Saturday, December 17, 2016

Match SASL username and From address in Zimbra SMTP

Zimbra uses Postfix as its MTA. Postfix's default configuration has a few weaknesses that we have to tighten to get good performance and to fight spam.

Firstly, Postfix has a trusted network [mynetworks] from which clients can send mail without verifying a username and password.

Later, even if we require SMTP authentication for sending mail, users can still send mail with a From address that is not their own [this usually happens when an account has been compromised]. A reference log is given below for better understanding: the smtpd line records the authenticated login (sasl_username=user) and the qmgr line for the same queue ID records the envelope sender that login was allowed to use (gks@example.com).


Dec 17 14:17:45 mail postfix/submission/smtpd[8055]: 62B2A7009F9: client=unknown[x.x.x.x], sasl_method=LOGIN, sasl_username=user
Dec 17 14:17:45 mail postfix/qmgr[29613]: 62B2A7009F9: from=<gks@example.com>, size=5705, nrcpt=3 (queue active)
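Before (or after) applying the restriction described below, it is worth finding out which logins have already been abused. The following Python script, added here as an example and not part of the original post, joins each submission smtpd line to the qmgr line with the same queue ID and reports sessions where the envelope sender does not belong to the SASL login. The log sample is constructed (only the first two lines mirror the entry above); it assumes the Postfix format Zimbra writes to /var/log/zimbra.log, and that a bare login such as "user" corresponds to the local part of the address, so aliases the LDAP map would allow show up as hits to review by hand.

```python
import re

# Constructed sample of /var/log/zimbra.log. The first two lines mirror the entry
# quoted in the post; the remaining sessions are made up.
SAMPLE_LOG = """\
Dec 17 14:17:45 mail postfix/submission/smtpd[8055]: 62B2A7009F9: client=unknown[x.x.x.x], sasl_method=LOGIN, sasl_username=user
Dec 17 14:17:45 mail postfix/qmgr[29613]: 62B2A7009F9: from=<gks@example.com>, size=5705, nrcpt=3 (queue active)
Dec 17 14:18:02 mail postfix/submission/smtpd[8055]: 7C1E37009FA: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Dec 17 14:18:02 mail postfix/qmgr[29613]: 7C1E37009FA: from=<alice@example.com>, size=1200, nrcpt=1 (queue active)
Dec 17 14:18:30 mail postfix/submission/smtpd[8056]: 8D2F47009FB: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob
Dec 17 14:18:30 mail postfix/qmgr[29613]: 8D2F47009FB: from=<ceo@example.com>, size=9000, nrcpt=250 (queue active)
Dec 17 14:19:00 mail postfix/smtpd[8060]: 9E3057009FC: client=mx.partner.test[203.0.113.5]
Dec 17 14:19:00 mail postfix/qmgr[29613]: 9E3057009FC: from=<news@partner.test>, size=400, nrcpt=1 (queue active)
"""

# Only authenticated sessions carry sasl_username=; plain port-25 smtpd lines do not match.
SMTPD_RE = re.compile(
    r"postfix/(?:submission/)?smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<client>[^,]+),.*?sasl_username=(?P<user>\S+)"
)
# qmgr logs the envelope sender (MAIL FROM) of the queued message.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>")


def sender_matches_login(login, sender):
    """True if the envelope sender is the identity the SASL login is allowed to use.
    A full login is compared with the whole address; a bare login (no '@', as Zimbra
    logged 'user' above) can only be compared with the local part."""
    login, sender = login.lower(), sender.lower()
    if "@" in login:
        return login == sender
    return sender.split("@", 1)[0] == login


def find_mismatches(log_text):
    """Correlate smtpd and qmgr lines by queue ID and return the spoofed sessions."""
    logins = {}   # queue id -> (client, sasl login), in order of appearance
    senders = {}  # queue id -> envelope sender
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            logins[m["qid"]] = (m["client"], m["user"])
            continue
        m = QMGR_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
    hits = []
    for qid, (client, user) in logins.items():
        sender = senders.get(qid)
        # No qmgr line (rejected/incomplete) or null sender (bounce): nothing to compare.
        if not sender or sender_matches_login(user, sender):
            continue
        hits.append({"qid": qid, "client": client, "login": user, "sender": sender})
    return hits


if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOG):
        print("%(qid)s: login %(login)s from %(client)s sent as <%(sender)s>" % hit)
```

Run it over a real log with `python3 script.py < /dev/null` adapted to read the file, or feed `find_mismatches(open("/var/log/zimbra.log").read())`; a login that appears repeatedly with many different senders, or with a large nrcpt as in the constructed "bob" session, is the account to lock first.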


So we still have a hole in our mail server. To be stricter, we can require that the envelope sender of an authenticated session matches the username used for SMTP authentication. Let's see how to do that.


Login to Zimbra shell:
su zimbra

Run below command:
zmprov mcf zimbraMtaSmtpdSenderLoginMaps  proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch

Edit the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf  as below:
permit_mynetworks, reject_sender_login_mismatch

Restart Zimbra services [not actually required, because zmconfigd applies the change automatically after about a minute]:
zmcontrol restart

Now if one of your accounts is compromised, it cannot be used to send spam with a different sender address, and the rejections logged for that login point you straight at the compromised ID.

Two things to keep in mind. These restrictions compare the login with the envelope sender (the MAIL FROM, which is what qmgr logs as from=), not with the From: header the recipient sees, so the header can still be spoofed as long as the envelope sender matches. And because permit_mynetworks comes first in smtpd_sender_restrictions.cf, clients in mynetworks are never checked, so keep zimbraMtaMyNetworks limited to the mail server itself and hosts you really trust. Note also that reject_sender_login_mismatch is stricter than the reject_authenticated_sender_login_mismatch set with zmprov above: it additionally rejects unauthenticated clients whose sender address belongs to one of your logins, which stops outsiders forging your users' addresses to your own server but can also affect legitimately forwarded mail.

Wednesday, September 7, 2016

Apache module "mod_rewrite" enable in cPanel

cPanel is a widely used control panel for web and domain hosting. Providers use cPanel & WHM to offer shared, virtual private and dedicated servers for hosting. Web developers worldwide use URL rewriting on their sites; on cPanel hosts it is provided by the Apache mod_rewrite module (it is not part of PHP), which PHP front-controller applications rely on for clean URLs.

Last time I faced an issue with the "mod_rewrite" module of PHP on my shared cPanel hosting server. Later the solution came with the following modification.


I added the following lines to a .htaccess file and uploaded it to the public_html folder of the cPanel user I had created.

<IfModule mod_rewrite.c>
# Serve index.php for requests that name a directory
DirectoryIndex index.php
RewriteEngine on

# Leave the front controller, static assets, robots.txt and favicon alone...
RewriteCond $1 !^(index\.php|assets|robots\.txt|favicon\.ico)
# ...and any path that is a real file or directory on disk
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Everything else is routed to index.php as PATH_INFO; QSA keeps the query string
RewriteRule ^(.*)$ ./index.php/$1 [L,QSA]
</IfModule>

Because the !-f and !-d conditions let Apache serve any real file directly, keep configuration files, backups and anything else that should not be downloadable outside public_html (or deny them explicitly): the rewrite only affects paths that do not exist on disk.

Tuesday, August 2, 2016

Zimbra Troubleshooting: A network service error has occurred

Sometimes we face a problem with the Zimbra webmail interface: when a user tries to log in it shows "A network service error has occurred". Though it is a temporary problem, users become confused and start to lose confidence in their email service.

By default Zimbra uses Jetty's DoSFilter throttling mechanism to protect mailboxd from a large number of requests over a short period of time. So if the Zimbra server sees more requests than the allowed rate from a specific IP address, that address is throttled and its users may see the error above. The usual trigger is many users sharing one source address, such as an office behind a NAT gateway or a reverse proxy in front of Zimbra.
The attribute that holds the exempt addresses is "zimbraHttpThrottleSafeIPs". It has no default value; however, the following addresses are whitelisted by default:

1) 127.0.0.1
2) ::1
3) 0:0:0:0:0:0:0:1
4) All mailboxd servers

To add more IP addresses to the whitelist, do the following. An address on this list is never throttled, so add only your own proxies or NAT gateways, never whole client ranges.

Login to Shell >> su zimbra >> zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.2.1 >> zmmailboxdctl restart




Monday, August 1, 2016

Zimbra Tips and Tricks

Zimbra has become a very popular email server solution nowadays. It has some amazing features that an administrator cannot ignore.

When a mail server works in a production environment it needs some tuning to serve its clients flawlessly. Here are some useful commands. The commands below are fully functional with Zimbra 8.6.



To check mail queue:
Option 1:
Login to Web Administration >> Monitor >> Mail Queue

Option 2:
Login to Shell >> su zimbra >> mailq


Remove all mails from the mail queue (this discards them permanently, so check the queue first):
Login to Shell >> /opt/zimbra/postfix/sbin/postsuper -d ALL


Empty a user's Inbox (the command removes every message in the named folder; run it again with /Sent, /Trash, etc. to clear other folders):
Login to Shell >> su zimbra >> zmmailbox -z -m user@yourdomain.com emptyFolder /Inbox


Set external relay MTA(Entire emails):
Login to Shell >> su zimbra >>zmprov ms mail.yourdomain.com zimbraMtaRelayHost mail.external.com:25 >> zmcontrol restart


Remove external relay MTA (unset it at the same scope where it was set; the command above set it on the server, so use ms rather than mcf, otherwise the server-level value stays in effect):
Login to Shell >> su zimbra >> zmprov ms mail.yourdomain.com zimbraMtaRelayHost "" >> zmcontrol restart





Tuesday, June 21, 2016

Zimbra Open Source Edition Logo Change

Zimbra is becoming very popular these days. Usually we use Zimbra Open Source Edition for single-server deployments. Most administrators want to put their company logo on the webmail interface. Today I will show how to set the logo in Zimbra webmail.

Basically Zimbra has various themes for webmail. Here I will describe the default theme only. The logo sizes are:

300x48 pixels (login page banner)
200x28 pixels (application banner)


Step 1: Resize your Logo as above mentioned size and save them in PNG format.

Step 2: Upload your Logos at Zimbra Server using WINSCP / any other software.

Step 3: Rename the Logos as below.

LoginBanner_white.png
AppBanner_white.png

Step 4:
>> Go to the /opt/zimbra/jetty/webapps/zimbra/skins/_base/logos directory (/opt/zimbra/jetty is a symlink to the versioned directory, /opt/zimbra/jetty-distribution-9.1.5.v20140505 at the time of writing, so the path depends on your Zimbra version).
>> Copy existing Logos to a safer place or rename them for backup.
>> Copy your uploaded Logos in this directory.

Step 5: Change the ownership of those Logo images by below command.

#chown zimbra:zimbra LoginBanner_white.png
#chown zimbra:zimbra AppBanner_white.png

All done. Now refresh your webmail page and log in with a user; you will see the difference. Keep a copy of your logo files outside /opt/zimbra, because a Zimbra upgrade may replace the skins directory and the logos will then have to be copied back.



Sunday, June 19, 2016

Zimbra Distribution-list Restriction

Generally we use distribution lists for our regular email communication. Management may circulate a message to all staff, which we can fulfil by configuring a distribution list in the mail server. But the problem is that when a user replies to all on a mail received via the distribution list, the reply is delivered to every member of that list, which is not expected.

To stop users sending emails to a distribution list, or to restrict it to specific people, we configure the restriction as below. Step 1 is required: the sender restriction is enforced by the milter at SMTP time, so without it the setting has no effect.

Step 1: Enable Milter Server from Zimbra Administration Console.
Path: Zimbra Admin Console >> Configure >> Global Settings >> MTA
Step 2: Set an owner for the distribution list you want to restrict.
Path: Zimbra Admin >> Manage >> Distribution List >> Select Distribution List >> Owner
Step 3: Log in to the owner's webmail and set the restriction as required.
Path: Owner web console >> Contacts >> Distribution List >> Right click the targeted list and Click Edit distribution list >> Distribution list Properties.
Set your required restriction and save it.





Thursday, April 21, 2016

Zimbra Disclaimer Setup

Enable the use of disclaimers

su zimbra
zmprov mcf zimbraDomainMandatoryMailSignatureEnabled TRUE


The command above enables the mandatory-signature (disclaimer) feature on your Zimbra mail server.




Checking the status
zmprov gcf zimbraDomainMandatoryMailSignatureEnabled


Now add the HTML disclaimer message:
zmprov md example.com zimbraAmavisDomainDisclaimerHTML "Disclaimer message here"

Add the TEXT disclaimer message:
zmprov md example.com zimbraAmavisDomainDisclaimerText "Disclaimer message here"


Check the disclaimer message
zmprov gd example.com zimbraAmavisDomainDisclaimerText zimbraAmavisDomainDisclaimerHTML

exit

Now apply the disclaimer to the specific domain (run this again whenever you change the disclaimer text, so that the altermime files are regenerated):
cd /opt/zimbra/
su zimbra
./libexec/zmaltermimeconfig -e example.com

Now check the status using Webmail / Email client software.


Tuesday, April 12, 2016

Allow Services inside Cisco ASA

Sometimes we need to allow requests from the Internet to a host behind a Cisco ASA firewall that serves a specific service. Here is a scenario...

In short,
External Interface IP: 222.0.0.10
Internal Interface IP: 111.0.0.1
FTP Server: 111.0.0.2
Web Server: 111.0.0.3

The tasks are shown in the diagram (not reproduced here): publish FTP on 111.0.0.2 and HTTP and RDP on 111.0.0.3 to the Internet. Here is how to do that...

First assign IP addresses and name the interfaces accordingly. The outside interface gets security-level 0 and the inside a higher level, which is what lets inside hosts reach the Internet without any access list of their own.

interface GigabitEthernet0/0
 nameif WAN-Interface
 security-level 0
 ip address 222.0.0.10 255.255.255.252


interface GigabitEthernet0/1
 nameif LAN-Interface
 security-level 20
 ip address 111.0.0.1 255.255.255.240




Now create extended access lists permitting only the hosts and services you require (anything not permitted is dropped by the implicit deny at the end of the list).

access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.2 eq ftp
access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.3 eq http



You may find there is no recognised service name in your ASA for the port you want to permit. In that case create a service object-group naming the port. Check below.

object-group service RDP tcp
 port-object eq 3389


Now create an access list entry permitting that service. RDP exposed to "any" is a favourite brute-force target; if the administrators connect from known addresses, replace "any" with those hosts or networks.

access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.3 object-group RDP


So we have finished creating the access list. Now apply it in the direction of the traffic: inbound on the outside interface, where the connections from the Internet enter the firewall.

access-group PUBLIC-FW-IN in interface WAN-Interface

Do not also bind PUBLIC-FW-IN inbound on LAN-Interface. An interface ACL ends with an implicit deny, so on the inside it would allow LAN hosts to reach only the three server entries and block everything else they send, including their Internet access. Without an ACL, the ASA already permits traffic from the higher-security LAN-Interface to the lower-security WAN-Interface, and return traffic for those connections is handled by stateful inspection.



Now test each service from the Internet side. The FTP data channel relies on "inspect ftp" in the default global service-policy; if it was removed from your policy-map, add it back or passive FTP will fail. Good day..
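To see why the access-group must be applied only where the Internet traffic enters, here is a small Python model, added as an example and not part of the original post, of how the ASA evaluates an interface ACL: first match wins, an unmatched packet hits the implicit deny, and an interface with no ACL falls back to the security-level rule. The parser handles only the syntax used above (any/host addresses, eq ports, tcp service object-groups, access-group bindings); 203.0.113.9, 198.51.100.1 and 111.0.0.5 are made-up test addresses.

```python
import re

# Service names the ASA accepts in "eq <name>"; only the ones needed here.
PORT_NAMES = {"ftp": 21, "http": 80, "www": 80, "https": 443, "ssh": 22, "smtp": 25}

# Constructed configuration: the interface, object-group, access-list and
# access-group lines from the post (addresses are the post's example values).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif WAN-Interface
 security-level 0
 ip address 222.0.0.10 255.255.255.252
interface GigabitEthernet0/1
 nameif LAN-Interface
 security-level 20
 ip address 111.0.0.1 255.255.255.240
object-group service RDP tcp
 port-object eq 3389
access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.2 eq ftp
access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.3 eq http
access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.3 object-group RDP
access-group PUBLIC-FW-IN in interface WAN-Interface
"""

ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)"
    r"(?: eq (?P<port>\S+)| object-group (?P<grp>\S+))?$"
)
BIND_RE = re.compile(r"access-group (?P<acl>\S+) in interface (?P<iface>\S+)$")


def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_asa(text):
    """Reduced parser for the subset of ASA syntax above (assumes nameif precedes
    security-level inside each interface block, as it does in a saved config)."""
    cfg = {"levels": {}, "groups": {}, "acls": {}, "bindings": {}}
    iface = group = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface, group = None, None
        elif line.startswith("nameif "):
            iface = line.split()[1]
        elif line.startswith("security-level "):
            cfg["levels"][iface] = int(line.split()[1])
        elif line.startswith("object-group service "):
            group = line.split()[2]
            cfg["groups"][group] = set()
        elif line.startswith("port-object eq ") and group:
            cfg["groups"][group].add(port_number(line.split()[2]))
        else:
            m = ACE_RE.match(line)
            if m:
                ports = None  # None means any destination port
                if m["port"]:
                    ports = {port_number(m["port"])}
                elif m["grp"]:
                    ports = cfg["groups"][m["grp"]]
                cfg["acls"].setdefault(m["acl"], []).append(
                    {"action": m["action"], "proto": m["proto"],
                     "src": m["src"], "dst": m["dst"], "ports": ports})
                continue
            m = BIND_RE.match(line)
            if m:
                cfg["bindings"][m["iface"]] = m["acl"]
    return cfg


def addr_matches(spec, ip):
    return spec == "any" or spec.split()[1] == ip


def acl_decision(cfg, acl, src, dst, proto, dport):
    """First matching entry wins; every ASA access list ends in an implicit deny."""
    for ace in cfg["acls"].get(acl, []):
        if ace["proto"] not in (proto, "ip"):
            continue
        if not (addr_matches(ace["src"], src) and addr_matches(ace["dst"], dst)):
            continue
        if ace["ports"] is not None and dport not in ace["ports"]:
            continue
        return ace["action"]
    return "deny"


def ingress_decision(cfg, in_if, out_if, src, dst, proto, dport):
    """Decision for a new connection entering in_if and leaving through out_if."""
    acl = cfg["bindings"].get(in_if)
    if acl:
        return acl_decision(cfg, acl, src, dst, proto, dport)
    # No ACL on the ingress interface: the ASA permits only traffic going from a
    # higher security level to a lower one (same-level traffic is denied by default).
    return "permit" if cfg["levels"][in_if] > cfg["levels"][out_if] else "deny"


if __name__ == "__main__":
    cfg = parse_asa(ASA_CONFIG)
    print(ingress_decision(cfg, "WAN-Interface", "LAN-Interface", "203.0.113.9", "111.0.0.2", "tcp", 21))    # permit
    print(ingress_decision(cfg, "WAN-Interface", "LAN-Interface", "203.0.113.9", "111.0.0.3", "tcp", 3389))  # permit
    print(ingress_decision(cfg, "WAN-Interface", "LAN-Interface", "203.0.113.9", "111.0.0.3", "tcp", 22))    # deny
    print(ingress_decision(cfg, "LAN-Interface", "WAN-Interface", "111.0.0.5", "198.51.100.1", "tcp", 443))  # permit
    # Binding the same ACL inbound on the LAN side leaves inside hosts with nothing but
    # the three server entries and the implicit deny: their Internet access disappears.
    wrong = parse_asa(ASA_CONFIG + "access-group PUBLIC-FW-IN in interface LAN-Interface\n")
    print(ingress_decision(wrong, "LAN-Interface", "WAN-Interface", "111.0.0.5", "198.51.100.1", "tcp", 443))  # deny
```

The model ignores NAT, established-connection state and the `same-security-traffic` setting; it is only meant to make the two rules that matter here visible, namely the implicit deny and the security-level fallback.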


Monday, April 11, 2016

Zimbra Outgoing mail BCC (sender_bcc_maps)

Postfix's sender_bcc_maps delivers a hidden copy of every message sent by the listed senders to another mailbox. This copies users' outgoing mail without their knowledge, so make sure it is authorised before enabling it. Edit /opt/zimbra/postfix/conf/main.cf and add the following line (Zimbra's zmconfigd manages main.cf from LDAP, so check that the setting survives upgrades and restarts):

sender_bcc_maps = lmdb:/opt/zimbra/postfix/conf/sender_bcc

<save and exit>


Now list the senders to copy and the BCC recipient, one pair per line:
#vim /opt/zimbra/postfix/conf/sender_bcc

john@zimbra.com                 mumtaz@zimbra.com
faruk@zimbra.com                mumtaz@zimbra.com

<save and exit>

Change the ownership of newly created file.
#chown zimbra:zimbra /opt/zimbra/postfix/conf/sender_bcc


Build the lookup database so Postfix can use the file (as the zimbra user, so the .lmdb file gets the right owner).
#su zimbra

$postmap /opt/zimbra/postfix/conf/sender_bcc



Apply the changes:

$postfix reload

Now check and enjoy...

Thursday, March 10, 2016

Cisco Switchport Type: UNI, ENI & NNI

The Cisco Catalyst ME3400 is a switch usually used at the service provider edge. Although it is a Catalyst, many things are different compared to the regular Catalyst switches.


The ME3400 has three different port types:

UNI – User Network Interface. Port facing downstream (towards the customer). The port can't run STP, CDP or EtherChannel protocols like PAgP and LACP.



ENI – Enhanced Network Interface. ENIs have the same functionality as UNIs, but can be configured to support protocol control packets for Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), Link Layer Discovery Protocol (LLDP), and EtherChannel Link Aggregation Control Protocol (LACP) or Port Aggregation Protocol (PAgP).


NNI – Network Node Interface, sometimes also called network-to-network interface. This port faces upstream towards the core and supports STP, CDP and the EtherChannel protocols.



Note: The default state for a UNI or ENI is administratively down to prevent unauthorized users from gaining access to other ports as you configure the switch. Traffic is not switched between these ports, and all arriving traffic at UNIs or ENIs must leave on NNIs to prevent a user from gaining access to another user's private network. If it is appropriate for two or more UNIs or ENIs to exchange traffic within the switch, the UNIs and ENIs can be assigned to a community VLAN.

Tuesday, January 12, 2016

Directory copy from Primary Server to Secondary Server Automatically using rsync

[Network topology diagram not reproduced here]

Tasks:

** SSH from the Primary Server to the Secondary Server without a password
** Install rsync on both servers
** Automate syncing a directory to the Secondary Server



SSH Primary to Secondary Server without password

Log in to the Primary Server and check its IP address, then log in to the Secondary Server and check its IP address (the Secondary Server is 192.168.0.3 in the commands below).

From the Primary Server create the SSH key with "ssh-keygen". Do not set a passphrase, so the key can be used without a password. Be aware that an unprotected private key that logs in as root is as sensitive as the Secondary Server's root password: keep it readable by root only on the Primary Server, and prefer limiting what the key may do in authorized_keys (from= and command= options) over handing it an unrestricted root shell.



Create .ssh directory in Secondary Server with below command.

         # mkdir /root/.ssh/



Send the "id_rsa.pub" public key from Primary Server to Secondary Server

       # scp /root/.ssh/id_rsa.pub root@192.168.0.3:/root/.ssh



On the Secondary Server create a file named "authorized_keys" and append the content of "id_rsa.pub" to it (running "ssh-copy-id root@192.168.0.3" on the Primary Server does these steps in one go):

      # touch /root/.ssh/authorized_keys

      # cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys



Set permissions on the Secondary Server (sshd ignores the key file if it or the .ssh directory is writable by group or others; -R is pointless on a single file, and 600 is the conventional mode for authorized_keys):

      # chmod 700 /root/.ssh/

      # chmod 600 /root/.ssh/authorized_keys



Now try to login from Primary Server to Secondary server without password

     # ssh 192.168.0.3



Install rsync in both server

On both server run following command to install rsync

     # apt-get install rsync -y



Automate a directory to sync with Secondary server

Let say I want to copy “/home/” directory from Primary Server to Secondary server automatically every day at 1 AM.

Add the line below to the /etc/crontab file. Note that without --delete, files removed on the Primary Server stay on the Secondary; add --delete if you want an exact mirror.

00 1 * * *      root              rsync -avzhe ssh /home/ 192.168.0.3:/home/



Now restart the cron service (cron re-reads /etc/crontab by itself when the file changes, but a restart does no harm):
service cron restart
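The key installed above gives the Primary Server an unrestricted root shell on the Secondary, which is far more than the nightly rsync needs. The following Python script, added here as an example and not part of the original post, audits an authorized_keys file for keys that lack from= and command= restrictions and shows how to rewrite such an entry so the key can only run rsync inside one directory. It assumes OpenSSH's "restrict" option (OpenSSH 7.2 or later) and the rrsync helper script that ships with rsync (its install path varies by distribution); the sample authorized_keys and the key blobs in it are constructed placeholders.

```python
# Key types sshd accepts; an entry that starts with one of these has no options field.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
# Older spelling of what "restrict" switches off in one word (OpenSSH < 7.2).
NO_FORWARDING = ("no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty")

# Constructed authorized_keys for the Secondary Server; key blobs are placeholders,
# not real key material.
SAMPLE_AUTHORIZED_KEYS = """\
# /root/.ssh/authorized_keys on the Secondary Server (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL0000000000000000000 root@primary
restrict,from="192.168.0.2",command="rrsync /home/" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL1111111111111111111 backup@primary
command="/usr/local/bin/dump.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER legacy@ops
"""


def split_options(opts):
    """Turn 'restrict,from="a,b",command="x y"' into a dict; commas inside quotes are kept."""
    out, buf, in_quotes = {}, "", False
    for ch in opts + ",":
        if ch == '"':
            in_quotes = not in_quotes
            buf += ch
        elif ch == "," and not in_quotes:
            if buf:
                name, _, value = buf.partition("=")
                out[name.lower()] = value.strip('"') if value else True
            buf = ""
        else:
            buf += ch
    return out


def parse_entry(line):
    """Parse one authorized_keys line into options, key type, key blob and comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split()[0] in KEY_TYPES:
        opts, rest = "", line
    else:
        # The options field ends at the first space that is not inside double quotes.
        in_quotes, i = False, 0
        for i, ch in enumerate(line):
            if ch == '"':
                in_quotes = not in_quotes
            elif ch == " " and not in_quotes:
                break
        opts, rest = line[:i], line[i + 1:]
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys entry: %r" % line)
    return {"options": split_options(opts), "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) > 2 else ""}


def audit(text):
    """Return (line number, comment, problems) for keys that grant more than they should."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        opts = entry["options"]
        problems = []
        if "from" not in opts:
            problems.append("no from= source restriction")
        if "command" not in opts:
            problems.append("no command= (key gives a full interactive shell)")
        elif "restrict" not in opts and not all(o in opts for o in NO_FORWARDING):
            problems.append("command= without restrict or the no-* options")
        if problems:
            findings.append((lineno, entry["comment"], problems))
    return findings


def harden(line, from_pattern, command):
    """Rewrite an entry so the key can only run `command`, from hosts matching `from_pattern`."""
    entry = parse_entry(line)
    options = 'restrict,from="%s",command="%s"' % (from_pattern, command)
    return " ".join(p for p in (options, entry["type"], entry["key"], entry["comment"]) if p)


if __name__ == "__main__":
    for lineno, comment, problems in audit(SAMPLE_AUTHORIZED_KEYS):
        print("line %d (%s): %s" % (lineno, comment, "; ".join(problems)))
    print(harden(SAMPLE_AUTHORIZED_KEYS.splitlines()[1], "192.168.0.2", "rrsync /home/"))
```

With a `command="rrsync /home/"` entry on the Secondary, rrsync interprets the client's remote path relative to /home/, so the crontab line becomes `rsync -avzhe ssh /home/ 192.168.0.3:/`; the key can then no longer open a shell or touch anything outside that directory, and a compromise of the Primary Server no longer hands over root on the Secondary.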



Enjoy!