Smokes your problems, coughs fresh air.

Author: halfgaar (Page 15 of 26)

Halfgaar is Wiebe. Wiebe is a contributing author on this weblog. He also has a lot of stuff (such as long, in-depth articles) on his personal website.

Wiebe's day job is as a senior software developer and system administrator at YTEC.

In his free time, he built the free, open-source FlashMQ software. Together with Jeroen and Rowan, he is now building a managed MQTT hosting business around his open masterpiece.

Working with a postfix mail queue

Some useful commands when working with a postfix mailqueue:

  • “postsuper -r ALL”. Requeues all messages.
  • “postcat [file]”. Views queue files in /var/spool/bla.
  • “postqueue”. Deal with queue.
This one is to remove all messages with a certain recipient:
mailq | tail -n +2 | grep -v '^ *(' | awk  'BEGIN { RS = "" }  { if ($8 == "person@example.com" && $9 == "") print $1 } ' | tr -d '*!' | postsuper -d -

I believe there were more, but I can’t remember them. Wish I had blogged earlier…

Rewrite rules to redirect to a temporary offline page

Sometimes you want to take a site offline for a while. You can put this in .htaccess or the vhost config:

ErrorDocument 503 "We are performing maintenance on the site. Check back in a few minutes."
RewriteCond %{REMOTE_ADDR} !=1.2.3.4
RewriteEngine On
RewriteRule .* - [R=503,L]

When using .htaccess, be sure to have AllowOverride All.

Or when using HTML files and images:

<VirtualHost *>
  ServerAdmin webmaster@ytec.nl
  ServerName www.example.nl
 
  DocumentRoot /var/www/down/
 
  ErrorDocument 503 /maintenance.html
 
  RewriteCond %{REQUEST_URI} =/maintenance.html [OR]
  RewriteCond %{REQUEST_URI} =/logo.jpg
  RewriteRule (.*) $1 [L]
 
  RewriteEngine On
  RewriteRule .* - [R=503,L]
</VirtualHost>

Enabling authentication and SSL for Postfix on Debian

I used this document as main source. This blogpost is also useful.

First install libsasl2 and configure it. Enable it in /etc/default/sasl.

First make the sasl config file in /etc/postfix/sasl which says:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Then configure the ssl paramters in postfix (the following is deprecated. See aforementioned official postfix docs for good way):

# According to official docs, this should be in one pem file.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# This should be smtp_tls_security_level = may, because use_tls is deprecated.
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
# I don't know if this one is also needed.
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections. 
smtpd_tls_auth_only=yes

Then enable the three smtps lines in master.cf:

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Then you need to do some hacking to get the jailed postfix to access /var/run/saslauthd:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
# Add user postfix to group sasl
adduser postfix sasl

Then you should be good to go. Start all daemons.

Changing an apache virtual host to ssl

To change a virtual host in apache to ssl:

#Redirect all normal traffic to the https site.
<VirtualHost *:80>
  RewriteEngine on
  RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
</VirtualHost>
 
# This virtual host was *:80 first
<VirtualHost *:443>
   DocumentRoot /bla
   # If I don't specify this, nagios's check_ssl_cert doesn't work.
   ServerName www.joho.com
 
   # These lines were added to make it SSL
   SSLEngine on
   SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
   SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
   # if you have an official certificate, also add some of these:
   SSLCertificateChainFile /etc/ssl/certs/bla
 
   <Directory /bla>
      Order allow,deny
      Allow from all
      AllowOverride None
      Options -MultiViews FollowSymlinks Indexes
   </Directory>
 
</VirtualHost>

Redirect multiple domains to one

When a site is available under multiple domains, it is usually bad idea to not have them all redirect to one domain. In apache, do this:

RewriteEngine On
RewriteCond %{HTTP_HOST}   !=www.domain.com
RewriteRule ^(.*)$         http://www.domain.com$1 [L,R=permanent] 

Making Windows RDP more secure

I don’t really trust the security of RDP, so therefore I’d like to take some extra security measures. I found this article explaining a lot.

First put users in the remote desktop group. You can do this by right clicking on my computer, or through the conventional manager.

Administrators are always allowed access and you may want to disable this. To do that, click Start – Programs – Administrative Tools (%SystemRoot%\system32\secpol.msc /s), then Local Security Policy. With “Allow logon through Terminal Services” you can define the groups that can logon with RDP. Remote Administrators if you want.

Now you want to have some kind of automatic block after a certain number of failed attempts. In the same policy editor, go to “Account Policies – Account Lockout Policy”. Set the threshold to something useful, with useful values. I prefer not to use indefinate timeouts, to avoid legitimate people from being blocked forever.

Next you want to change the encryption level. You can do this by running “%SystemRoot%\system32\gpedit.msc /s”, going to Administrative Templates – Windows Components – Terminal Services. From there it depends on the windows version, but look for security and change:

  • Set client connection encryption level. Enabled, to high.
  • Always prompt client for password upon connection. Enabled.
  • Require Secure RPC Communication. Enabled.

Unfortunately, forcing SSL is incompatible with the linux rdesktop client.

You may need to run gpupdate (source).

Generating key and certificate for courier-imap

To create a self-signed certificate for courier-imap:

openssl req -new -x509 -days 3650 -nodes -out imapd.pem -keyout imapd.pem

This will create a pem file with key and certificate in it. When asked for the common-name, enter the FQDN.

Don’t forget to specify the maildir path correctly in the imapd-ssl config file, as well as some other config parameters that are duplicated for imapd-ssl.

source.

« Older posts Newer posts »

© 2024 BigSmoke

Theme by Anders NorenUp ↑