apache 2.24 that I keep managing to FUBAR. Currently on apache 2.4.35)

Reverse proxy

If I have a secondary web service running on www.example.com:8000 and I want to create a reverse proxy on port 8001, how do I prevent users from connecting to <IP>:8000 anyway?

DocumentRoot in ProxyPass?

Is it possible to do something along these lines in the apache.conf files?

DocumentRoot /usr/local/www/roundcube/
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000${DocumentRoot}$1

(that is, not have to repeat the information that is already in the configuration)

TLS not offered by host

When connecting to a server that does not offer TLS (or the right level) does postfix log (or can it) the level of security that was offered?

status=deferred (TLS is required, but was not offered by host

(I get very few of these (two servers in the last week), but I'd like to be able to tell the admin of the server what low-level security they are offering).

my smtp_tls* settings:
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt

and

tls_preempt_cipherlist = yes
tls_ssl_options = no_ticket, no_compression

Apache 2.4 and DirectoryIndex and htaccess

I have a working webroot, and it has an index.php file.

SASL LOGIN authentication failed

In these log lines, what is "UGFzc3dvcmQ6"?

May 12 07:52:07 mail submit-tls/smtpd[32670]: warning: vps1590651.vs.webtropia-customer.com[62.141.41.104]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 17:05:14 mail submit-tls/smtpd[87898]: warning: ma350.mars.fastwebserver.de[193.111.198.88]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 18:21:36 mail submit-tls/smtpd[65165]: warning: vps1590646.vs.webtropia-customer.com[62.141.41.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Root user's sent mail

The root user sends out some periodic mails to users. These mails get placed in /root/sent (an mbox file) instead of in /root/Maildir/.Sent/ (a Maildir directory).

It’s not a big deal, but it makes clearing the mails periodically slightly more difficult.

The mails are sent via a crontab entry much like this:
<command> | mutt -e 'set content_type=text/html' -s "DMR $($YDAY)" ... at kreme dot com -b ... at kreme dot com

main.cf: home_mailbox = Maildir/

But I suspect the issue here is mutt and not postfix?

rsyslogd and postfix

This might be of use to others out there.

inet_interfaces

I changed my inet_interfaces setting this morning, and stopped and started postfix (postfix stop; postfix start)

# postconf -n inet_interfaces
inet_interfaces = 127.0.0.1, 65.121.55.42

But when I am trying to send emails to a certain company, I am getting an SPF error (even though my entire netblock is in the SPF settings) that claims I am connecting from a different IP (an IP that is assigned to the same physical machine as postfix) than specified in inet_interfaces.

status=bounced (host mail.synology.com[59.124.61.242] said: 550 5.7.1 < ... at synology dot com>: Recipient address rejected: Me

Read Only account

How would I configure a user so that they could only read mail and not send any mail (even to local users).

Not receiving messages from mail servers

I finally managed to isolate this. I have not been receiving mails from some mail servers and there's very little being logged. I obviously set some configuration that mucked things up.

TLS 1.3

Now that TLS 1.3 has been approved, what is the status of using it with Apache? Last I heard apache 2.4 couldn't build against openssl 1.1, but that was a year ago.

Which user lookup wins?

When postfix checks for a local user it looks at any local user (like /home/fred), I assume by checking /etc/passwd or similar (I have local users who can receive mail who are not mentioned in any /etc/postfix/* file, so postfix knows about them from somewhere outside of postfix’s config file) and then it also checks for virtual_mailbox_domains and virtual_alias_maps, yes?

If a user lookup matches in BOTH locations due to a misconfiguration, which one “wins”?

Reducing logging

I may have asked this before, but if so I can't find the thread.

I'd like to either reduce the amount that postfix logs or redirect certain events to a secondary log file (that I can put on a shorter rotation than the full mail log).

Is there any way to redirect, for example, postscreen events to a different log file, or the "warning: hostname does not resolve" messages?

Suggestion on Redirect parsing

The syntax for redirect treats

Redirect / http://www.example.com

as a request to redirect, for example, index.html as "http://www.example.com.index.html"

Since I can't think of any reason that this could possibly be desired, it seems the parser should understand that when only a FQDN is specified with a URL scheme, the final '/' is assumed.

This would still allow for http://www.example.com/new formats, etc., and would only apply to the specific format xxxx://FQDN

(Although I think even this syntax should assume a final / and that if the "append .

Setting up Apache 2.4 with Letsencrypt

I have dehydrated properly renewing certs from Let's Encrypt (which I am using successfully for mail authentication) and I am trying to get them working for Apache 2.4, but no luck so far.

I created aliases in /usr/local/etc/apache24/ pointing to the files in /usr/local/etc/dehydrated/certs/domain.tld/fullchain.pem and privkey.pem

in httpd.conf I have:

LoadModule ssl_module libexec/apache24/mod_ssl.so

Include etc/apache24/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

/etc/httpd/extra//httpd-ssl.conf:
Listen 443
SSLCipher

Berkeley DB and new install

I know that the Berkeley DB still works in postfix if compiled with that option, but is it the best choice for a new install of postfix?

I have only a couple of tables that use it, but since I am moving entirely to a new machine and new compiles, I don't want to drag along an "old" format if I don't need to.

What other options are there for a virtual table in the form of

... at localdomain dot tld ... at fred dot exampl.com

or the similar alias table

user: otheruser

(alias is used entirely on my system to redirect mail to the root account from names like admin, daemon, etc)

I mean, I could m

postfix upgrade-configuration

Looking at Postfix 3.3 and upgrade-configuration I get:

Note: the following files or directories still exist but are
no longer part of Postfix:

/usr/local/etc/postfix/access /usr/local/etc/postfix/aliases
/usr/local/etc/postfix/canonical /usr/local/etc/postfix/generic
/usr/local/etc/postfix/relocated /usr/local/etc/postfix/transport
/usr/local/etc/postfix/virtual

All well and good, but what has replaced them, especially virtual and alias which are a pretty basic part of my mail configuration for local users.

I looked around on postfix.org for 3.3 info and didn't stu

Watching the logs turn round and round

I don't have a question, but I thought I'd share that I've found this extremely useful recently for watching the logs:

tail -f /var/log/maillog | grep -v -E '(cleanup|dnsblog|postscreen|qmgr|anvil)'

It narrows the log down to the data that I'm most interested in (smtp, dovecot, amazes, etc).

Rejecting mail from a domain to specific user

Is it possible to reject a mail from a specific domain to a specific user?

Obviously, there are other ways to deal with this, but I have a case where I’d prefer to reject the mail before it is received but I do not want to block the domain for other users.

Copying IMAP messages instead of Forwarding?

Is there a method to use IMAP to move messages to another account on another server for which I have login credentials on delivery instead of simply forwarding? Or would this be a question for the Dovecot list?

I am trying to get around various spam checking and DKIM failures for a local user who uses gmail but whose address is on my server.

OT lightweight IMAP client

Figured someone on the list would have an opinion on a very lightweight feature-poor IMAP client. It doesn't need to do much else but access a single IMAP account and be able to forward emails as attachments. Search would be good, but not required. Searching for queueIDs in the Received header would be fantastic.

Primary considerations are fast and as light on memory use as possible and usable from a Mac (command-line is fine). I know mutt can do IMAP but I don't think it can forward messages as attachments though I am probably wrong. Windows 10 might be useful, but not required.

Forward to gmail and DMARC

I forward mail to a gmail user, but there are a lot of bounces from gmail. I don't honestly care about the ones that google says are spam, but recently I'm also getting DMARC failures on Facebook mails.

Again, not critical, but a bit annoying.

The only thing that I can think to do is disable the forwarding and tell the user to grab mail via POP3, but that means enabling POP3 which I'd rather not do. Gmail does not, AFAIK, allow you to combine your mail with another IMAP account.

Any other ideas?

apache 2.4 and php on Freebsd

Is anyone running Apache 2.4 and mod_php (either 5.6 or 7.0)?

Despite many times building out of ports or manually, I cannot get apache to launch successfully with php enabled. Is there something else I can do to get php working?

I can get apache to load with mod_php56, but loading php pages results in filter_var errors despite filter being definitely installed.

# php -m | grep filter
filter

postfwd

After installing the latest postfix I thought I’d look into postfwd.

1) is this the right place to ask about this package?

2) Is this package generally recommended or not?

3) It appears to me postfwd does largely what postscreen would already do. Is that correct or am I missing something?