MAC OS X, Linux, Windows and other IT Tips and Tricks

05 May 18 Minimize the Digests shown Headers in Mailman 2.1.xx

Problem:
Digests in Mailman carry a lot of unneeded headers, which clutter the messages.

Solution:
Edit the Mailman configuration file manually as follows:
WARNING !!!: These headers are part of ‘RFC 1153’; changing them can have unpredictable or unwanted effects.
So here I kept the headers Date:, From:, Subject:, Keywords (if any), and Content-Type (quite important to keep).

Steps:
Rename the automatically compiled Python config file:
mv /usr/lib/mailman/Mailman/Defaults.pyc /usr/lib/mailman/Mailman/Defaults.pyc.orig

Edit the config file:
mcedit /usr/lib/mailman/Mailman/Defaults.py

and make the following changes from:

# Headers which should be kept in both RFC 1153 (plain) and MIME digests. RFC
# 1153 also specifies these headers in this exact order, so order matters.
MIME_DIGEST_KEEP_HEADERS = [
    'Date', 'From', 'To', 'Cc', 'Subject', 'Message-ID', 'Keywords',
    # I believe we should also keep these headers though.
    'In-Reply-To', 'References', 'Content-Type', 'MIME-Version',
    'Content-Transfer-Encoding', 'Precedence', 'Reply-To', 'List-Post',
    # Mailman 2.0 adds these headers
    'Message',
    ]
#
# The order in this list controls the order of the RFC 1153 digest headers.
# Also, any headers in this list will be kept in the MIME digest even if they
# don't appear in the MIME list above. Finally, headers appearing in both
# lists must be casewise the same or duplication can result in the digest.
PLAIN_DIGEST_KEEP_HEADERS = [
    'Message',
    # RFC 1153 headers in order
    'Date', 'From', 'To', 'Cc', 'Subject', 'Message-ID', 'Keywords',
    'Content-Type',
    ]

TO:

# Headers which should be kept in both RFC 1153 (plain) and MIME digests. RFC
# 1153 also specifies these headers in this exact order, so order matters.
#MIME_DIGEST_KEEP_HEADERS = [
#    'Date', 'From', 'To', 'Cc', 'Subject', 'Message-ID', 'Keywords',
#    # I believe we should also keep these headers though.
#    'In-Reply-To', 'References', 'Content-Type', 'MIME-Version',
#    'Content-Transfer-Encoding', 'Precedence', 'Reply-To', 'List-Post',
#    # Mailman 2.0 adds these headers
#    'Message',
#    ]
#
MIME_DIGEST_KEEP_HEADERS = [
    'Date', 'From', 'Subject', 'Keywords',
    # I believe we should also keep these headers though.
    'In-Reply-To', 'References', 'Content-Type', 'MIME-Version',
    'Content-Transfer-Encoding', 'Precedence', 'Reply-To', 'List-Post',
    ]
#
# The order in this list controls the order of the RFC 1153 digest headers.
# Also, any headers in this list will be kept in the MIME digest even if they
# don't appear in the MIME list above. Finally, headers appearing in both
# lists must be casewise the same or duplication can result in the digest.
#PLAIN_DIGEST_KEEP_HEADERS = [
#    'Message',
#    # RFC 1153 headers in order
#    'Date', 'From', 'To', 'Cc', 'Subject', 'Message-ID', 'Keywords',
#    'Content-Type',
#    ]
#
PLAIN_DIGEST_KEEP_HEADERS = [
    # RFC 1153 headers in order
    'Date', 'From', 'Subject', 'Keywords',
    'Content-Type',
    ]

Note: This might look confusing, but take a good look at the changes and you can see that I simply eliminated some headers from the two lists.
I kept the original version commented out as a reference, in case things go wrong and I need to re-introduce some of them.
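To see what the trimmed lists actually do to a message, here is an added example (my own code, not Mailman's; it mimics the header pass Mailman makes when it builds a plain digest entry, not the real ToDigest code) run over a constructed sample post. The headers come out in keep-list order, not in the order they appear in the message, and anything not on the list (Received, To, Cc, Message-ID, X-Mailer) disappears. One caveat worth knowing: package upgrades overwrite Defaults.py, and its own header comment says site changes belong in mm_cfg.py (/etc/mailman/mm_cfg.py on Debian); the two lists can be set there instead and then survive upgrades.

```python
import email

# Trimmed keep-list from the post above (plain RFC 1153 digest)
PLAIN_DIGEST_KEEP_HEADERS = ['Date', 'From', 'Subject', 'Keywords', 'Content-Type']

# Constructed sample post, not a real list message. The header order is
# deliberately different from the keep-list order to show that the list,
# not the message, decides the order in the digest.
SAMPLE_POST = """\
Received: from mx.example.org ([192.0.2.10]) by lists.example.org; Sat, 05 May 2018 10:00:01 +0000
Message-ID: <20180505.0001@example.org>
To: people@lists.example.org
Cc: bob@example.org
Subject: [people] Meeting notes
From: Alice <alice@example.org>
Date: Sat, 05 May 2018 10:00:00 +0000
X-Mailer: Constructed/1.0
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0

Notes from today's meeting.
"""


def digest_headers(raw_message, keep=PLAIN_DIGEST_KEEP_HEADERS):
    """Headers a plain-digest entry keeps, as (name, value) pairs in keep-list order.

    Mimics the pass Mailman's digest builder makes over the keep-list; it is
    not Mailman's own code."""
    msg = email.message_from_string(raw_message)
    kept = []
    for name in keep:
        # get_all() matches header names case-insensitively; Mailman's remark
        # about the lists being "casewise the same" is about the two keep-lists
        # agreeing with each other, not about this lookup.
        for value in msg.get_all(name, []):
            kept.append((name, value))
    return kept


def render_digest_entry(raw_message, keep=PLAIN_DIGEST_KEEP_HEADERS):
    """One plain-digest entry: the kept headers, a blank line, then the body."""
    msg = email.message_from_string(raw_message)
    header_block = "\n".join("%s: %s" % pair for pair in digest_headers(raw_message, keep))
    return header_block + "\n\n" + msg.get_payload()


if __name__ == "__main__":
    print(render_digest_entry(SAMPLE_POST))
```

Swap in the full MIME_DIGEST_KEEP_HEADERS list as the keep argument to compare the two variants side by side; a header missing from the message (Keywords here) is simply skipped, as in the digest.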

02 May 18 Configuring Domain Relaying with ISPConfig 3.1.xx

Intention:
Reroute mail for specific email addresses (by destination domain) through, for example, an external SMTP relay:

Steps:
– Enter the destination domain in the Advanced Routing Table (Email ==> Email Accounts/Email Routing)
– Enter the same destination domain in the (Email ==> Global Filters / Relay Recipients) as @domain

Example:
eg. rerouting all emails for the destination domain mydomain.com via a relay server (relay.myserver.com)

(Email ==> Email Accounts / Email Routing)
Select ‘Add new Transport’
Fill in the fields:
Server: (Select the server)
Domain: mydomain.com
Type: (select smtp)
No MX lookup: (leave unchecked)
Destination: relay.myserver.com
Sort by: 1
Active: (Checked)

(Email ==> Global Filters / Relay Recipients)
Select: ‘Add new relay recipient’

Fill in the fields:
Server: (Choose the server)
Relay recipient: @mydomain.com
Active: (Checked)

02 May 18 No Type list in ISPConfig 3.1.11

Problem:
In the brand new ISPConfig 3.1.11, when I add or modify an email transport, no value is displayed any more in the “type” field.

Solution:
Ref: https://git.ispconfig.org/ispconfig/ispconfig3/issues/4924
Edit /usr/local/ispconfig/interface/web/mail/mail_transport_edit.php
Change this line:
$app->tpl->setVar($rec, null, true);
to this:
$app->tpl->setVar($rec);
and it should work again.

23 Mar 18 Changing the mailman subscribers ‘moderation’ bit on the command line

Intro:
In my mailman installation with over 3K subscribers I could not find out why the web interface didn’t allow me to change the ‘moderation’ bit of subscribers, or any other property. So I found this tool which allows me to set the ‘moderation’ bit for any subscriber from the command line. Since the Python module for doing this is not provided with mailman, you need to add it and run the command as follows:

Add the following content to the new file called: /usr/lib/mailman/bin/mod.py
#! /usr/bin/python
# mod.py -- list or set the per-member "moderated" flag; meant to be run
# through bin/withlist (Mailman 2.1 runs on Python 2, hence the print statements)
#
from Mailman import mm_cfg
import sys
#
def mod(list):
    """Print every member whose moderation bit is set."""
    for member in list.getMembers():
        if list.getMemberOption(member, mm_cfg.Moderate):
            print member, "is moderated"
#
def set(list, member, value):
    """Set (value 1) or clear (value 0) the moderation bit of one member."""
    value = not not (int(value))    # normalise the "0"/"1" argument to a bool
    if list.isMember(member):
        list.Lock()
        list.setMemberOption(member, mm_cfg.Moderate, value)
        print "%s's moderated flag set to %d" % (member, value)
        list.Save()
        list.Unlock()
    else:
        print member, "not a member"

Command for changing the ‘moderation’ bit:
eg. for myname@mydomain.com in ‘people’ mailing list
Turning ON the ‘moderation’ bit:
/usr/lib/mailman/bin/withlist -r mod.set people myname@mydomain.com 1
Turning OFF the ‘moderation’ bit:
/usr/lib/mailman/bin/withlist -r mod.set people myname@mydomain.com 0
Turning ON the ‘moderation’ bit for ALL subscribers in the mailing list:
for member in $(/usr/lib/mailman/bin/list_members people) ; do
    /usr/lib/mailman/bin/withlist -r mod.set people $member 1
done

23 Dec 17 Rectify mailman URLs after a hostname change

Intro:
I had to change the server name of my mailman server. I changed it in /etc/mailman/mm_cfg.py as follows:
# Default domain for email addresses of newly created MLs
DEFAULT_EMAIL_HOST = 'mailman.myserver.com'
#-------------------------------------------------------------
# Default host for web interface of newly created MLs
DEFAULT_URL_HOST = 'mailman.myserver.com'

BUT! Some links on the mailman site were OK (new) and others were not OK (old server name).

SOLUTION:
To remedy this, all the mailing lists need to be modified internally to reflect the new hostname in the site URLs and the email addresses.
Ref: https://mail.python.org/pipermail/mailman-users/2006-February/049052.html
Simply run the following 2 commands:
cd /usr/lib/mailman/bin/
./withlist -l -a -r fix_url -- -v

This runs withlist and tells it to lock the lists (-l), process all lists (-a), and process each one by calling fix_url in the module fix_url.py with the list instance and -v as arguments; -v causes fix_url to report what it’s doing. The -- separates the -v option for fix_url from the withlist options, since there’s no listname to do that in this case.

For mailing lists with a different URL than the site’s, the reference suggests the following:
———————————–
If you have more than one virtual host, you have to process the lists
one at a time with

bin/withlist -l -r fix_url listname -u url_host

but you could wrap that in a shell script to run the command repeatedly
for all the listname/url_host pairs.
———————————–

21 Dec 17 Blocking reception of full TLDs

Intro:
Lately I was receiving a lot of spam from ‘.date’ TLD sources and wanted to block all these emails using Postfix.
Here is a solution found at: https://serverfault.com/questions/728641/blacklisting-tld-in-postfix/728658

Steps:
Install the Postfix PCRE dictionary
apt-get install postfix-pcre
Configure postfix
postconf -e smtpd_sender_restrictions=pcre:/etc/postfix/rejected_domains
postconf -e reject_unauth_destinations=pcre:/etc/postfix/rejected_domains

Create the new file /etc/postfix/rejected_domains with the following content:
/\.date$/ REJECT All Date Domains
Reload Postfix
service postfix reload
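As an added check (my own code, not from the post or the serverfault answer), this Python simulation of the lookup shows which envelope senders the one-line map rejects. It assumes the pcre_table(5) conventions: one rule per line, case-insensitive matching unless the i flag is given, first match wins, and the table is queried with the whole MAIL FROM address, so it is the envelope sender and not the From: header that is tested. Negated !/pattern/ rules are not handled.

```python
import re

# Constructed copy of /etc/postfix/rejected_domains from the post ("/pattern/flags result")
REJECTED_DOMAINS = r"""
# block every sender in the .date TLD
/\.date$/ REJECT All Date Domains
"""

# One pcre_table(5) rule: a /.../ pattern, optional flag letters, then the result text
RULE_RE = re.compile(r"^/(?P<pattern>(?:\\.|[^/])*)/(?P<flags>[a-zA-Z]*)\s+(?P<result>.+)$")


def parse_pcre_table(text):
    """Turn a pcre_table(5) file into (compiled regex, result) pairs.

    Postfix matches these tables case-insensitively by default; the 'i' flag
    toggles that off, which is mirrored here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError("unparsable rule: %r" % line)
        ignore_case = "i" not in match.group("flags")
        regex = re.compile(match.group("pattern"), re.IGNORECASE if ignore_case else 0)
        rules.append((regex, match.group("result")))
    return rules


def lookup(rules, key):
    """First matching rule wins, as in a Postfix access-map lookup; None means no match."""
    for regex, result in rules:
        if regex.search(key):
            return result
    return None


def sender_restriction(envelope_sender, table_text=REJECTED_DOMAINS):
    """Outcome of the smtpd_sender_restrictions entry for one MAIL FROM address.

    "REJECT ..." becomes a 554 reply; DUNNO means the table said nothing and the
    remaining restrictions decide."""
    result = lookup(parse_pcre_table(table_text), envelope_sender)
    return result if result else "DUNNO"


if __name__ == "__main__":
    for sender in ("news@promo.date", "alice@example.com", "alice@update.com", ""):
        print("%-22s -> %s" % (sender or "<> (null sender)", sender_restriction(sender)))
```

Note what the anchored pattern does not catch: a sender under a subdomain such as promo.date.example.com ends in .com and passes, as does the null sender used by bounces, which is why the rule only hits the TLD it was written for.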

11 Dec 17 OpenDKIM doesn’t start after Upgrade from Jessie to Stretch

Introduction:
After having done a dist-upgrade from Jessie to Stretch, OpenDKIM didn’t start any more.
After some research I found the answer which worked for me on this site:
https://serverfault.com/questions/847435/cant-change-opendkim-socket-in-debian-stretch-in-etc-default-opendkim

INFO:
I’m using the ‘inet’ socket for the communication between Postfix and OpenDKIM, on port 12345.
eg. my OpenDKIM config in Postfix:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

Solution found in the above web site:
/lib/opendkim/opendkim.service.generate
systemctl daemon-reload
service opendkim restart

Note: There are other solutions, for those who use other kinds of sockets for the communication between Postfix and OpenDKIM, on the same site.

Solution: Regenerate the proper

02 Sep 17 Transferring IMAP account mails and folders to another IMAP account on another server

Introduction:
The other day I was asked to install a completely new email server and transfer all the email accounts from the old mail server to the new one. Since the new mail server was using a different mailbox (INBOX) format, I had to do some research and found this really good tool that does exactly what I needed, called imapsync.

Installing the tool:
This tool is programmed in Perl and is not free. It can be bought at http://imapsync.lamiral.info/.
Note: It does a great job and it’s really worth its price when you think of the time and hassle saved by using it.

Using the tool:
Example 1: Copying all the mails in folder INBOX from jim account on localhost to another server with the same credentials:
– First we do a dry run to see what will be transferred when it is run normally:

imapsync --dry \
--host1 localhost --user1 jim --password1 'secret1' --folder INBOX --tls2 \
--host2 mail.myserver2.com --user2 jim --password2 'secret1' --nofoldersizes --nofoldersizesatend

Example 2: Copying all the mails and folders (no dry run) from account martin@myserver1.com on localhost to a new account on another server with different credentials:
imapsync \
--host1 localhost --user1 martin@myserver1.com --password1 secret1 \
--host2 mail.myserver2.com --user2 martin@myserver2.com --password2 secret2

16 May 17 Hardening the SSL security in Apache, Dovecot and Postfix

Introduction:

After getting a report from OpenVAS that the SSL security level of my mail server was medium, I looked for ways to improve it.
I found very good sites which helped me make these improvements:
https://weakdh.org/sysadmin.html
https://wiki.dovecot.org/SSL/DovecotConfiguration
https://bettercrypto.org/static/applied-crypto-hardening.pdf
Based on these sites, and extending them to cover the Dovecot mail service, here is the result:

Hardening Apache:

In /etc/apache2/mods-available/ssl.conf
Change the following parameters as follows:
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DH+3DES:!RSA+3DES
SSLHonorCipherOrder on

Hardening Dovecot:

Note: you need OpenSSL >= 1.0.0 and Dovecot >= 2.1.x, better Dovecot >= 2.2.x because of ECDHE support. Dovecot tries to use PFS by default, so besides enabling SSL almost no action is required. To see the negotiated cipher in the logs, grep for login_log_format_elements in the Dovecot configs and add %k to it,
eg:
login_log_format_elements = "user=< %u> method=%m rip=%r lip=%l mpid=%e %c %k"
Configure the allowed ciphers. Server-side enforcement of the cipher order works only for Dovecot >= 2.2.6.
In /etc/dovecot/conf.d/ssl.conf
Change some parameters as follows:
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
#only for dovecot >=2.2.6, enforce the server cipher preference
ssl_prefer_server_ciphers = yes
#disable SSLv2 and SSLv3
ssl_protocols = !SSLv2 !SSLv3

Add the following parameter:
ssl_dh_parameters_length = 2048
Delete the file /var/lib/dovecot/ssl-parameters.dat
and restart Dovecot service:
service dovecot restart
Dovecot, seeing that the Diffie-Hellman parameters are set to be 2048 bits long and that the file has just been deleted, will regenerate a new one in the background.

Hardening Postfix

In /etc/postfix/main.cf
Change or add the following configuration parameters:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file=/etc/ssl/dh2048.pem

Generate a new Diffie Hellman parameters file as follows:
openssl dhparam -out /etc/ssl/dh2048.pem 2048
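Added example (my own code, not from the referenced sites): the three cipher strings above, copied verbatim, are expanded by the OpenSSL that the local Python links against, so you can see which suites each one really enables and whether anything the hardening is meant to exclude (RC4, DES/3DES, NULL, export, MD5, anonymous DH) survives. Run it on the mail server itself, since the answer depends on the installed OpenSSL version. Suites with static RSA key exchange (no forward secrecy, the weakdh.org point) are listed separately, because the Apache and Postfix strings deliberately keep some as a last resort while the Dovecot string does not.

```python
import ssl

# The three cipher strings from the configuration snippets above, copied verbatim
APACHE_SSLCIPHERSUITE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:"
    "AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DH+3DES:!RSA+3DES"
)
DOVECOT_SSL_CIPHER_LIST = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
)
POSTFIX_TLS_HIGH_CIPHERLIST = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:"
    "+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:"
    "!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
)

# Substrings of cipher names that the hardening is meant to rule out entirely
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def expand_cipher_string(spec):
    """Resolve a cipher string with the local OpenSSL, in preference order.

    Returns the list of dicts from SSLContext.get_ciphers() (name, protocol,
    kea = key exchange, auth, ...). Raises ssl.SSLError if the string selects
    nothing at all, which is how a typo in the string would show up."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def weak_ciphers(spec):
    """Names of enabled suites that still carry one of the weak markers."""
    return [c["name"] for c in expand_cipher_string(spec)
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


def non_pfs_ciphers(spec):
    """Enabled suites using static RSA key exchange, i.e. without forward secrecy."""
    return [c["name"] for c in expand_cipher_string(spec) if c["kea"] == "kx-rsa"]


def report(label, spec):
    """Human-readable summary for one configuration; returns the enabled names."""
    names = [c["name"] for c in expand_cipher_string(spec)]
    print("%s: %d suites, first is %s" % (label, len(names), names[0]))
    print("  weak survivors : %s" % (weak_ciphers(spec) or "none"))
    print("  no PFS         : %s" % (non_pfs_ciphers(spec) or "none"))
    return names


if __name__ == "__main__":
    report("Apache SSLCipherSuite", APACHE_SSLCIPHERSUITE)
    report("Dovecot ssl_cipher_list", DOVECOT_SSL_CIPHER_LIST)
    report("Postfix tls_high_cipherlist", POSTFIX_TLS_HIGH_CIPHERLIST)
```

The Dovecot string looks alarming because it names EECDH+aRSA+RC4 explicitly, but the trailing !RC4 removes RC4 permanently, which the expansion confirms; the same holds for DES-CBC3-SHA in the Apache string and the !RSA+3DES at its end. On OpenSSL 1.1.1 and later the TLS 1.3 suites appear in every expansion regardless of the string, since they are configured separately.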

24 Feb 17 Whitelisting Hosts in Postfix/Amavis

Introduction:
I have an email server with very strong spam filtering, and every now and then it flags the emails that I send from our own networks as SPAM.
In order to bypass the SPAM scanner for those networks without bypassing the virus scanning of Amavis, I found these instructions on the Internet at:
http://verchick.com/mecham/public_html/spam/bypassing.html#1

Allow clients on my internal network to bypass scanning by using the ‘MYNETS’ policy bank. You can use the built-in ‘MYNETS’ policy bank for clients included in $mynetworks. Let’s assume you allow all (or most) clients on your internal network to send outbound mail through your spam filter.
The IP addresses of these clients are included in Postfix’s $mynetworks in main.cf:
mynetworks = 127.0.0.0/8 !192.168.1.1 192.168.1.0/24
In /etc/amavis/conf.d/50-user, @mynetworks determines which clients will use the ‘MYNETS’ policy bank:
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  !192.168.1.1 192.168.1.0/24 );

And you would configure the ‘MYNETS’ policy bank as desired, also in /etc/amavis/conf.d/50-user:
$policy_bank{'MYNETS'} = {  # clients in @mynetworks
  bypass_spam_checks_maps   => [1],  # don't spam-check internal mail
  bypass_banned_checks_maps => [1],  # don't banned-check internal mail
  bypass_header_checks_maps => [1],  # don't header-check internal mail
};
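An added example (my own code, not Amavis’s or Postfix’s) of how the ACL above is evaluated, using the documented first-match rule of Postfix mynetworks and Amavis IP ACLs: the order of !192.168.1.1 and 192.168.1.0/24 decides whether 192.168.1.1 is excluded from MYNETS, and IPv4 entries never match IPv6 clients. The client addresses tried at the bottom are constructed.

```python
import ipaddress

# The client ACL from the post; Postfix $mynetworks and Amavis @mynetworks share this shape
MYNETWORKS = ["127.0.0.0/8", "[::1]", "[FE80::]/10", "[FEC0::]/10",
              "!192.168.1.1", "192.168.1.0/24"]


def parse_acl(entries):
    """Turn '!'-prefixed and [bracketed] entries into (match_means_inside, network) rules."""
    rules = []
    for entry in entries:
        inside = not entry.startswith("!")
        spec = entry.lstrip("!").replace("[", "").replace("]", "")
        # strict=False tolerates host bits set in a prefix such as FE80::1/10
        rules.append((inside, ipaddress.ip_network(spec, strict=False)))
    return rules


def client_in_mynetworks(client_ip, entries=MYNETWORKS):
    """First matching entry wins, as documented for Postfix mynetworks and Amavis IP ACLs.

    A matching '!' entry answers "no"; no match at all also answers "no"."""
    ip = ipaddress.ip_address(client_ip)
    for inside, net in parse_acl(entries):
        if ip.version == net.version and ip in net:
            return inside
    return False


def policy_bank_for(client_ip, entries=MYNETWORKS):
    """Policy bank the client lands in: MYNETS (checks bypassed) or the default bank."""
    return "MYNETS" if client_in_mynetworks(client_ip, entries) else "default"


if __name__ == "__main__":
    for client in ("127.0.0.1", "192.168.1.50", "192.168.1.1", "10.0.0.5", "fe80::1", "2001:db8::1"):
        print("%-14s -> %s" % (client, policy_bank_for(client)))
    # Same entries, exclusion listed after the block it should carve out: it no longer applies
    print("reordered 192.168.1.1 ->",
          policy_bank_for("192.168.1.1", ["192.168.1.0/24", "!192.168.1.1"]))
```

Keep the two lists in main.cf and 50-user identical, including the order of the ! entries; a client that Postfix treats as trusted but Amavis does not (or the reverse) is exactly the kind of mismatch this check makes visible.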

When using the ‘MYNETS’ policy bank, you must use *_send_xforward_command in master.cf, which enables forwarding of the client’s IP address to amavisd-new (the -o continuation lines in master.cf must start with whitespace):
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

(or)
lmtp-amavis unix -       -       n       -       2       lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20