MAC OS X, Linux, Windows and other IT Tips and Tricks

02 Sep 17 Transferring IMAP account mails and folders to another IMAP account on another server

The other day I was asked to install a completely new email server and transfer all the email accounts from the old mail server to the new one. I noticed that since the new mail server was using a different mail INBOX format I had to do some research and found this really good tool to do exactly what I needed called: imapsync

Installing the tool:
This tool programmed in Perl and is not free. It can be bought at
Note: It does a great job and it’s really worth its price when you think of the time and hassle saved by using it.

Using the tool:
Example 1: Copying all the mails in folder INBOX from jim account on localhost to another server with the same credentials:
– First we do a dry-run to see what will be transferred when I run it normally:

imapsync --dry \
--host1 localhost --user1 jim --password1 'secret1' --folder INBOX --tls2 \
--host2 --user2 jim --password2 'secret1' --nofoldersizes --nofoldersizesatend

Example 2: Copying all the mails and folders(no dry-run) from account on localhost to a new account on another server with different credentials:
imapsync \
--host1 localhost --user1 --password1 secret1 \
--host2 --user2 --password2 secret2

16 May 17 Hardening the SSL security in Apache, Dovecot and Postfix


After having gotten a report from OpenVAS that my SSL security level of the mail server were medium, I looked for ways to improve this.
I found very good sites which helps me making these improvements:
Based on this site and extending to cover dovecot mail service here is the result:

Hardening Apache:

In /etc/apache2/mods-available/ssl.conf
Change the following parameters as follows:
SSLHonorCipherOrder on

Hardening Dovecot:

Note: you should have openssl >=1.0.0 dovecot >=2.1.x required, better dovecot >=2.2.x because of ECDHE support Dovecot tryies to use PFS by default, so besides the enabled SSL almost no actions are required change the log settings to see the cipher, grep for a login_log_format_elements in dovecot configs and add %k to it
login_log_format_elements = "user=< %u> method=%m rip=%r lip=%l mpid=%e %c %k"
Configure the allowed ciphers. Server side enforcement works only for dovecot >=2.2.6
In /etc/dovecot/conf.d/ssl.conf
Change some parameters as follows:
#only for dovecot >=2.2.6, enforce the server cipher preference
ssl_prefer_server_ciphers = yes
#disable SSLv2 and SSLv3
ssl_protocols = !SSLv2 !SSLv3

Add the following parameter:
ssl_dh_parameters_length = 2048
Delete the file /var/lib/dovecot/ssl-parameters.dat
and restart Dovecot service:
service dovecot restart
Dovecote seeing that the Diffie Hellman parameters are assigned to be 2048 bits long and that its file is just been deleted, will regenerate a new one in the background.

Hardening Postfix

In /etc/postfix/
Change or add the following configuration parameters:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

Generate a new Diffie Hellman parameters file as follows:
openssl dhparam -out /etc/ssl/dh2048.pem 2048

24 Feb 17 Whitelisting Hosts in Postfix/Amavis

I have an email server with very strong spam filtering and every now and then it does see the emails that I send from our own networks as SPAM.
In order to bypass the SPAM scanner for those networks without bypassing the virus scanning of Amavis I found these instructions in Internet at:

Allow clients on my internal network to bypass scanning by using the ‘MYNETS’ policy bank. You can use the built in ‘MYNETS’ policy bank to allow clients included in $mynetworks. Let’s assume you allow all (or most) clients on your internal network to send outbound mail through your spamfilter.
The IP addresses of these clients are included in Postfix’ $mynetworks in
mynetworks = !
In /etc/amavis/conf.d/50-user @mynetworks determines which clients will use the ‘MYNETS’ policy bank:
@mynetworks = qw( [::1] [FE80::]/10 [FEC0::]/10
! );

And you would configure the ‘MYNETS’ policy bank as desired:
Also added to /etc/amavis/conf.d/50-user
$policy_bank{'MYNETS'} = { # clients in @mynetworks
bypass_spam_checks_maps => [1], # don't spam-check internal mail
bypass_banned_checks_maps => [1], # don't banned-check internal mail
bypass_header_checks_maps => [1], # don't header-check internal mail

When using the “MYNETS’ policy bank, you must use *_send_xforward_command in which enables forwarding of the client’s IP address to amavisd-new.:
smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20

lmtp-amavis unix - - n - 2 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20

31 Mar 16 Fixing Spamassassin in Debian Jessie(8)

For a long time under Debian Wheezy Spamassassin was running quite well until I upgraded the system to Jessie. That is when Spamassassin(spamd) started to crash every now and then without giving much reasons why.

Cause of error message:
Looking in the system logs(/var/log/syslog) I found the following error:
spamd[7490]: util: refusing to untaint suspicious path: "/${SAHOME}"
I’m not sure if this is the cause of the crashes but it certainly doesn’t help. So I figured I should first try to solve this error first. According to this site since the Spamassassin is now started via ‘systemd’ the variables set in the init config file (/etc/default/spamassassin) are not expanded and they are passed on ‘as-is’ on the command line for starting spamd process. eg.
OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir ${SAHOME}"

Since this file will not be overwritten during updates the suggestion was to write the value of this variable directly in the OPTIONS line in (/etc/default/spamassassin) as follows:
OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir /var/lib/spamassassin/"
Now at least this error doesn’t occur any more and time will tell if the crashes of spamd are still happening.

10 Dec 15 Creating a web certificate CSR file.

The process of buying an SSL certificate for a web site is usually as follows:
– You create a secret key and CSR files using the method showm in this post.
– You cut and paste the content of the CSR file into a field in a SSL Vendor web site
– The SSL vendor produces a certificate based on the CSR you provided and send it to you.
– You download the CA Certificate from the SSL provider’s site
– You install the private keyfile, the CA certificate and the certificate in the web server and bobs’s-your-uncle.

The following procdeure is an extract from the site:—openssl
Generate a CSR & Private Key:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key

Fill out the following fields as prompted:
Note: The following characters can not be accepted: <> ~ ! @ # $ % ^ * / \ ( ) ?.,&

Field Example
============ ==========================================
Country Name US (2 Letter Code)
State or Province New Hampshire (Full State Name)
Locality Portsmouth (Full City name)
Organization GMO GlobalSign Inc (Entity's Legal Name)
Organizational Unit Support (Optional, e.g. a department)
Common Name (Domain or Entity name

03 Aug 15 Groupoffice: No modules available

Once in a while right after I logged in Group Office I get the error message:
No modules available.

Here is a URI that refreshes the cache: