Some useful commands when working with a postfix mailqueue:
- “postsuper -r ALL”. Requeues all messages.
- “postcat [file]”. Views queue files in /var/spool/bla.
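- “postqueue”. Deals with the queue.
To delete all queued messages whose only recipient is person@example.com:
mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" }
    # $7 = sender, $8 = first recipient, $9 = second recipient
    { if ($8 == "person@example.com" && $9 == "") print $1 }
' | tr -d '*!' | postsuper -d -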
I believe there were more, but I can’t remember them. Wish I had blogged earlier…
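A dry run of the deletion pipeline above, as an added example that is not from the original post: `select_queue_ids` (a hypothetical helper) takes the recipient as a parameter and prints the queue IDs the filter selects, here against constructed mailq output, so the selection can be checked before it is piped to `postsuper -d -`.

```shell
#!/bin/sh
# Added example: preview which queue IDs the mailq/awk filter selects.
# select_queue_ids and sample_mailq are hypothetical helper names.

# Constructed mailq output (IDs, addresses and hosts are made up).
sample_mailq() {
cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    1234 Mon Jan  5 10:00:01  sender@example.org
                                         person@example.com

F6E5D4C3B2      987 Mon Jan  5 10:02:13  sender@example.org
(connect to mx.example.com[192.0.2.10]:25: Connection timed out)
                                         person@example.com
                                         other@example.net

0F1E2D3C4B!     555 Mon Jan  5 10:05:40  MAILER-DAEMON
                                         person@example.com

9A8B7C6D5E      321 Mon Jan  5 10:07:02  sender@example.org
                                         someone@example.net

-- 3 Kbytes in 4 Requests.
EOF
}

# Read mailq-format text on stdin; print the IDs of messages whose ONLY
# recipient is $1. Same filter as the one-liner, with the address passed in.
select_queue_ids() {
    tail -n +2 |                 # drop the column header
    grep -v '^ *(' |             # drop "(delivery problem)" lines
    awk -v rcpt="$1" 'BEGIN { RS = "" }
        # $7 = sender, $8 = first recipient, $9 = second recipient
        { if ($8 == rcpt && $9 == "") print $1 }' |
    tr -d '*!'                   # strip active (*) and hold (!) markers
}

# Preview only; nothing is deleted here.
sample_mailq | select_queue_ids person@example.com
```

The message with two recipients is left out because `$9` is not empty, which is the property to confirm before deleting anything.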
Sometimes you want to take a site offline for a while. You can put this in .htaccess or the vhost config:
ErrorDocument 503 "We are performing maintenance on the site. Check back in a few minutes."
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !=1.2.3.4
RewriteRule .* - [R=503,L]
When using .htaccess, be sure to have AllowOverride All.
Or when using HTML files and images:
<VirtualHost *>
    ServerAdmin webmaster@ytec.nl
    ServerName www.example.nl
    DocumentRoot /var/www/down/
    ErrorDocument 503 /maintenance.html
    RewriteEngine On
    RewriteCond %{REQUEST_URI} =/maintenance.html [OR]
    RewriteCond %{REQUEST_URI} =/logo.jpg
    RewriteRule (.*) $1 [L]
    RewriteRule .* - [R=503,L]
</VirtualHost>
I used this document as main source. This blogpost is also useful.
First install libsasl2 and configure it. Enable it in /etc/default/sasl.
Then create the SASL config file in /etc/postfix/sasl, containing:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Then configure the SSL parameters in Postfix (the following is deprecated; see the aforementioned official Postfix docs for the recommended way):
# According to official docs, this should be in one pem file.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# This should be smtpd_tls_security_level = may, because smtpd_use_tls is deprecated.
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
# I don't know if this one is also needed.
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections.
smtpd_tls_auth_only=yes
Then enable the three smtps lines in master.cf:
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
Then you need to do some hacking to get the jailed postfix to access /var/run/saslauthd:
rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
# Add user postfix to group sasl
adduser postfix sasl
Then you should be good to go. Start all daemons.
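A check for the two points the comments in the Postfix TLS settings above raise, as an added example that is not from the original post: `lint_main_cf` (a hypothetical helper) reads `name = value` lines as `postconf -n` prints them, reports the deprecated TLS booleans with their `*_tls_security_level` replacement, and flags optional TLS without `smtpd_tls_auth_only = yes`. The sample input is constructed.

```shell
#!/bin/sh
# Added example: lint Postfix settings for the two TLS points noted above.
# lint_main_cf and sample_main_cf are hypothetical helper names.

# Constructed input, one "name = value" per line as `postconf -n` prints it.
sample_main_cf() {
cat <<'EOF'
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_auth_only = no
EOF
}

# Read settings on stdin; print one finding per line, nothing when clean.
lint_main_cf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments, blank lines
        {
            i = index($0, "=")                   # split at the first "="
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            conf[k] = v
        }
        END {
            # Deprecated booleans and their Postfix 2.3+ replacements.
            repl["smtpd_use_tls"]     = "smtpd_tls_security_level = may"
            repl["smtpd_enforce_tls"] = "smtpd_tls_security_level = encrypt"
            repl["smtp_use_tls"]      = "smtp_tls_security_level = may"
            repl["smtp_enforce_tls"]  = "smtp_tls_security_level = encrypt"
            for (k in repl)
                if (conf[k] == "yes")
                    print "DEPRECATED " k " -> " repl[k]
            # TLS is optional with level "may" or the old smtpd_use_tls=yes.
            level = conf["smtpd_tls_security_level"]
            optional = (level == "may") ||
                       (level == "" && conf["smtpd_use_tls"] == "yes")
            if (optional && conf["smtpd_tls_auth_only"] != "yes")
                print "WEAK smtpd_tls_auth_only is not yes while TLS is optional"
        }' | sort
}

sample_main_cf | lint_main_cf
```

On a live system the input would be `postconf -n | lint_main_cf`; settings overridden per service with `-o` in master.cf are not seen by this check.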
To put “on [date] x wrote” instead of “x wrote” above a quote, set the mailnews.reply_header_type param to 2.
By default, you can’t use prints in a django app, because mod_wsgi restricts that. You can change that by putting this in your configuration:
WSGIRestrictStdout Off
To change a virtual host in apache to ssl:
#Redirect all normal traffic to the https site.
<VirtualHost *:80>
    RewriteEngine on
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
</VirtualHost>

# This virtual host was *:80 first
<VirtualHost *:443>
    DocumentRoot /bla
    # If I don't specify this, nagios's check_ssl_cert doesn't work.
    ServerName www.joho.com
    # These lines were added to make it SSL
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    # if you have an official certificate, also add some of these:
    SSLCertificateChainFile /etc/ssl/certs/bla
    <Directory /bla>
        Order allow,deny
        Allow from all
        AllowOverride None
        Options -MultiViews FollowSymlinks Indexes
    </Directory>
</VirtualHost>
When a site is available under multiple domains, it is usually a bad idea not to have them all redirect to one domain. In Apache, do this:
RewriteEngine On
RewriteCond %{HTTP_HOST} !=www.domain.com
RewriteRule ^(.*)$ http://www.domain.com$1 [L,R=permanent]
I don’t really trust the security of RDP, so I’d like to take some extra security measures. I found this article explaining a lot.
First put users in the remote desktop group. You can do this by right-clicking on My Computer, or through the conventional manager.
Administrators are always allowed access and you may want to disable this. To do that, click Start – Programs – Administrative Tools (%SystemRoot%\system32\secpol.msc /s), then Local Security Policy. With “Allow logon through Terminal Services” you can define the groups that can log on with RDP. Remote Administrators if you want.
Now you want to have some kind of automatic block after a certain number of failed attempts. In the same policy editor, go to “Account Policies – Account Lockout Policy”. Set the threshold to something useful, with useful values. I prefer not to use indefinite timeouts, to keep legitimate people from being blocked forever.
Next you want to change the encryption level. You can do this by running “%SystemRoot%\system32\gpedit.msc /s”, going to Administrative Templates – Windows Components – Terminal Services. From there it depends on the Windows version, but look for security and change:
- Set client connection encryption level. Enabled, to high.
- Always prompt client for password upon connection. Enabled.
- Require Secure RPC Communication. Enabled.
Unfortunately, forcing SSL is incompatible with the Linux rdesktop client.
You may need to run gpupdate (source).
To create a self-signed certificate for courier-imap:
openssl req -new -x509 -days 3650 -nodes -out imapd.pem -keyout imapd.pem
This will create a pem file with key and certificate in it. When asked for the common-name, enter the FQDN.
Don’t forget to specify the maildir path correctly in the imapd-ssl config file, as well as some other config parameters that are duplicated for imapd-ssl.