DevHeads.net

Postings by LuKreme

Setting up Apache 2.4 with Letsencrypt

I have dehydrated properly renewing certs from Let's Encrypt (which I am using successfully for mail authentication) and I am trying to get them working for Apache 2.4, but no luck so far.

I created aliases in /usr/local/etc/apache24/ pointing to the files in /usr/local/etc/dehydrated/certs/domain.tld/fullchain.pem and privkey.pem

in httpd.conf I have:

LoadModule ssl_module libexec/apache24/mod_ssl.so

Include etc/apache24/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

/etc/httpd/extra//httpd-ssl.conf:
Listen 443
SSLCipher

Berkeley DB and new install

I know that the Berkeley DB still works in postfix if compiled with that option, but is it the best choice for a new install of postfix?

I have only a couple of tables that use it, but since I am moving entirely to a new machine and new compiles, I don't want to drag along an "old" format if I don't need to.

What other options are there for a virtual table in the form of

... at localdomain dot tld ... at fred dot exampl.com

or the similar alias table

user: otheruser

(alias is used entirely on my system to redirect mail to the root account from names like admin, daemon, etc)

I mean, I could m

postfix upgrade-configuration

Looking at Postfix 3.3 and upgrade-configuration I get:

Note: the following files or directories still exist but are
no longer part of Postfix:

/usr/local/etc/postfix/access /usr/local/etc/postfix/aliases
/usr/local/etc/postfix/canonical /usr/local/etc/postfix/generic
/usr/local/etc/postfix/relocated /usr/local/etc/postfix/transport
/usr/local/etc/postfix/virtual

All well and good, but what has replaced them, especially virtual and alias which are a pretty basic part of my mail configuration for local users.

I looked around on postfix.org for 3.3 info and didn't stu

Watching the logs turn round and round

I don't have a question, but I thought I'd share that I've found this extremely useful recently for watching the logs:

tail -f /var/log/maillog | grep -v -E '(cleanup|dnsblog|postscreen|qmgr|anvil)'

It narrows the log down to the data that I'm most interested in (smtp, dovecot, amavis, etc).

Rejecting mail from a domain to specific user

Is it possible to reject a mail from a specific domain to a specific user?

Obviously, there are other ways to deal with this, but I have a case where I’d prefer to reject the mail before it is received but I do not want to block the domain for other users.

Copying IMAP messages instead of Forwarding?

Is there a method to use IMAP to move messages to another account on another server for which I have login credentials on delivery instead of simply forwarding? Or would this be a question for the Dovecot list?

I am trying to get around various spam checking and DKIM failures for a local user who uses gmail but whose address is on my server.

OT lightweight IMAP client

Figured someone on the list would have an opinion on a very lightweight feature-poor IMAP client. It doesn't need to do much else but access a single IMAP account and be able to forward emails as attachments. Search would be good, but not required. Searching for queueIDs in the Received header would be fantastic.

Primary considerations are fast and as light on memory use as possible and usable from a Mac (command-line is fine). I know mutt can do IMAP but I don't think it can forward messages as attachments though I am probably wrong. Windows 10 might be useful, but not required.

Forward to gmail and DMARC

I forward mail to a gmail user, but there are a lot of bounces from gmail. I don't honestly care about the ones that google says are spam, but recently I'm also getting DMARC failures on Facebook mails.

Again, not critical, but a bit annoying.

The only thing that I can think to do is disable the forwarding and tell the user to grab mail via POP3, but that means enabling POP3 which I'd rather not do. Gmail does not, AFAIK, allow you to combine your mail with another IMAP account.

Any other ideas?

apache 2.4 and php on Freebsd

Is anyone running Apache 2.4 and mod_php (either 5.6 or 7.0)?

Despite many times building out of ports or manually, I cannot get apache to launch successfully with php enabled. Is there something else I can do to get php working?

I can get apache to load with mod_php56, but loading php pages results in filter_var errors despite filter being definitely installed.

# php -m | grep filter
filter

postfwd

After installing the latest postfix I thought I’d look into postfwd.

1) is this the right place to ask about this package?

2) Is this package generally recommended or not?

3) It appears to me postfwd does largely what postscreen would already do. Is that correct or am I missing something?

Supported versions

I used to have a bookmark for a page that showed the currently supported versions of Postfix and (I think) when support ended for previous versions. I seem to have lost the bookmark and I can’t find the page on postfix.org which makes me think it isn’t there.

I can get the information by going to <http://www.postfix.org/announcements.html> and looking in specific announcements to see what (if any versions) were obsoleted.

Just as an example, I was trying to find when 2.6 support ended, and after going through the major releases I found it in the 2.10 release announcements.

BCC mapping

if !/backup.*@/
/^([^+_]*).*@(.*)/ backup+${1}.${2}@domain.tld
endif

I currently have the above in recipient_bcc

/etc/postfix/main.cf:

recipient_bcc_maps = pcre:$config_directory/recipient_bcc.pcre

And this works perfectly and stores a copy of all email (sent and received) in a backup account that is set to delete messages after 7 days. This allows me to recover messages which people have deleted or accidentally marked as spam.

However, I would like to exclude a specific domain from this backup including all mail TO and FROM the domain.

Autoresponder?

I have an email account that belonged to someone who died recently. Rather than simply shutdown the account and bounce all future emails, the family would like some sort of automated messages for at least a few months saying something like “<Name> died in November, 2016.

DNSBLOG and whitelisted domains

Only hosts with scores that exceed the postscreen_dnsbl_threshold get logged with their scores, and not IPs that reach the postscreen_dnsbl_whitelist_threshold, is that correct?

I certainly don’t see anything like a DNSBL rank for whitelisted domains. Am I missing it?

New machine

I’m going to setup a new machine and move all the mail onto it. I’ll go with the latest FreeBSD (11.0-RELEASE currently).

more core dumps on apache 2.4

So, I installed roundcube via portmaster, which installed (upgraded) the following:

Nov 24 12:02:08 mail pkg-static: icu-58.1,1 installed
Nov 24 12:03:00 mail pkg-static: pecl-intl-3.0.0_7 installed
Nov 24 12:03:11 mail pkg-static: php56-ldap-5.6.27 installed
Nov 24 12:03:17 mail pkg-static: roundcube-1.2.2,1 installed

At this point I realized that curl had been installed without openssl support, so I reconfigured it and reinstalled it.

Nov 24 12:18:11 mail pkg-static: curl-7.51.0_1 deinstalled
Nov 24 12:23:56 mail pkg-static: curl-7.51.0_1 installed

And here, apache core dump immediately

postscreen logging

I am wondering what the various possible types of events postscreen logs. I checked man postscreen(8) but it doesn’t seem to give them.

I know there are PASS NEW, PASS OLD, CONNECT, DISCONNECT, HANGUP, NOQUEUE, COMMAND, cache, and DNSBL. Any others I am missing?

Are these documented in some other man page?

(Currently I’m interested in the difference between HANGUP and DISCONNECT and NOQUEUE and why sometimes hosts that connect thousands of times with high RBL scores don’t necessarily get HANGUP.)

apache 2.4 core dump on launch, no error logging

When launching apache 2.4 I get a core dump. Nothing is logged to the http-error log. I’ve tried rebuilding it to no avail.

Full encryption

While I know this would result in lost mail, would it be possible with postfix to setup a mail server that:

1) Only accepts encrypted connections
2) Only sends encrypted emails
3) Keeps mail encrypted throughout, including only writing encrypted blobs.

and is there a way to setup an IMAP server to read that encrypted mail and, again, only serve/accept encrypted mail.

I assume there is some metadata that must be unencrypted (to and From_, I’d guess), can the rest of the metadata be encrypted (Data, received, any other headers).

Again, I know this is not practical for a normal mail server, b

A script for generating a user Daily Mail Report

No idea if this will be of interest to anyone, but my users are finding it useful so I’m sharing. I’m sure this is not especially efficient, but it’s running for only a handful of users who are super paranoid about their email.

Reject incoming mail to user+extension

I have a user that uses address extensions quite a lot. One extension she uses has become nothing but spam since her (cancelled) credit card shared the address with advertisers.

She would like to have mail to user+ ... at domain dot tld rejected while not affecting any mail to ... at domain dot tld or user+ ... at domain dot tld.

My initial idea was in sender_access.pcre add a line:

/^user\+visa89@domain\.tld$/ 550 No Such User

but when I tried that and sent a test message (to a test account) the message came right through.

Warning host name does not resolve

I get a few thousand messages like this every day:

mail postfix/smtpd[59689]: warning: hostname sa0877.azar-a.net does not resolve to address 91.219.236.126

And while I assume that these are all just spammers, it looks like the connection continues to get processed and (at least in the few I’ve checked) eventually gets rejected by an RBL check in postscreen.

This processing takes a while, and several connections are made, so is there anything I should consider doing to speed this rejection process up? Or should I just ignore this as “working as intended”?

Scoring TLDs

Is there a simple way that anyone uses to basically setup a map as a sort of fake RBL for postscreen scoring?

I’d like to score most of these new TLDs, for example, but I am not necessarily willing to simply blacklist them all (I am blacklisting .top because so far it’s been 100% spam) especially since going forward they will start generating ham sometime next decade.

Creating a log line?

Is it possible to tell postfix to log the from and to for a message after it has been accepted for delivery?

I get a log line that has the from and to in it for NOQUEUE messages, but I’d like the same sort of log line for messages that are being delivered.

Yes, I know the information is there if I search for the queue-id, but it would be helpful if I could get the from address included on the postfix/pipe logline for “status=sent”

If I can’t add this to that line, is there a way to generate a log line something like:

postfix/pipe QUEUEID to=< ... at local dot example.com>, orig-to=< ... at virtual dot

Thousands of login attempts

I have many thousands of these over the last seven days:

Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

They are all the exact same, including the UGF… portion.

Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from [185.103.253.246]:61153 to [65.121.55.45]:25
Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD [185.103.253.246]:61153
Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from unknown[185.103.253.246]
Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: SASL LOGIN a

Apache 2.4 and LetsEncrypt

After setting up Let's Encrypt on my server and running it I end up with the following files:

$ ls -nls
total 48
8 -rw------- 1 443 443 1854 Mar 4 23:38 cert-1457159890.csr
0 -rw------- 1 443 443 0 Mar 4 23:38 cert-1457159890.pem
8 -rw------- 1 443 443 1854 Mar 5 05:06 cert-1457179567.csr
0 -rw------- 1 443 443 0 Mar 5 05:06 cert-1457179567.pem
8 -rw------- 1 443 443 1854 Mar 12 04:35 cert-1457782552.csr
0 -rw------- 1 443 443 0 Mar 12 04:35 cert-1457782552.pem
8 -rw------- 1 443 443 3243 Mar 4 23:38 privkey-1457159890.pem
8 -rw------- 1 443 443 3243 Mar

OT yahoo

I’ve been trying to track down why users have stopped receiving any mail from yahoo users and after searching the logs and even going so far as to create a yahoo mail account and send mail to myself, I see no attempts by yahoo to connect to my server. It seems anything sent to my mail server simply disappears. Showing the gross incompetence of yahoo, there is no NDN generated, so the sender has no idea the mail has not been delivered.

I know this isn't a postfix problem since postfix is not ever getting anything, but I’m hoping someone on the list has some ideas?

Stripping sender's IP

Are there any consequences to stripping out the Received header that contains the sender’s IP address (and usually their LAN address as well)?

And is adding to header_checks.pcre:

/^Received: .*ESMTPSA.*/ IGNORE

Enough to strip it out, or does it need to be in mime_header_checks as well? (I’ve found conflicting information on this in google searching.)

Copy mail from specific email address to specific email address to other accounts

I have a ... at example dot com account that I want to bcc emails from remote ... at example dot net (and only remoteuser@example.net) to another account (... at example dot com)

Only emails that match the sender address would be copied or bcc'd or whatever to the localuser account.

I thought postfix would be simplest to do this in, but if it makes sense in dovecot, I can do it there.

If this is too much, then copying ALL emails from ... at example dot net would be acceptable.

Would it work to put something like this in header_checks.pcre:

/To:.* ... at example dot com && From:.* ... at example dot net/ REDIRECT