DevHeads.net

Postings by LuKreme

Reverse proxy

If I have a secondary web service running on www.example.com:8000 and I want to create a reverse proxy on port 8001, how do I prevent users from connecting to <IP>:8000 anyway?

DocumentRoot in ProxyPass?

Is it possible to do something along these lines in the apache.conf files?

DocumentRoot /usr/local/www/roundcube/
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000${DocumentRoot}$1

(that is, not have to repeat the information that is already in the configuration)

TLS not offered by host

When connecting to a server that does not offer TLS (or the right level) does postfix log (or can it) the level of security that was offered?

status=deferred (TLS is required, but was not offered by host

(I get very few of these (two servers in the last week), but I'd like to be able to tell the admin of the server what low-level security they are offering).

my smtp_tls* settings:
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt

and

tls_preempt_cipherlist = yes
tls_ssl_options = no_ticket, no_compression

Apache 2.4 and DirectoryIndex and htaccess

I have a working webroot, and it has an index.php file.

SASL LOGIN authentication failed

In these log lines, what is "UGFzc3dvcmQ6"?

May 12 07:52:07 mail submit-tls/smtpd[32670]: warning: vps1590651.vs.webtropia-customer.com[62.141.41.104]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 17:05:14 mail submit-tls/smtpd[87898]: warning: ma350.mars.fastwebserver.de[193.111.198.88]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 18:21:36 mail submit-tls/smtpd[65165]: warning: vps1590646.vs.webtropia-customer.com[62.141.41.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Root user's sent mail

The root user sends out some periodic mails to users. These mails get placed in /root/sent (an mbox file) instead of in /root/Maildir/.Sent/ (a Maildir directory).

It’s not a big deal, but it makes clearing the mails periodically slightly more difficult.

The mails are sent via a crontab entry much like this:
<command> | mutt -e 'set content_type=text/html' -s "DMR $($YDAY)" ... at kreme dot com -b ... at kreme dot com

main.cf:home_mailbox = Maildir/

But I suspect the issue here is mutt and not postfix?

rsyslogd and postfix

This might be of use to others out there.

inet_interfaces

I changed my inet_interfaces setting this morning, and stopped and started postfix (postfix stop; postfix start)

# postconf -n inet_interfaces
inet_interfaces = 127.0.0.1, 65.121.55.42

But when I am trying to send emails to a certain company, I am getting an SPF error (even though my entire netblock is in the SPF settings) that claims I am connecting from a different IP (an IP that is assigned to the same physical machine as postfix) than specified in inet_interfaces.

status=bounced (host mail.synology.com[59.124.61.242] said: 550 5.7.1 < ... at synology dot com>: Recipient address rejected: Me

Read Only account

How would I configure a user so that they could only read mail and not send any mail (even to local users).

Not receiving messages from mail servers

I finally managed to isolate this. I have not been receiving mails from some mail servers and there's very little being logged. I obviously set some configuration that mucked things up.

TLS 1.3

Now that TLS 1.3 has been approved, what is the status of using it with Apache? Last I heard apache 2.4 couldn't build against openssl 1.1, but that was a year ago.

Which user lookup wins?

When postfix checks for a local user it looks at any local user (like /home/fred), I assume by checking /etc/passwd or similar (I have local users who can receive mail who are not mentioned in any /etc/postfix/* file, so postfix knows about them from somewhere outside of postfix’s config file) and then it also checks for virtual_mailbox_domains and virtual_alias_maps, yes?

If a user lookup matches in BOTH locations due to a misconfiguration, which one “wins”?

Reducing logging

I may have asked this before, but if so I can't find the thread.

I'd like to either reduce the amount that postfix logs or redirect certain events to a secondary log file (that I can put on a shorter rotation than the full mail log).

Is there any way to redirect, for example, postscreen events to a different log file or the warning hostname does not resolve messages?

Suggestion on Redirect parsing

The syntax for redirect treats

Redirect / http://www.example.com

as a request to redirect, for example, index.html as "http://www.example.com.index.html"

Since I can't think of any reason that this could possibly be desired, it seems the parser should understand that when only a FQDN is specified with a URL scheme, the final '/' is assumed.

This would still allow for http://www.example.com/new formats, etc, and would only apply to the specific format xxxx://FQDN

(Although I think even this syntax should assume a final / and that if the "append .

Setting up Apache 2.4 with Letsencrypt

I have dehydrated properly renewing certs from Let's Encrypt (which I am using successfully for mail authentication) and I am trying to get them working for Apache 2.4, but no luck so far.

I created aliases in /usr/local/etc/apache24/ pointing to the files in /usr/local/etc/dehydrated/certs/domain.tld/fullchain.pem and privkey.pem

in httpd.conf I have:

LoadModule ssl_module libexec/apache24/mod_ssl.so

Include etc/apache24/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

/etc/httpd/extra//httpd-ssl.conf:
Listen 443
SSLCipher

Berkeley DB and new install

I know that the Berkeley DB still works in postfix if compiled with that option, but is it the best choice for a new install of postfix?

I have only a couple of tables that use it, but since I am moving entirely to a new machine and new compiles, I don't want to drag along an "old" format if I don't need to.

What other options are there for a virtual table in the form of

... at localdomain dot tld ... at fred dot exampl.com

or the similar alias table

user: otheruser

(alias is used entirely on my system to redirect mail to the root account from names like admin, daemon, etc)

I mean, I could m

postfix upgrade-configuration

Looking at Postfix 3.3 and upgrade-configuration I get:

Note: the following files or directories still exist but are
no longer part of Postfix:

/usr/local/etc/postfix/access /usr/local/etc/postfix/aliases
/usr/local/etc/postfix/canonical /usr/local/etc/postfix/generic
/usr/local/etc/postfix/relocated /usr/local/etc/postfix/transport
/usr/local/etc/postfix/virtual

All well and good, but what has replaced them, especially virtual and alias which are a pretty basic part of my mail configuration for local users.

I looked around on postfix.org for 3.3 info and didn't stu

Watching the logs turn round and round

I don't have a question, but I thought I'd share that I've found this extremely useful recently for watching the logs:

tail -f /var/log/maillog | grep -v -E '(cleanup|dnsblog|postscreen|qmgr|anvil)'

It narrows the log down to the data that I'm most interested in (smtp, dovecot, amazes, etc).

Rejecting mail from a domain to specific user

Is it possible to reject a mail from a specific domain to a specific user?

Obviously, there are other ways to deal with this, but I have a case where I’d prefer to reject the mail before it is received but I do not want to block the domain for other users.

Copying IMAP messages instead of Forwarding?

Is there a method to use IMAP to move messages to another account on another server for which I have login credentials on delivery instead of simply forwarding? Or would this be a question for the Dovecot list?

I am trying to get around various spam checking and DKIM failures for a local user who uses gmail but whose address is on my server.

OT lightweight IMAP client

Figured someone on the list would have an opinion on a very lightweight feature-poor IMAP client. It doesn't need to do much else but access a single IMAP account and be able to forward emails as attachments. Search would be good, but not required. Searching for queueIDs in the Received header would be fantastic.

Primary considerations are fast and as light on memory use as possible and usable from a Mac (command-line is fine). I know mutt can do IMAP but I don't think it can forward messages as attachments though I am probably wrong. Windows 10 might be useful, but not required.

Forward to gmail and DMARC

I forward mail to a gmail user, but there are a lot of bounces from gmail. I don't honestly care about the ones that google says are spam, but recently I'm also getting DMARC failures on Facebook mails.

Again, not critical, but a bit annoying.

The only thing that I can think to do is disable the forwarding and tell the user to grab mail via POP3, but that means enabling POP3 which I'd rather not do. Gmail does not, AFAIK, allow you to combine your mail with another IMAP account.

Any other ideas?

apache 2.4 and php on Freebsd

Is anyone running Apache 2.4 and mod_php (either 5.6 or 7.0)?

Despite many times building out of ports or manually, I cannot get apache to launch successfully with php enabled. Is there something else I can do to get php working?

I can get apache to load with mod_php56, but loading php pages results in filter_var errors despite filter being definitely installed.

# php -m | grep filter
filter

postfwd

After installing the latest postfix I thought I’d look into postfwd.

1) is this the right place to ask about this package?

2) Is this package generally recommended or not?

3) It appears to me postfwd does largely what postscreen would already do. Is that correct or am I missing something?

Supported versions

I used to have a bookmark for a page that showed the currently supported versions of Postfix and (I think) when support ended for previous versions. I seem to have lost the bookmark and I can’t find the page on postfix.org which makes me think it isn’t there.

I can get the information by going to <http://www.postfix.org/announcements.html> and looking in specific announcements to see what (if any versions) were obsoleted.

Just as an example, I was trying to find when 2.6 support ended, and after going through the major releases I found it in the 2.10 release announcements.

BCC mapping

if !/backup.*@/
/^([^+_]*).*@(.*)/ backup+${1}.${2}@domain.tld
endif

I currently have the above in recipient_bcc

/etc/postfix/main.cf:

recipient_bcc_maps = pcre:$config_directory/recipient_bcc.pcre

And this works perfectly and stores a copy of all email (sent and received) in a backup account that is set to delete messages after 7 days. This allows me to recover messages which people have deleted or accidentally marked as spam.

However, I would like to exclude a specific domain from this backup including all mail TO and FROM the domain.

Autoresponder?

I have an email account that belonged to someone who died recently. Rather than simply shutdown the account and bounce all future emails, the family would like some sort of automated messages for at least a few months saying something like “<Name> died in November, 2016.

DNSBLOG and whitelisted domains

Only hosts with scores that exceed the postscreen_dnsbl_threshold get logged with their scores, and not IPs that reach the postscreen_dnsbl_whitelist_threshold, is that correct?

I certainly don’t see anything like a DNSBL rank for whitelisted domains. Am I missing it?

New machine

I’m going to setup a new machine and move all the mail onto it. I’ll go with the latest FreeBSD (11.0-RELEASE currently).

more core dumps on apache 2.4

So, I installed roundcube via portmaster, which installed (upgraded) the following:

Nov 24 12:02:08 mail pkg-static: icu-58.1,1 installed
Nov 24 12:03:00 mail pkg-static: pecl-intl-3.0.0_7 installed
Nov 24 12:03:11 mail pkg-static: php56-ldap-5.6.27 installed
Nov 24 12:03:17 mail pkg-static: roundcube-1.2.2,1 installed

At this point I realized that curl had been installed without openssl support, so I reconfigured it and reinstalled it.

Nov 24 12:18:11 mail pkg-static: curl-7.51.0_1 deinstalled
Nov 24 12:23:56 mail pkg-static: curl-7.51.0_1 installed

And here, apache core dump immediately