Hardware & Software

Here you can find technical details about software and hardware configuration.

Saturday, 4 January 2025

Procmailrc altered from maildir to mailbox

 Hi

 

I use Virtualmin with Postfix and Procmail for email management.

Initially, mail was delivered to /home/$domain/homes/$user.

I upgraded the server to install new versions of software and improve network security.

After the upgrade, all mail goes to /var/mail/$user.

What is the cause?


In the initial state I had:


cat /usr/local/etc/procmailrc

DROPPRIVS=yes
#/usr/local/etc/procmailrc:
LOGFILE=/var/log/procmail.log
TRAP=/usr/local/etc/webmin/virtual-server/procmail-logger.pl
:0wi
VIRTUALMIN=|/usr/local/etc/webmin/virtual-server/lookup-domain.pl --exitcode 73 $LOGNAME
EXITCODE=$?
:0
* ?/bin/test "$EXITCODE" = "73"
/dev/null
EXITCODE=0
:0
* ?/bin/test "$VIRTUALMIN" != ""
{
INCLUDERC=/usr/local/etc/webmin/virtual-server/procmail/$VIRTUALMIN
}
DEFAULT=$HOME/Maildir/
ORGMAIL=$HOME/Maildir/


DROPPRIVS=yes

==========================================================

After the upgrade, the upgrade scripts changed the following settings in procmailrc:

#DEFAULT=/var/mail/$LOGNAME
#ORGMAIL=/var/mail/$LOGNAME

Because of this, all mail was delivered to the /var/mail/ folder.






Sunday, 11 February 2024

OpenNMS Error "Caused by: org.opennms.core.schema.MigrationException: an error occurred getting the version from the database"

This error occurs because the installer (/opt/opennms/bin/install -dis) can't connect to the PostgreSQL server with the standard user.

In many cases, to fix this error we need to create a PostgreSQL user and database.


systemctl start postgresql
su - postgres -c "createuser -P opennms"
su - postgres -c "createdb -O opennms opennms"
su - postgres -c "psql -U postgres"
 
After that we need to edit the following config file to change the username/password:
vi /etc/opennms/opennms-datasources.xml    or
vi /opt/opennms/etc/opennms-datasources.xml

In many cases we need to edit the PostgreSQL config file
/var/lib/pgsql/data/pg_hba.conf with:
 
##local   all             all                                     peer
local all all trust
 
##host    all             all             127.0.0.1/32            ident
host all all 127.0.0.1/32 trust
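
With `trust`, any local account can connect as any database role, including `postgres`, without a password. The script below is an added example, not part of the original post: it lists the active `trust` records in a pg_hba.conf and rewrites them to authenticated methods. The sample file content is constructed, and the choice of `peer` and `scram-sha-256` as replacements is an assumption that the roles OpenNMS connects as have passwords set.

```sh
#!/bin/sh
# Added example (not from the original post): find pg_hba.conf records that use
# "trust" and rewrite them to authenticated methods.

# Constructed pg_hba.conf: the lines from the post plus two more records.
PG_HBA='# TYPE  DATABASE  USER  ADDRESS  METHOD
##local   all             all                                     peer
local all all trust
##host    all             all             127.0.0.1/32            ident
host all all 127.0.0.1/32 trust
host all all ::1/128 ident
host replication all 127.0.0.1 255.255.255.255 trust'

# awk fragment: set m to the column that holds the auth method. "local" records
# have no ADDRESS column; host records may carry a separate IPv4 netmask column.
METHOD_COL='m = ($1 == "local") ? 4 : 5
    if ($1 != "local" && $5 ~ /^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+$/) m = 6'

# trust_entries: print "line: record" for every active record using trust.
trust_entries() {
    awk '/^[ \t]*(#|$)/ { next }
         { '"$METHOD_COL"'
           if ($m == "trust") print NR ": " $0 }'
}

# harden: local trust -> peer (the value commented out in the post), host trust
# -> scram-sha-256 (use md5 on PostgreSQL releases older than 10). Assumes the
# roles OpenNMS connects as have passwords set.
harden() {
    awk '/^[ \t]*(#|$)/ { print; next }
         { '"$METHOD_COL"'
           if ($m == "trust") $m = ($1 == "local") ? "peer" : "scram-sha-256"
           print }'
}

printf '%s\n' "$PG_HBA" | trust_entries
printf '%s\n' "$PG_HBA" | harden
```

After changing the method, the passwords in opennms-datasources.xml must match the database roles, and PostgreSQL must reload its configuration.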
 
 
You need to open port 8980 in the firewall:
root@localhost:~# firewall-cmd --permanent --add-port=8980/tcp
success
root@localhost:~# systemctl restart firewalld 

Friday, 2 February 2024

Integrate SpamAssassin into Postfix mail server

 

bash script to rewrite spam method

This is a simple method to integrate SpamAssassin. All spam e-mail will still come through to your address(es), but it will be clearly marked as spam.

1) Create a bash script to receive e-mail from Postfix and pipe it to SpamAssassin for rewriting. Then forward the rewritten version to Postfix's sendmail implementation:

{{{#!highlight bash
#!/bin/bash
#
# spamfilter.sh
#
# Simple filter to plug SpamAssassin into the Postfix MTA
#
# Modified by Jeremy Morton
#
# This script should probably live at /usr/bin/spamfilter.sh
# ... and have 'chown root:root' and 'chmod 755' applied to it.
#
# For use with:
# Postfix 20010228 or later
# SpamAssassin 2.42 or later

# Note: Modify the file locations to suit your particular
# server and installation of SpamAssassin.
# File locations:
# (CHANGE AS REQUIRED TO SUIT YOUR SERVER)
SENDMAIL=/usr/sbin/sendmail
SPAMASSASSIN=/usr/bin/spamc

logger <<<"Spam filter piping to SpamAssassin, then to: $SENDMAIL $@"
${SPAMASSASSIN} | ${SENDMAIL} "$@"

exit $?
}}}
This, of course, assumes you're using the spamd/spamc implementation of SpamAssassin to improve performance - spamc is the command you'll want to invoke to check an e-mail (by setting SPAMASSASSIN to its location).

2) Ensure the newly-created /usr/bin/spamfilter.sh has correct permissions (0755), and is owned by root:root.

3) Modify the /etc/postfix/master.cf file; first, change the first 'smtp' line of the file to:

smtp      inet  n       -       -       -       -       smtpd -o content_filter=spamfilter

Then, add the following (a call to our newly-created spamfilter script) at the end:

spamfilter
          unix  -       n       n       -       -       pipe
   flags=Rq user=spamd argv=/usr/bin/spamfilter.sh -oi -f ${sender} ${recipient}

This setup assumes you have a 'spamd' user for the script to be run as. If you wish to run it as a different user, modify the 'user' argument above.

4) Restart the Postfix service.

Now, Postfix should be sending every incoming e-mail through the spamfilter.sh script (which means it's going through SpamAssassin), with the e-mail headers (and maybe the rest of the e-mail, if it's spam) being rewritten before being delivered to the target mailbox. Optionally, you may wish to tweak SpamAssassin's configuration to cause it to rewrite the e-mails in a more useful way (only rewrite spam mail subject but not whole e-mail, add a 'ham' header to give detailed info on even non-spam, etc.)

5) (optional) Tweak SpamAssassin's configuration. Ensure that the below is in /etc/mail/spamassassin/local.cf and then restart SpamAssassin:

# Rewrite the subject of suspected spam e-mails
#rewrite_header Subject *****SPAM*****
rewrite_header Subject *****SPAM***** (_SCORE_)
# Just add an X-Spam-Report header to suspected spam, rather than rewriting the content of the e-mail
report_safe 0
# Also we want to add a detailed ham report header to even e-mail that ISN'T suspected to be spam
add_header ham HAM-Report _REPORT_
# Set the threshold at which a message is considered spam (3 is usually sufficient)
required_score 3.0
 
Source 

Saturday, 13 January 2024

Convert vmdk disk to vhd

To convert vmdk to vhd you can use the Hyper-V tool, but in many cases it does not work.

Another way to convert the disk is with VBoxManage.exe.

When I exported the VM disk from ESXi, the OS gave me two files.

In my case Win10.vmdk holds the descriptors and Win10-flat.vmdk is the image of the virtual machine.

=========================================================

f:\VM>dir
 Volume in drive F has no label.
 Volume Serial Number is 5640-B933

 Directory of f:\VM

01/13/2024  05:14 PM    <DIR>          .
01/13/2024  05:14 PM    <DIR>          ..
01/13/2024  03:49 PM    85,899,345,920 Win10-flat.vmdk
01/13/2024  03:36 PM               501 Win10.vmdk
               2 File(s) 85,899,346,421 bytes
               2 Dir(s)  815,193,800,704 bytes free

======================================================

At this point I try to convert the image to vhd format with the following command:


c:\Program Files\Oracle\VirtualBox>VBoxManage.exe clonehd --format vhd f:\VM\Win10.vmdk f:\VM\win10.vhd

0%...10%...20%...30%...

Sunday, 17 December 2023

FreeBSD Iscsi with zfs

 




2. ZFS configuration:

Create a ZFS pool and a dataset (zvol) to serve as the iSCSI volume. For example, to create a pool named mypool and a zvol named myzvol:


sudo zpool create mypool /dev/ada0
sudo zfs create -V 100G mypool/myzvol

After that we need to install istgt:

pkg install istgt

In my case I will use the following config files:

auth.conf

#[AuthGroup1]
  Comment "Group for the Test Disk"
  Auth "iqn.1991-05.com.microsoft:vm111wdc.test.soft:testdisk" "between12and16"

[AuthGroup9999]
  Comment "Group for discovery"
  Auth "iqn.1991-05.com.microsoft:vm111wdc.test.soft" "discovermenow"
#
[AuthGroup10000]
#  Comment "Group for unit controller"
#  Auth "ctluser" "test" "mutualuser" "mutualsecret"

istgt.conf

[Global]
  Comment "Global section"
  NodeBase "iqn.1991-05.com.microsoft:vm111wdc.test.soft"
#  DiscoveryAuthMethod CHAP
#  DiscoveryAuthGroup AuthGroup9999

  #The following values were not edited
  PidFile /var/run/istgt.pid
#  AuthFile /usr/local/etc/istgt/auth.conf
  MediaDirectory /var/istgt
  LogFacility "local7"

  Timeout 30
  NopInInterval 20

  MaxSessions 16
  MaxConnections 4
  MaxR2T 32
  MaxOutstandingR2T 16
  DefaultTime2Wait 2
  DefaultTime2Retain 60
  FirstBurstLength 262144
  MaxBurstLength 1048576
  MaxRecvDataSegmentLength 262144
  InitialR2T Yes
  ImmediateData Yes
  DataPDUInOrder Yes
  DataSequenceInOrder Yes
  ErrorRecoveryLevel 0

#Unit controller
[UnitControl]
  Comment "Internal Logical Unit Controller"
#  AuthMethod CHAP Mutual
#  AuthGroup AuthGroup10000
  Portal UC1 127.0.0.1:3261
  Netmask 127.0.0.1

#Portal of the Test Disk
[PortalGroup1]
  Comment "SINGLE PORT TEST"
  Portal DA1 10.100.200.109:3260

#Initiators for the Test Disk
[InitiatorGroup1]
  Comment "Initiator Group1"
  InitiatorName "iqn.1991-05.com.microsoft:vm111wdc.test.soft"
  Netmask 10.100.200.0/24

#Test Disk
[LogicalUnit1]
  Comment "Test Disk"
  TargetName testdisk
  TargetAlias "ISCSI Test Disk"
  Mapping PortalGroup1 InitiatorGroup1
#  AuthMethod CHAP
#  AuthGroup AuthGroup1

  ReadOnly No
  UnitType Disk
  UnitOnline Yes

  UseDigest Auto
#  UnitType Pass

LUN0 Storage /dev/zvol/storage/storage 26T


istgtcontrol.conf


[Global] 
 Comment "Sample Configuration" 
 Timeout 60 
 AuthMethod CHAP Mutual 
 Auth "ctluser" "test" "mutualuser" "mutualsecret" 
 Host localhost Port 3261 
 TargetName "iqn.1991-05.com.microsoft:vm111wdc.test.soft" 
 Lun 0 
 Flags "ro" 
 Size "auto"


Saturday, 9 December 2023

fail2ban qmail configuration

 

# Install fail2ban

# yum install fail2ban -y

# Create the filter definition files in filter.d

# cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL
[Definition]
#Looks for failed auth outside TLS to SMTP
failregex = 503 auth not available \(\#5\.3\.3\) - <HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-smtps-auth.conf<< EOL
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-smtps-passfail.conf<< EOL
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-smtps-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-submission-passfail.conf<< EOL
[Definition]
failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-submission-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

# Add filter definitions to jail.conf

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-$(date +%F)

# cat >>/etc/fail2ban/jail.conf << EOL

[qmail-submission-passfail]
enabled = true
filter  = qmail-submission-passfail
action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-submission-usernotfound]
enabled = true
filter  = qmail-submission-usernotfound
action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-smtps-passfail]
enabled  = true
filter   = qmail-smtps-passfail
action   = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-smtps-usernotfound]
enabled = true
filter = qmail-smtps-usernotfound
action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-smtp-authnotavail]
enabled = true
filter = qmail-smtp-authnotavail
action = iptables[name=QMAIL-SMTP, port=25, protocol=tcp]
logpath = /var/log/qmail/smtptx/current
maxretry = 3
bantime = 86400
findtime = 300
backend = auto

EOL

# Set up Authorization not available

   In order to log SMTP transactions do the following:
   1) # qmailctl stop
   2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp 
   3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file: 
      
      #!/bin/sh
      LOGSIZE=`cat /var/qmail/control/logsize`
      LOGCOUNT=`cat /var/qmail/control/logcount`
      exec /usr/bin/setuidgid qmaill \
        /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
        '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
        '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1
   4) # qmailctl start && qmailctl cdb
   5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal

# Start fail2ban

# systemctl start fail2ban


# Script to check blocking

# cat >./f2bstat << 'EOL'
#!/bin/bash

for FILTER in qmail-submission-passfail \
              qmail-submission-usernotfound \
              qmail-smtps-passfail \
              qmail-smtps-usernotfound \
              qmail-smtp-authnotavail
do
   fail2ban-client status $FILTER
   echo ""
done

EOL

# Set permissions & run script (w/output sample)

# chmod 755 ./f2bstat && ./f2bstat

qmail-submission-passfail:

Status for the jail: qmail-submission-passfail
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-submission-usernotfound:

Status for the jail: qmail-submission-usernotfound
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     7
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-smtps-passfail:

Status for the jail: qmail-smtps-passfail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-smtps-usernotfound:

Status for the jail: qmail-smtps-usernotfound
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   5.34.207.174 212.70.149.72

qmail-smtp-authnotavail:

Status for the jail: qmail-smtp-authnotavail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/qmail/smtptx/current
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
 
source 
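
To see which hosts the jails above would select before enabling them, the script below replays two of the post's failregex values over sample log lines and lists every host that reaches maxretry. It is an added example, not part of the original post or of fail2ban: the log lines are constructed, `<HOST>` is approximated by an IPv4 pattern, and the findtime window is ignored.

```sh
#!/bin/sh
# Added example (not from the original post): replay the post's submission
# failregex lines over sample log lines and list hosts that reach maxretry.

# Constructed log lines, shaped so the post's regexes match them.
SAMPLE_LOG='Dec  9 10:00:01 mx vpopmail[2101]: vchkpw-submission: password fail (pass: a) alice@example.test:203.0.113.7
Dec  9 10:00:05 mx vpopmail[2102]: vchkpw-submission: password fail (pass: b) alice@example.test:203.0.113.7
Dec  9 10:00:09 mx vpopmail[2103]: vchkpw-submission: password fail (pass: c) bob@example.test:203.0.113.7
Dec  9 10:01:00 mx vpopmail[2104]: vchkpw-submission: vpopmail user not found nobody@example.test:198.51.100.20
Dec  9 10:02:00 mx vpopmail[2105]: vchkpw-submission: password fail (pass: d) carol@example.test:192.0.2.44
Dec  9 10:03:00 mx vpopmail[2106]: vchkpw-submission: (PLAIN) login success carol@example.test:192.0.2.44'

# failregex values copied from the filter.d files in the post.
FAILREGEX_PASSFAIL='vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>'
FAILREGEX_NOUSER='vchkpw-submission: vpopmail user not found .*:<HOST>'

# hosts_over_maxretry FAILREGEX MAXRETRY
# Reads log lines on stdin and prints "host count" for each host with at least
# MAXRETRY matching lines. <HOST> is approximated by a dotted IPv4 pattern
# (fail2ban's own <HOST> also accepts IPv6 and hostnames).
hosts_over_maxretry() {
    RE=$(printf '%s' "$1" | sed 's/<HOST>/[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+/') \
    MAX="$2" awk '
        match($0, ENVIRON["RE"]) {
            hit = substr($0, RSTART, RLENGTH)      # text matched by the failregex
            if (match(hit, /[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+$/))
                count[substr(hit, RSTART, RLENGTH)]++
        }
        END {
            for (h in count)
                if (count[h] >= ENVIRON["MAX"] + 0) print h, count[h]
        }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | hosts_over_maxretry "$FAILREGEX_PASSFAIL" 3
```

On a host with fail2ban installed, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/qmail-submission-passfail.conf` runs the real filter against the real log.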

Monday, 17 April 2023

Make a simple encrypted connection

If you need to make a secure connection to a device and test whether it works, you can try this command:

(In our case we have a secure connection to an IMAP server, port 993)

openssl s_client -connect your.server.ip:993

To do the same connection test unencrypted (plaintext) you can try:   telnet your.server.ip 993

 
