
Tuesday, January 17, 2017

Qmail Commands

Though I am not a qmail expert, I would like to share some commands that I know for the qmail MTA.

To check mail queue:
/var/qmail/bin/qmail-qstat




To flush mail queue:
qmailctl doqueue




To check SMTP log(running):
tail -f /var/log/qmail/qmail-smtpd/current


@40000000587db4390923aefc tcpserver: pid 14016 from 122.144.8.44
@40000000587db4390937db0c tcpserver: ok 14016 smtp.abc.com:122.144.8.83:25 mail.xyz.com:12.44.08.44::29044
@40000000587db4391081076c tcpserver: end 14016 status 0


14016 is the PID of the tcpserver child that handled this one SMTP connection: the "from" line is the connect, the "ok" line lists the local host:IP:port followed by the remote host:IP::port, and "end ... status 0" is the child's exit. The @4000... prefix on every line is a TAI64N timestamp; pipe the log through tai64nlocal to make it readable.



To check mail delivery log (running):

tail -f /var/log/qmail/qmail-send/current


@40000000587db5611218ba84 starting delivery 8216: msg 8657324 to remote shidfin@yahoo.com
@40000000587db5722cf0c0cc delivery 8216: success: 66.196.118.33_accepted_message./Remote_host_said:_250_ok_dirdel/


8216 is not a process ID: it is qmail-send's delivery number, which ties the "starting delivery" line to its result line, and 8657324 is the queue message number (the inode of the message file under /var/qmail/queue). The text after success/deferral/failure is qmail-remote's report with spaces written as underscores; "250 ok" is what the remote server answered.
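Reading these lines by hand gets tedious once the queue is busy. Below is an added example (not part of the original post and not a qmail tool) that parses qmail-send log lines like the two above: it decodes the TAI64N timestamps, pairs each "starting delivery" line with its result by delivery number, computes how long the remote host took, and counts outcomes. The sample log is constructed (the 8216 pair mirrors the lines above; 8217 is invented), and the leap-second offset of 37 s is an assumption that is valid for 2017; tai64nlocal takes it from its leap-second table instead.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the qmail-send log format. Delivery 8216 mirrors the two lines
# shown above; delivery 8217 is invented so that the parser also sees a deferral.
SAMPLE_LOG = """\
@40000000587db5611218ba84 starting delivery 8216: msg 8657324 to remote shidfin@yahoo.com
@40000000587db5650c1a2b3c starting delivery 8217: msg 8657330 to remote bob@example.net
@40000000587db5722cf0c0cc delivery 8216: success: 66.196.118.33_accepted_message./Remote_host_said:_250_ok_dirdel/
@40000000587db5731a2b3c4d delivery 8217: deferral: Connected_to_192.0.2.10_but_connection_died._(#4.4.2)/
"""

TAI64_BASE = 0x4000000000000000  # TAI64 labels are 2^62 + seconds since 1970 (TAI)
TAI_MINUS_UTC = 37               # assumption: leap-second offset for 2017; tai64nlocal reads a table

START_RE = re.compile(
    r"^@([0-9a-f]{24}) starting delivery (\d+): msg (\d+) to (remote|local) (\S+)$")
RESULT_RE = re.compile(
    r"^@([0-9a-f]{24}) delivery (\d+): (success|deferral|failure): (.*)$")


def tai64n_to_utc(label):
    """Decode a 24-hex-digit TAI64N label (without the leading '@') to an aware UTC datetime."""
    seconds = int(label[:16], 16) - TAI64_BASE - TAI_MINUS_UTC
    nanos = int(label[16:24], 16)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=nanos // 1000)


def parse_qmail_send(lines):
    """Pair 'starting delivery N' lines with their 'delivery N: <status>' result.

    Returns (completed, pending): completed is a list of dicts, one per finished attempt;
    pending maps delivery numbers that have no result yet to their start records.
    """
    pending = {}
    completed = []
    for line in lines:
        m = START_RE.match(line.strip())
        if m:
            ts, num, msg, kind, rcpt = m.groups()
            pending[int(num)] = {"delivery": int(num), "msg": int(msg), "kind": kind,
                                 "recipient": rcpt, "started": tai64n_to_utc(ts)}
            continue
        m = RESULT_RE.match(line.strip())
        if m:
            ts, num, status, detail = m.groups()
            rec = pending.pop(int(num), {"delivery": int(num)})
            rec["status"] = status
            # qmail-remote writes spaces as underscores and ends the report with '/'
            rec["detail"] = detail.rstrip("/").replace("_", " ")
            rec["finished"] = tai64n_to_utc(ts)
            if "started" in rec:
                rec["seconds"] = (rec["finished"] - rec["started"]).total_seconds()
            completed.append(rec)
    return completed, pending


def summarize(completed):
    """Count finished attempts per status; a burst of deferrals usually means one remote is down."""
    counts = {}
    for rec in completed:
        counts[rec["status"]] = counts.get(rec["status"], 0) + 1
    return counts


if __name__ == "__main__":
    done, in_flight = parse_qmail_send(SAMPLE_LOG.splitlines())
    for rec in done:
        print(f"{rec['started']:%Y-%m-%d %H:%M:%S} delivery {rec['delivery']} msg {rec['msg']} "
              f"-> {rec['recipient']}: {rec['status']} after {rec['seconds']:.1f}s ({rec['detail']})")
    print("summary:", summarize(done), "still in flight:", sorted(in_flight))
```

To use it on a real server, pass the open log file instead of SAMPLE_LOG.splitlines(); rotated logs sit next to "current" in the same directory under TAI64N-named files and parse the same way.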



To set smtproutes (relay host):

vim /var/qmail/control/smtproutes

:mx.outgoingserver.com                 [catch-all: every domain without a more specific route]
domain1.com:mx1.outgoingserver.com     [for a specific domain]
domain2.com:mx2.outgoingserver.com     [for a specific domain]

One route per line, with no spaces around the colon. qmail-remote reads this file at each delivery, so the change takes effect without a restart. Keep in mind that stock qmail-remote neither authenticates to the relay nor uses TLS, so the relay host must be one that already trusts your server's IP address.




To restart qmail service:
qmailctl restart

Saturday, December 17, 2016

Match SASL username and From address in Zimbra SMTP

Zimbra uses Postfix as its MTA. Postfix's default configuration has some weaknesses that we have to tune to get good performance and to fight spam.

Firstly, Postfix has a trusted network [mynetworks] from which clients can send mail without verifying a username and password.

Later on, even if we impose SMTP authentication for sending mail, users can still send mail with any sender address they like by changing their From address [this usually happens when a user account is compromised]. A reference log is given below for better understanding: the account "user" authenticated, but the message went out with the sender gks@example.com.


Dec 17 14:17:45 mail postfix/submission/smtpd[8055]: 62B2A7009F9: client=unknown[x.x.x.x], sasl_method=LOGIN, sasl_username=user
Dec 17 14:17:45 mail postfix/qmgr[29613]: 62B2A7009F9: from=<gks@example.com>, size=5705, nrcpt=3 (queue active)


So our mail server still has a hole: an authenticated account can use an arbitrary sender address. To be stricter, we can require the sender address to match the username used for SMTP authentication. Let's see how to do that.


Login to Zimbra shell:
su zimbra

Run below command:
zmprov mcf zimbraMtaSmtpdSenderLoginMaps  proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch

Edit the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf  as below:
permit_mynetworks, reject_sender_login_mismatch

Restart the Zimbra service [not actually required, because Zimbra applies this automatically after about one minute]:
zmcontrol restart

Now if one of your accounts is compromised, it is not possible to send spam using a different sender address, and the rejections in the log carry the sasl_username, which helps you find the compromised ID easily.

Two caveats: the check compares the envelope sender (MAIL FROM, the from=<...> in the qmgr line) against the login, not the From: header that recipients see; and reject_sender_login_mismatch also applies to unauthenticated clients, so mail arriving on port 25 whose envelope sender is one of your own users (for example mail forwarded from another provider) is rejected as well. If that breaks something for you, use reject_authenticated_sender_login_mismatch alone.
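Before enforcing the restriction, or to hunt for the compromised account afterwards, the same mismatch can be detected from the log. The following is an added example, not part of the original post and not a Zimbra tool: it correlates the smtpd and qmgr lines by queue ID, as in the log above, and reports authenticated sessions whose envelope sender is not the login's own address. The sample log lines, the client addresses and the default domain example.com are constructed; the matching rule assumes each login owns exactly its own mailbox address, which is what the default ldap-slm.cf map provides.

```python
import re
from collections import defaultdict

# Constructed sample in the Zimbra/Postfix log format shown above. The first pair mirrors
# the page's lines (client address invented); the others are invented: one authenticated
# session with a matching sender and one unauthenticated inbound delivery on port 25.
SAMPLE_LOG = """\
Dec 17 14:17:45 mail postfix/submission/smtpd[8055]: 62B2A7009F9: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user
Dec 17 14:17:45 mail postfix/qmgr[29613]: 62B2A7009F9: from=<gks@example.com>, size=5705, nrcpt=3 (queue active)
Dec 17 14:18:02 mail postfix/submission/smtpd[8055]: 7C1D37009FA: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user@example.com
Dec 17 14:18:02 mail postfix/qmgr[29613]: 7C1D37009FA: from=<user@example.com>, size=1402, nrcpt=1 (queue active)
Dec 17 14:19:10 mail postfix/smtpd[8102]: 9A0117009FB: client=mx.other.example[198.51.100.9]
Dec 17 14:19:10 mail postfix/qmgr[29613]: 9A0117009FB: from=<someone@other.example>, size=9001, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(
    r"postfix/(?:submission/)?smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^\s,]+)"
    r"(?:, sasl_method=[^\s,]+, sasl_username=(?P<login>[^\s,]+))?")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def login_matches_sender(login, sender, default_domain):
    """The rule reject_authenticated_sender_login_mismatch applies: the login must own the sender.

    Postfix looks the envelope sender up in smtpd_sender_login_maps and compares the owner with
    the SASL login. Assumption here: each login owns exactly its own address, with the default
    domain appended when the client authenticated with a bare username.
    """
    owner = login.lower() if "@" in login else f"{login.lower()}@{default_domain}"
    return owner == sender.lower()


def find_mismatches(lines, default_domain):
    """Join smtpd and qmgr lines on the queue ID; report authenticated sessions with a foreign sender."""
    sessions = {}
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            sessions[m.group("qid")] = {"client": m.group("client"), "login": m.group("login")}
            continue
        m = FROM_RE.search(line)
        if m and m.group("qid") in sessions:
            sessions[m.group("qid")]["sender"] = m.group("sender")
    report = []
    for qid, s in sessions.items():
        if s["login"] is None or "sender" not in s:
            continue  # unauthenticated inbound mail, or no qmgr line seen (rejected before queueing)
        if not login_matches_sender(s["login"], s["sender"], default_domain):
            report.append({"queue_id": qid, "login": s["login"], "sender": s["sender"],
                           "client": s["client"]})
    return report


def suspects_by_login(report):
    """One login sending as many different addresses is the usual signature of a compromised account."""
    by_login = defaultdict(set)
    for r in report:
        by_login[r["login"]].add(r["sender"])
    return dict(by_login)


if __name__ == "__main__":
    hits = find_mismatches(SAMPLE_LOG.splitlines(), "example.com")
    for h in hits:
        print(f"{h['queue_id']}: login {h['login']} from {h['client']} sent as {h['sender']}")
    print("suspect logins:", suspects_by_login(hits))
```

On a Zimbra server the Postfix lines live in /var/log/zimbra.log; feed that file to find_mismatches with your own domain, and treat a login that shows up with several different senders as compromised until proven otherwise.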

Wednesday, September 7, 2016

Enable the Apache "mod_rewrite" module in cPanel

cPanel is a widely used control panel for web and domain hosting. Providers use cPanel & WHM to offer shared, virtual private and dedicated servers for hosting. Web developers worldwide use URL rewriting for their web sites.

Last time I faced an issue with the "mod_rewrite" module (an Apache module, not a PHP one) on my shared cPanel hosting server. The solution came with the following modification.


I added the following lines to a .htaccess file and uploaded it to the public_html folder of the cPanel user.

<IfModule mod_rewrite.c>
DirectoryIndex index.php
RewriteEngine on

# Leave the front controller, static assets, robots.txt and the favicon alone
RewriteCond $1 !^(index\.php|assets|robots\.txt|favicon\.ico)
# Only rewrite requests that do not map to a real file or directory
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Everything else becomes index.php/<original path>, keeping the query string
RewriteRule ^(.*)$ ./index.php/$1 [L,QSA]
</IfModule>

Note that <IfModule> silently skips the whole block when mod_rewrite is not loaded, so if the rules appear to have no effect, confirm the module is enabled in cPanel / WHM before debugging the rules themselves.





Tuesday, August 2, 2016

Zimbra Troubleshooting: A network service error has occurred

Sometimes we face a problem with the Zimbra webmail interface: when a user tries to log in to webmail it shows "A network service error has occurred". Although it is a temporary problem, users become confused and start to distrust their email service.

By default Zimbra uses the DoSFilter throttling mechanism to block a large number of requests over a short period of time. So if the Zimbra server sees more requests than the safe amount from a specific IP address, that address is throttled and its users may face the mentioned error. This typically hits users behind a shared NAT or proxy address, since all of them appear to mailboxd as one client.




The attribute by which we add safe IP addresses in Zimbra is "zimbraHttpThrottleSafeIPs". It has no default value; however, the following addresses are whitelisted by default.

1) 127.0.0.1
2) ::1
3) 0:0:0:0:0:0:0:1
4) All mailboxd servers

To add more IP addresses to the whitelist, do the following.

Login to Shell >> su zimbra >> zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.2.1 >> zmmailboxdctl restart

Whitelisting disables the throttle completely for that address, so add only the specific NAT gateway or proxy addresses that legitimately aggregate many users, not whole ranges, and check the mailboxd logs under /opt/zimbra/log first to confirm the throttle is really what the affected users are hitting.




Monday, August 1, 2016

Zimbra Tips and Tricks

Zimbra has become a very popular email server solution nowadays. It has some amazing features that an administrator cannot ignore.

When a mail server works in a production environment it needs some tuning to serve its clients flawlessly. Here are some of the commands I use. They are fully functional with Zimbra 8.6.



To check mail queue:
Option 1:
Login to Web Administration >> Monitor >> Mail Queue

Option 2:
Login to Shell >> su zimbra >> mailq


Remove all mails from the mail queue (this discards legitimate queued mail too; list the queue with mailq first and prefer postsuper -d <queue ID> for a single message):
Login to Shell >> /opt/zimbra/postfix/sbin/postsuper -d ALL


Clear / remove all mails from a user's mailbox (immediate, with no undo):
Login to Shell >> su zimbra >> zmmailbox -z -m user@yourdomain.com emptyFolder /Inbox


Set external relay MTA (all outgoing mail):
Login to Shell >> su zimbra >> zmprov ms mail.yourdomain.com zimbraMtaRelayHost mail.external.com:25 >> zmcontrol restart


Remove external relay MTA (clear the attribute on the same server it was set on; clearing the global value with mcf does not override a server-level setting):
Login to Shell >> su zimbra >> zmprov ms mail.yourdomain.com zimbraMtaRelayHost "" >> zmcontrol restart

The relay receives your mail on port 25 without authentication, so it must be a host that is configured to trust your server's address.





Tuesday, June 21, 2016

Zimbra Open Source Edition Logo Change

Zimbra is becoming very popular these days. Usually we use Zimbra Open Source Edition for single-server deployments. Most administrators want to put their company logo in the webmail interface. Today I will show how to set the logo in Zimbra webmail.

Basically Zimbra has various themes for webmail. Here I will describe the default theme only. The logo sizes are:

300x48 pixels (LoginBanner, shown on the login page)
200x28 pixels (AppBanner, shown at the top left of the mail client)


Step 1: Resize your logo to the above sizes and save both in PNG format.

Step 2: Upload your Logos at Zimbra Server using WINSCP / any other software.

Step 3: Rename the Logos as below.

LoginBanner_white.png
AppBanner_white.png

Step 4:
>> Go to the /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/skins/_base/logos directory (the jetty-distribution version differs between releases; /opt/zimbra/jetty is a symlink to the current one, so /opt/zimbra/jetty/webapps/zimbra/skins/_base/logos works on any 8.x install).
>> Copy the existing logos to a safe place or rename them as a backup.
>> Copy your uploaded logos into this directory.

Step 5: Change the ownership of those Logo images by below command.

#chown zimbra:zimbra LoginBanner_white.png
#chown zimbra:zimbra AppBanner_white.png

All done. Now refresh your webmail page and log in with a user; you will see the difference. Keep a copy of your logos outside /opt/zimbra, because an upgrade replaces the jetty distribution and these files with it.



Sunday, June 19, 2016

Zimbra Distribution-list Restriction

Generally we need distribution lists for our regular email communication. Management may circulate a message to all staff, which we can achieve by configuring a distribution list on the mail server. But the problem is that when a user replies to a mail received via the distribution list, the reply is delivered to all members of that list, which is not what we want.

To stop users from sending to a distribution list, or to restrict it to specific people, we configure the restriction as given below.

Step 1: Enable Milter Server from Zimbra Administration Console.
Path: Zimbra Admin Console >> Configure >> Global Settings >> MTA








Step 2: Set a owner of the distribution list you want to set the restriction.
Path: Zimbra Admin >> Manage >> Distribution List >> Select Distribution List >> Owner






Step 3: Login the web console of the owner and set the restriction as required.
Path: Owner web console >> Contacts >> Distribution List >> Right click the targeted list and Click Edit distribution list >> Distribution list Properties.






Set your required restriction and save it.





Thursday, April 21, 2016

Zimbra Disclaimer Setup

Enable the use of disclaimers

su zimbra
zmprov mcf zimbraDomainMandatoryMailSignatureEnabled TRUE


The above command enables the disclaimer feature for your Zimbra mail server.




Checking the status
zmprov gcf zimbraDomainMandatoryMailSignatureEnabled


Now add the HTML disclaimer message:
zmprov md example.com zimbraAmavisDomainDisclaimerHTML "Disclaimer message here"

Add the TEXT disclaimer message:
zmprov md example.com zimbraAmavisDomainDisclaimerText "Disclaimer message here"


Check the disclaimer message:
zmprov gd example.com zimbraAmavisDomainDisclaimerText zimbraAmavisDomainDisclaimerHTML

exit

Now implement the disclaimer to specific domain
cd /opt/zimbra/
su zimbra
./libexec/zmaltermimeconfig -e example.com

Now check the status using Webmail / Email client software.


Tuesday, April 12, 2016

Allow Services inside Cisco ASA

Sometimes we need to allow requests from Internet to a connected host serving specific service behind a Cisco ASA firewall. Here is a scenario...






In short,
External Interface IP: 222.0.0.10
Internal Interface IP: 111.0.0.1
FTP Server: 111.0.0.2
Web Server: 111.0.0.3

The tasks are given in above image. Here is how to do that...

First assign IP addresses and name the interfaces accordingly.

interface GigabitEthernet0/0
 nameif WAN-Interface
 security-level 0
 ip address 222.0.0.10 255.255.255.252


interface GigabitEthernet0/1
 nameif LAN-Interface
 security-level 20
 ip address 111.0.0.1 255.255.255.240




Now create extended access lists permitting the hosts and services you require.

access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.2 eq ftp
access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.3 eq http



You may find that your ASA has no recognized service name / port keyword for the service you want to permit. For that, create a service object-group naming the port number, as below.

object-group service RDP tcp
 port-object eq 3389


Now create access list for permitting that service.

access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.3 object-group RDP


So, we have finished creating the access list with the required permissions. Now we apply it to the interface where that traffic arrives: inbound on the WAN interface.

access-group PUBLIC-FW-IN in interface WAN-Interface

Do not also apply it inbound on LAN-Interface: an access-group ends with an implicit deny, so that would block every connection the LAN hosts themselves start, since only traffic to the three published ports would match. Traffic from the higher-security LAN towards the WAN is already permitted by the security levels. Two more points a reviewer would raise: exposing RDP (3389) to "any" is a common way to get a server brute-forced, so replace "any" with the source network or host that really needs it; and FTP relies on the ftp inspection in the ASA's default global_policy to open the data connection, so leave that inspection in place.



Now test each service from the Internet side. Good day.


Monday, April 11, 2016

Zimbra Outgoing mail alias

Edit /opt/zimbra/postfix/conf/main.cf and add the following line. Keep in mind that Zimbra regenerates main.cf from its LDAP configuration, so a hand edit like this can be lost after a restart or upgrade; check that the line is still present afterwards.

sender_bcc_maps = lmdb:/opt/zimbra/postfix/conf/sender_bcc

<save and exit>


Now add the outgoing mail BCC entries as below (left column: the sender; right column: the address that silently receives a copy).
#vim /opt/zimbra/postfix/conf/sender_bcc

john@zimbra.com                 mumtaz@zimbra.com
faruk@zimbra.com                mumtaz@zimbra.com

<save and exit>

Change the ownership of the newly created file.
#chown zimbra:zimbra /opt/zimbra/postfix/conf/sender_bcc


Build the lmdb database from sender_bcc with Zimbra's own postmap, as the zimbra user so that the generated .lmdb file gets the right owner.
#su - zimbra

$/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/sender_bcc



Apply the above changes now.

$postfix reload

Now check and enjoy...

Thursday, March 10, 2016

Cisco Switchport Type: UNI, ENI & NNI

The Cisco Catalyst ME3400 is a switch usually used at the service-provider edge. Although it is a Catalyst, many things are different compared to the regular Catalyst switches.


The ME3400 has three different port types:

UNI – User Network Interface. Port facing downstream (towards the customer). The port can't run STP, CDP or EtherChannel protocols like PAgP and LACP.



ENI – Enhanced Network Interface. ENIs have the same functionality as UNIs, but can be configured to support protocol control packets for Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), Link Layer Discovery Protocol (LLDP), and EtherChannel Link Aggregation Control Protocol (LACP) or Port Aggregation Protocol (PAgP).


NNI – Network Node Interface. Sometimes also called network-to-network interface. This port faces upstream towards the core and supports STP, CDP and the EtherChannel protocols.



Note: The default state for a UNI or ENI is administratively down to prevent unauthorized users from gaining access to other ports as you configure the switch. Traffic is not switched between these ports, and all arriving traffic at UNIs or ENIs must leave on NNIs to prevent a user from gaining access to another user's private network. If it is appropriate for two or more UNIs or ENIs to exchange traffic within the switch, the UNIs and ENIs can be assigned to a community VLAN.

Tuesday, January 12, 2016

Directory copy from Primary Server to Secondary Server Automatically using rsync


Network Topology

Tasks


** SSH Primary to Secondary Server without password
** Install rsync in both server

** Automate a directory to sync with Secondary server



SSH Primary to Secondary Server without password

Login to Primary Server and check the IP address





Login to Secondary Server and check the IP address



On the Primary Server create the SSH key pair with "ssh-keygen". Do not set a passphrase, so that the cron job can use the key unattended. Keep in mind that this makes the private key a standing root credential for the Secondary Server: protect /root/.ssh/id_rsa, and consider restricting what the key may do on the Secondary with the from= and command= options in authorized_keys instead of allowing a full root shell.



Create the .ssh directory on the Secondary Server with the command below (sshd ignores authorized_keys when the directory is group- or world-writable, hence the mode).

         # mkdir -m 700 /root/.ssh/



Send the "id_rsa.pub" public key from Primary Server to Secondary Server

       # scp /root/.ssh/id_rsa.pub root@192.168.0.3:/root/.ssh



On Secondary Server create a file name "authorized_keys" and put the content of "id_rsa.pub" on that file

      # touch /root/.ssh/authorized_keys

      # cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys



Set permissions on the Secondary Server (700 on the directory, 600 on the key file; -R is meaningless on a single file)

      #chmod 700 /root/.ssh/

      #chmod 600 /root/.ssh/authorized_keys



Now try to login from Primary Server to Secondary server without password

     # ssh 192.168.0.3



Install rsync in both server

On both server run following command to install rsync

     # apt-get install rsync -y



Automate a directory to sync with Secondary server

Let's say I want to copy the "/home/" directory from the Primary Server to the Secondary Server automatically every day at 1 AM.

Add the line below to the /etc/crontab file

00 1 * * *      root              rsync -avzhe ssh /home/ 192.168.0.3:/home/

Without --delete, files removed on the Primary stay on the Secondary; add --delete only if the Secondary is meant to be an exact mirror, because it will also erase anything created there directly. The trailing slashes matter: "/home/" copies the contents of /home, while "/home" would create /home/home on the Secondary.



Now restart cron Service
service cron restart



Enjoy!

Saturday, November 7, 2015

Enforce Password Complexity in Linux Server

You can use PAM to enforce password complexity in Linux Systems. For Debian / Ubuntu you can use the following file:
/etc/pam.d/common-password


First install the package. (On current Debian / Ubuntu releases pam_cracklib has been superseded by libpam-pwquality; the options below have the same names there, and the file to edit is still /etc/pam.d/common-password.)
apt-get install libpam-cracklib


Edit "/etc/pam.d/common-password" as per your requirement.

password requisite pam_cracklib.so try_first_pass retry=3 minlen=6 lcredit=1 ucredit=1 dcredit=0 ocredit=1 difok=4

** try_first_pass [reuse the password already typed for an earlier module in the stack instead of prompting again]
** retry=3 [number of times the user may retry a rejected new password]
** minlen=6 [minimum password length is 6, counted after the credits below; the option is spelled minlen, an unknown option such as minlength is ignored and the default of 9 applies]
** lcredit=1 [each lowercase character adds 1 to the length score, up to 1; this does NOT require a lowercase character. A negative value is a requirement: lcredit=-1 means at least one lowercase character]
** ucredit=1 [same for uppercase: up to 1 credit; ucredit=-1 would require at least one]
** dcredit=0 [digits earn no credit and are not required; dcredit=-1 would require at least one]
** ocredit=1 [other characters / symbols earn up to 1 credit; ocredit=-1 would require at least one]
** difok=4 [at least 4 characters of the new password must not occur in the old one. Rejecting the last N passwords is not this option; that is remember=N on the pam_unix line]

So with the line above a six-letter lowercase password such as "abcdef" passes: 6 characters plus 1 credit is 7, above minlen. To actually force mixed character classes, set the credits to negative values and raise minlen.


Now modify the options as you need. You can omit options as below; anything omitted keeps its default value.
password requisite pam_cracklib.so try_first_pass retry=3 minlen=6 ucredit=1 dcredit=1


Save the file and you are done.
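To see what a given line actually enforces before you roll it out, here is an added example (not from the page and not part of PAM) that reimplements pam_cracklib's minlen/credit and difok arithmetic in Python, runs the page's settings and a stricter policy against a few invented passwords, and renders the matching pam.d line. The difok check is simplified (pam_cracklib also rejects case-only changes and rotations of the old password), the dictionary check is omitted, and the module name in pam_line is an assumption (use pam_pwquality.so where that module replaces pam_cracklib).

```python
import string

# pam_cracklib credit arithmetic (man pam_cracklib): for each character class, a value N >= 0 lets
# up to N characters of that class each add 1 to the length score; a value N < 0 is a requirement
# for at least -N characters of that class. The score must reach minlen.


def class_counts(password):
    """Count characters per pam_cracklib class: lower, upper, digit, other."""
    counts = {"lcredit": 0, "ucredit": 0, "dcredit": 0, "ocredit": 0}
    for ch in password:
        if ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.digits:
            counts["dcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check_password(new, old="", minlen=9, lcredit=1, ucredit=1, dcredit=1, ocredit=1, difok=5):
    """Return (accepted, reason) for the minlen/credit/difok rules. Defaults are pam_cracklib's.

    Simplifications: the dictionary check is omitted, and difok is taken as 'at least difok
    characters of the new password do not occur in the old one'.
    """
    counts = class_counts(new)
    score = len(new)
    for name, credit in (("lcredit", lcredit), ("ucredit", ucredit),
                         ("dcredit", dcredit), ("ocredit", ocredit)):
        have = counts[name]
        if credit < 0:
            if have < -credit:
                return False, f"{name} requires at least {-credit} of that class, password has {have}"
        else:
            score += min(have, credit)
    if score < minlen:
        return False, f"length score {score} is below minlen {minlen}"
    if old:
        differing = sum(1 for ch in new if ch not in old)
        if differing < difok:
            return False, f"only {differing} characters differ from the old password (difok={difok})"
    return True, "ok"


def pam_line(minlen, lcredit, ucredit, dcredit, ocredit, difok, retry=3):
    """Render the /etc/pam.d/common-password line for a policy (module name is an assumption)."""
    return (f"password requisite pam_cracklib.so try_first_pass retry={retry} minlen={minlen} "
            f"lcredit={lcredit} ucredit={ucredit} dcredit={dcredit} ocredit={ocredit} difok={difok}")


# The page's settings (credits are bonuses) next to a policy where every class is required.
PAGE_POLICY = dict(minlen=6, lcredit=1, ucredit=1, dcredit=0, ocredit=1, difok=4)
STRICT_POLICY = dict(minlen=8, lcredit=-1, ucredit=-1, dcredit=-1, ocredit=-1, difok=4)

if __name__ == "__main__":
    for candidate in ("abcdef", "Abcde!", "Zyx9$qwe"):   # invented candidates
        for label, policy in (("page", PAGE_POLICY), ("strict", STRICT_POLICY)):
            ok, why = check_password(candidate, **policy)
            print(f"{label:6} {candidate!r:12} {'accept' if ok else 'reject'}: {why}")
    print(check_password("Abcde?", old="Abcde!", **PAGE_POLICY))   # fails only on difok
    print(pam_line(**STRICT_POLICY))
```

The run shows the point made above: under the page's line "abcdef" is accepted, while the strict policy rejects it for lacking an uppercase character and accepts only a password that has all four classes and at least eight characters.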

Monday, September 21, 2015

htaccess apache2 authentication for specific directory

@@ Apache version 2.4 and above. @@

Create a .htaccess file in the directory you want to protect (here /var/www/html/webmail, matching the AuthUserFile path below) and add the following lines

********************************
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/html/webmail/.htpasswd
AuthGroupFile /dev/null
Require user webmail

*******************************


Create the password file. Keep it outside the document root if you can; when it must live under /var/www/html, as here, rely on the "<FilesMatch "^\.ht">" block in apache2.conf, which refuses to serve .ht* files, and check that it is present.

Create & store the password (-c creates the file, so use it only the first time; -B stores a bcrypt hash, while -m would use the older MD5-based apr1 format)
htpasswd -c -B /var/www/html/webmail/.htpasswd webmail


The modules this needs (auth_basic, authn_file, authz_user) are enabled by default on Debian / Ubuntu. authz_groupfile is only required for "Require group", and since AuthGroupFile above points at /dev/null, both that directive and the a2enmod step can be dropped.

Restart apache2 service



Edit /etc/apache2/apache2.conf and check the following line
AccessFileName .htaccess [make sure this line is active; it is uncommented in the Debian default, so only remove the hash (#) if one has been added in front of it]

Change below lines from
**********************************
<Directory /var/www>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

*********************************

to
*********************************
<Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>

*********************************


Restart the apache2 service and check now: it will prompt you for a username and password. AllowOverride All lets any .htaccess under /var/www/html override most server settings; if authentication is all you need, AllowOverride AuthConfig is the narrower choice.

Saturday, July 4, 2015

Mikrotik Router BGP Configuration

Today we will learn how to configure the BGP routing protocol to get automatic failover across multiple links from your ISP. Let me describe the scenario first.

Platform: Mikrotik Router
Primary Link IP: 172.17.176.4/27
Secondary Link IP: 172.17.160.6/27
Usable Subnet: 172.17.161.0/30
My ASN: 65503
Remote [ISP] ASN: 203


Here is the connectivity diagram:





So, let's start the configuration. First we assign the primary IP address to ether1, the secondary IP address to ether2, and our usable subnet to ether3.




Primary IP address assign:



Secondary IP address assign:


My usable IP subnet:


Now we need to create filters to configure BGP. Here is how to do that.





In this case my ISP should send the default route to my router and all other routes should be discarded. Let's see how to create those filters.



A BGP attribute named "local preference" can be used to mark the primary link. Usually BGP uses the default value "local preference = 100" if we don't mention any value for this attribute.



The rule is "Higher local preference will get higher priority". So we set the value to 200 to make a link as Primary link in our configuration.






To discard all other incoming routes do the following.





Do the same thing for Secondary link as well.







We have already finished the configuration of incoming filters. Now we should mention the outgoing filters as well. My ISP should receive the given IP subnet [172.17.161.0/30] from me.

We need to create outgoing filters for Primary and Secondary links as well.










Now start with BGP. Follow the steps below to configure it.















 The final checking for our BGP configuration.







We are done.

 

Saturday, May 30, 2015

Live file synchronization across multiple Linux servers using LSYNC

At first, please note that I have implemented this on a Debian server.
Perform SSH login without a password from the Master Server to the Slave Server
Master Server:
#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/root/.ssh/id_rsa):[Just press Enter key]
Enter passphrase (empty for no passphrase): [Just Press enter key]
Enter same passphrase again: [Just Pess enter key]

Your identification has been saved in /home/root/.ssh/id_rsa.

#ssh-copy-id -i ~/.ssh/id_rsa.pub remote-ip

Now test from master server,
# ssh remote-ip
[It will not ask for password and take you to the remote server]



Now install lsyncd on the Master Server (lsyncd itself must be in the package list, otherwise there is nothing to configure in the next step):
#apt-get update

#apt-get install -y lsyncd lua5.1 liblua5.1-dev pkg-config rsync asciidoc

# vim /etc/lsyncd/lsyncd.conf.lua
settings {
    logfile = "/var/log/lsyncd/lsyncd.log",
    statusFile = "/var/log/lsyncd/lsyncd-status.log",
    statusInterval = 10
}

-- One sync block per directory tree: lsyncd watches it with inotify and pushes
-- every change to the slave with rsync over ssh, as root.
sync {
    default.rsync,
    source = "/home/",
    target = "remote-ip:/home/",
    rsync = {
        compress = true,
        verbose = true,
        owner = true,
        group = true,
        perms = true,
        acls = true,
        -- StrictHostKeyChecking=no accepts any host key, so a machine in the middle could
        -- receive the data. Put the slave's key in /root/.ssh/known_hosts and drop the option.
        rsh = "/usr/bin/ssh -p 22 -o StrictHostKeyChecking=no"
    }
}


sync {
    default.rsync,
    source = "/var/mail/",
    target = "remote-ip:/var/mail/",
    rsync = {
        compress = true,
        verbose = true,
        owner = true,
        group = true,
        perms = true,
        acls = true,
        rsh = "/usr/bin/ssh -p 22 -o StrictHostKeyChecking=no"
    }
}
[Save and Exit]


#mkdir /var/log/lsyncd/

#touch /var/log/lsyncd/lsyncd.log

#touch /var/log/lsyncd/lsyncd-status.log

#service lsyncd start


Slave Server:
#apt-get install rsync




Now test from Master Server:
#cd /home/


#touch test-file


Slave Server:
#cd /home/

#ls -lah


############# End of Lsync Configuration #############




*** Keep in mind that if you want to back up a mail server to a secondary one, you also have to move a copy of /etc/passwd, /etc/shadow and /etc/group from the master server to the backup server. Follow the steps below to do that once a day. ***



Slave server (this directory will hold the password hashes from /etc/shadow, so keep it root-only):
#mkdir -m 700 /root/user-backup-from-master-server


Master server:
#vim /usr/local/src/backup-users

scp /etc/passwd /etc/group /etc/shadow root@remote-ip:/root/user-backup-from-master-server
[Save and Exit]


#chmod 755 /usr/local/src/backup-users


#vim /etc/crontab
01 15 * * *    root    /usr/local/src/backup-users
[Save and Exit]



#/etc/init.d/cron restart


** This procedure will transfer a copy of /etc/passwd, /etc/group, /etc/shadow files everyday at 3:01PM from Master server to Slave server.
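Both the rsync post above (Tuesday, January 12, 2016) and this one hand the receiving server a passphrase-less root key that can run anything. The added example below (not from either post, and not part of rsync or lsyncd) is a forced-command gate to install on the Secondary/Slave: sshd runs it instead of the client's command, it checks SSH_ORIGINAL_COMMAND against the exact shape rsync and scp produce for these jobs and against the allowed destination directories, and only then execs the real binary. The binary paths, the script location, the allowed-directory list and the sample commands are assumptions.

```python
#!/usr/bin/env python3
"""Forced-command gate for the passwordless root key used by rsync and lsyncd.

Added example, not from the original posts. Install it on the Secondary/Slave server and
reference it from /root/.ssh/authorized_keys (key and path are assumptions):

  from="192.168.0.2",command="/usr/local/sbin/rsync-gate",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA...

sshd then runs this script instead of whatever the client asked for and passes the request
in SSH_ORIGINAL_COMMAND, so the key can no longer open a root shell on this host.
"""
import os
import shlex
import sys

# Destinations the Primary/Master may write into (the page's two sync trees and the
# user-backup directory from the lsync post); everything else is refused.
ALLOWED_TARGETS = ("/home/", "/var/mail/", "/root/user-backup-from-master-server/")
BINARIES = {"rsync": "/usr/bin/rsync", "scp": "/usr/bin/scp"}   # assumed Debian paths


def target_ok(path):
    """Absolute, no '..' components, and inside one of the allowed trees."""
    if not os.path.isabs(path) or ".." in path.split("/"):
        return False
    if not path.endswith("/"):
        path += "/"
    return path.startswith(ALLOWED_TARGETS)


def is_allowed(original_command):
    """Accept only 'rsync --server ... . DEST' or 'scp -t ... DEST' into an allowed directory."""
    try:
        argv = shlex.split(original_command or "")
    except ValueError:
        return False
    if not argv or argv[0] not in BINARIES:
        return False
    if argv[0] == "rsync":
        # Shape produced by 'rsync -e ssh SRC host:DEST': rsync --server <options...> . DEST
        if len(argv) < 4 or argv[1] != "--server" or argv[-2] != ".":
            return False
        options = argv[2:-2]
        if "--sender" in options:      # --sender would let the client read files from this host
            return False
    else:
        # Legacy scp protocol, receive mode: scp -t [-r] [-p] [-d] DEST ; -f (send) is refused
        if len(argv) < 3:
            return False
        options = argv[1:-1]
        if "-t" not in options or "-f" in options:
            return False
    if not all(opt.startswith("-") for opt in options):
        return False
    return target_ok(argv[-1])


def log(message):
    """Record refusals where the SOC will see them; falls back to stderr without syslog."""
    try:
        import syslog
        syslog.openlog("rsync-gate")
        syslog.syslog(syslog.LOG_WARNING, message)
    except ImportError:
        sys.stderr.write(message + "\n")


def main():
    command = os.environ.get("SSH_ORIGINAL_COMMAND")
    if not is_allowed(command):
        log(f"refused command from {os.environ.get('SSH_CLIENT', '?')}: {command!r}")
        sys.exit(1)
    argv = shlex.split(command)
    os.execv(BINARIES[argv[0]], argv)   # replaces this process with the real rsync/scp


if __name__ == "__main__":
    main()
```

Note that OpenSSH 9.0 and later make scp use SFTP by default, which this gate would refuse; run the backup script with scp -O, or replace it with rsync, which is what the rest of the setup uses anyway. Refused attempts land in syslog, which is where you want them if the Primary is ever compromised and its key abused.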

Tuesday, March 24, 2015

Multiple page redirection from single Linux Server using Apache2

I have a Linux server with Apache2 as its web service. I wanted to redirect two sites pointed at that server to two other websites. At first I was confused about how to do that, as I work in the networking section. Later I got help anyway, and I am going to share the solution with you.

First I had to change the default page from 'index.html' to 'index.php'.


Then I used the code below to redirect those two sites to the other two websites.


##################################
<?php
// Destination per site; only the site root ("/") is redirected, as in the original rule.
$targets = array(
    'www.xyz.com/'  => 'http://www.anotherone.com/',
    'web2.xyz.com/' => 'http://www.anothertwo.com/',
);

// HTTP_HOST comes from the client; it is only used as a lookup key, never echoed unescaped.
$actual_link = strtolower($_SERVER['HTTP_HOST']) . $_SERVER['REQUEST_URI'];
$redirect_page = isset($targets[$actual_link]) ? $targets[$actual_link] : null;
?>
<html>
    <head>
<?php if ($redirect_page !== null) { ?>
        <meta http-equiv="refresh" content="3;url=<?php echo htmlspecialchars($redirect_page, ENT_QUOTES); ?>" />
<?php } ?>
    </head>
    <body>
<?php if ($redirect_page !== null) { ?>
        <h1>Please wait, you are being redirected...</h1>
<?php } else { ?>
        <h1>No redirect is configured for this address.</h1>
<?php } ?>
    </body>
</html>

#################################


I am happy with this simple solution. You??

Monday, January 19, 2015

SMTP Authentication using Dovecot



Sometimes we get complaints from our clients that they cannot send mail using Outlook from a different ISP/network (most ISPs block outbound port 25 except to their own servers). To avoid this kind of inconvenience we can configure SMTP authentication on the server (SASL via Dovecot), with TLS to protect the credentials, and offer the submission port.

Step: 1

vim /etc/dovecot/conf.d/10-master.conf [Edit / Add the following lines inside the service auth { ... } block]

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

Since the socket is owned by postfix:postfix, mode = 0660 is enough; 0666 only adds access for everyone else on the box.


 

 

Step: 2
 
Now go to the Postfix directory and edit main.cf as follows


# TLS parameters
# The snakeoil pair is the self-signed certificate Debian generates at install time; clients
# will warn about it. Replace both paths with a certificate issued for your mail host name.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
########## Enable TLS ########
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
# "no" lets clients authenticate before STARTTLS, i.e. send the password in clear text.
# Set it to yes once all clients are configured for STARTTLS.
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes

######################################
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


#Authentication from dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_helo_required = yes
smtpd_sasl_authenticated_header = yes
# reject_unauth_destination, not a bare "reject": a bare reject at the end would turn away
# every unauthenticated remote server, i.e. all incoming mail for your own domains on port 25.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = permit_sasl_authenticated

 

 

 

Step 3: 
Now we need to enable the required SMTP port. Generally many providers do not allow the default SMTP port 25 or the SMTPS port 465, so I usually suggest the SMTP submission port 587 in these cases. But keep in mind: do not disable the default SMTP port 25 on your server; it is required for server-to-server SMTP communication.

To enable port 587, edit the file /etc/postfix/master.cf

vim /etc/postfix/master.cf

and remove the # in front of the line:

#submission inet n       -       n       -       -       smtpd

so that it looks like this:

submission inet n       -       n       -       -       smtpd

Also uncomment the "-o syslog_name=postfix/submission", "-o smtpd_tls_security_level=encrypt" and "-o smtpd_sasl_auth_enable=yes" lines that follow it in the Debian default master.cf: they make port 587 require STARTTLS before AUTH regardless of the smtpd_tls_auth_only setting in main.cf, and keep its log lines distinguishable from port 25.

and restart postfix:

/etc/init.d/postfix restart



Step: 4 


Now check that all the necessary ports are listening on your server.


#netstat -nat | grep LISTEN

And check for the ports 25 (SMTP), 587 (SMTP submission), 143 (IMAP), 110 (POP3). Listening is not the whole story: also confirm that AUTH is only offered after STARTTLS on 587, since that is where the client passwords travel.
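The netstat check only proves the ports are open. The added example below (not from the post; the EHLO replies are constructed) parses an EHLO banner and reports the weakness this configuration leaves open: AUTH advertised before STARTTLS, which is exactly what smtpd_tls_auth_only = no permits. probe() runs the same audit against a live server with smtplib; it needs network access and is not exercised by the offline sample.

```python
import smtplib

# Constructed EHLO replies. WEAK_EHLO is what a server set up with smtpd_tls_auth_only = no
# answers before STARTTLS; HARDENED_EHLO is the reply once AUTH is only offered inside TLS.
WEAK_EHLO = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME
"""
HARDENED_EHLO = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME
"""


def parse_ehlo(reply):
    """Turn a raw multi-line 250 reply into {KEYWORD: parameters}; the first line is the host name."""
    features = {}
    for index, line in enumerate(reply.splitlines()):
        if index == 0 or not line.startswith("250") or len(line) < 5:
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword.upper().startswith("AUTH="):          # legacy form kept for broken_sasl_auth_clients
            params = keyword[5:] + (" " + params if params else "")
            keyword = "AUTH"
        features[keyword.upper()] = params
    return features


def audit(before_tls, after_tls=None):
    """Findings for the plaintext phase and, if given, for the EHLO repeated after STARTTLS."""
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not offered: credentials and mail cannot be protected in transit")
    if "AUTH" in before_tls:
        findings.append(f"AUTH offered before STARTTLS ({before_tls['AUTH']}): "
                        "passwords may be sent in clear; set smtpd_tls_auth_only = yes")
    if after_tls is not None and "AUTH" not in after_tls:
        findings.append("AUTH not offered after STARTTLS: SASL is not enabled on this port")
    return findings


def probe(host, port=587, timeout=10):
    """Run the audit against a live server (needs network access; not used by the offline sample)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("audit.invalid")
        before = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        after = None
        if "STARTTLS" in before:
            smtp.starttls()
            smtp.ehlo("audit.invalid")
            after = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return audit(before, after)


if __name__ == "__main__":
    for name, reply in (("weak", WEAK_EHLO), ("hardened", HARDENED_EHLO)):
        print(name, audit(parse_ehlo(reply), parse_ehlo(WEAK_EHLO)) or ["no findings"])
```

Run probe("mail.example.com", 587) and probe("mail.example.com", 25) after the change: the submission port should report no findings, and port 25 should at least not offer AUTH in the clear.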

 

 

Step: 5

Modify the Outlook email client configuration of the users accordingly: outgoing server port 587, encryption STARTTLS, and "my outgoing server requires authentication" with the same credentials as for incoming mail.



You are done.