Mail Server - Part 4: Postfix 3

Part 1: Configuration file

This is the third part of the process of creating the mail server on CentOS 7 and the first part of the Postfix configuration. If you arrived here by accident, you had better first read one of the posts below:

Part 1: Installation of packages

Part 2: Configuring MariaDB

Part 3: Dovecot configuration

Postfix is the most important part of our mail server. It is responsible for talking to other MTAs so that you can receive and send e-mail messages, and for it to be reachable it must be identifiable by the server name, your hostname.

Mail Server - Part 3: Dovecot

This is the third part of the process of creating the mail server on CentOS 7. If you arrived here by accident, you should first read the previous posts:

Part 1: Installation of packages

Part 2: Configuring MariaDB

Dovecot is an MDA (Mail Delivery Agent), that is, an agent that transports messages from Postfix to the virtual mailboxes. In this section we will configure the Dovecot installation to force users to use SSL when they connect, so that passwords are never sent in plain text.

I always like to keep the original copies of any configuration file in case I get lost while changing settings. I can say that this step is not needed if you are following this tutorial from the beginning; however, if you already have a previous configuration and are just improving it, I strongly suggest you make copies of your files.

In our case the configuration files are in /etc/dovecot/conf.d/. We can then make copies with the command:

Creating user

Dovecot will store messages (and all their content) in a directory defined in the configuration file, and for it to be able to do so it must run under a user with the appropriate permissions. The following commands create this user and group. I will use common names for them, which makes it easy enough to search the internet for solutions to problems.

Editing configuration files

The first thing we configure is authentication. Since we use a table in the MariaDB database to store users and passwords, we point to it in two files. The first sets the authentication type and the second how Dovecot will validate the authentication.

Edit the file /etc/dovecot/conf.d/10-auth.conf and uncomment (or add) the lines below:

Afterwards, edit the file /etc/dovecot/conf.d/auth-sql.conf.ext so that it has the following lines:

ATTENTION: the last few lines differ slightly from the original comment regarding the home argument.

We must also set up the connection data for MariaDB in the file /etc/dovecot/dovecot-sql.conf.ext. This file is not created at installation, so we create it.

NOTE: use the same data as in the step where the database was set up in MariaDB.

We will make several changes to Dovecot's main configuration file, which is the 10-master file. The number in front of the file name indicates the load order (priority). You can use any editor of your choice. I like Vim because I am used to its commands, but nothing prevents you from using nano, for example.

To improve the security of the server and reduce attacks we will disable unencrypted access. For this it is sufficient to assign port 0 to the imap and pop3 services; only imaps and pop3s remain available. You will need an SSL key, which we will create later on.
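As an added example (not code from the original post), a small shell audit of the listener settings this step describes: it parses a constructed 10-master.conf fragment and confirms that the plaintext imap and pop3 listeners are on port 0 while imaps and pop3s keep 993 and 995. The temporary directory and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: audits a Dovecot
# 10-master.conf for the hardening described above (plaintext imap and
# pop3 listeners on port 0, imaps/pop3s kept). The sample file is
# constructed here; on a real server use /etc/dovecot/conf.d/10-master.conf.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed fragment with the listener settings the post describes.
cat > "$TMP/10-master.conf" <<'EOF'
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
EOF

# listener_port FILE NAME: prints the port of inet_listener NAME
# (empty output if the listener block or its port line is absent).
listener_port() {
  awk -v name="$2" '
    $1 == "inet_listener" && $2 == name { inside = 1; next }
    inside && $1 == "port" { print $3; exit }
    inside && $1 == "}"    { exit }
  ' "$1"
}

# plaintext_disabled FILE: succeeds only when both imap and pop3 are on port 0.
plaintext_disabled() {
  [ "$(listener_port "$1" imap)" = "0" ] && [ "$(listener_port "$1" pop3)" = "0" ]
}

# Stand-alone run: report the result for the constructed file.
plaintext_disabled "$TMP/10-master.conf" && echo "OK: plaintext imap/pop3 listeners disabled"
```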

Change also the following settings:

SSL Certificate

So that we can use the cryptographic services needed both for user authentication when accessing an account and to ensure that postfixadmin and roundcube run over secure connections, we create valid SSL keys. At this point we will do the configuration with the self-signed key that is created during the Dovecot installation. This key cannot be used to validate a secure browser connection. Later we will change this setting to use an SSL key obtained via Certbot (Let's Encrypt) together with Nginx and DNS settings.

If you are following the steps of this tutorial, you do not need to change anything in the file /etc/dovecot/conf.d/10-ssl.conf, which should contain the following lines

If the files do not exist, or to recreate them (which must be done if you have changed the hostname, for example), do the following:

Edit the file /etc/pki/dovecot/dovecot-openssl.cnf and change the entries according to your own information.

After you have changed the file, if the files /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem already exist, delete them and then run the script

The output of the script should be something like this:

Another encryption-related setting, still in the file /etc/dovecot/conf.d/10-ssl.conf, is the optional attribute ssl_dh. Add or uncomment the line:

and run the following command to generate the .pem file:

Running the above command usually takes a long time, sometimes close to an hour. You can also use the command below to generate the same file more quickly.

Log file

By default Dovecot uses the CentOS syslog mechanism, which usually sends the information to the file /var/log/messages. Since later I will show you how to block several kinds of attack attempts, one of which involves the fail2ban script, which works by analysing logs, it is best to define a dedicated file so that we do not have to monitor a log file that changes constantly.

To define a dedicated log file, open the Dovecot logging configuration /etc/dovecot/conf.d/10-logging and change or add the following lines.

Save the file and restart the service

Make sure the file /var/log/dovecot.log has been created and contains information indicating that the service is operating normally.

Firewall rules

If you are following this tutorial from the start on a default installation, it is possible that the connection ports are closed to the outside world. The commands below open the imaps (993) and pop3s (995) ports so that an e-mail client such as Outlook or Gmail can connect. Even if they are already open, later in another post I will show you a list of firewall rules to improve security.

First make sure that the firewalld service is running. If it is stopped, all ports that have a listening service are probably open.

Check the State line, which reads either active (running) or inactive (dead). If it is inactive, there is no need to continue. If it is active, we list which ports are open externally.

In the example above, only dhcpv6-client and ssh are allowed. We then add the ports required to receive and send e-mail externally.

As you can see in the example, we add the imaps and pop3s services, which are listened on by the Dovecot service. Later we will also add the smtp and submission ports, which will be listened on by Postfix (master). Note that I do not open the insecure imap and pop3 ports because I want to force the use of SSL/TLS.

To make sure the ports are open you can also try telnet to ports 993 and 995 from another system on the same network and verify that the file /var/log/dovecot.log shows the attempts. If you are not in a position to test this way at the moment, check the output of the command below:

And that's all for now. Next we configure Postfix 3.

Correcting the "modules not loaded" error on CentOS 6.x

A common problem after upgrading a kernel via yum on CentOS is that the new kernel modules are not created.
An example of this error happens when you try to use grep, as in the screenshot below.

This indicates that the directory 2.6.32-042stab123.9 does not exist and therefore none of the modules in it can be loaded.

To correct this problem, the simplest way is this recipe:

This will create the directory and the module dependencies for the kernel currently in use (uname -r).

If the problem is not resolved with the above commands, try reinstalling the kernel via yum with the commands below.

And then try the commands listed earlier.

I hope you find it as useful as it was for me.

How to clear deferred messages from Postfix Queue

Today I was watching the Postfix log file (on CentOS 6.x the default is /var/log/maillog) and saw a lot of messages being deferred.

and these messages kept repeating from time to time.

How to fix the date/time on CentOS 6.x for your timezone, including in log files

Today I came across a problem when using Fail2ban, which helps me so much to keep my server online even under brute-force attack.

One of my filters was not blocking the repeated attempts to authenticate against one of my services, although it looked fine. I decided to increase the findtime in the common configuration and it began to block.

So it was time to understand why, with a lower findtime, it could not block. I began to check the settings in detail and realised that even though I had changed the time to my timezone, the official Brasília time, the logs continued to display the time in UTC. I suspected this could be the cause and decided to change the time that is written to the logs (/var/log/messages).

After the change, and after confirming that the logs were using the same time as reported by date, I changed the findtime to the values I wanted and everything worked as expected.

Here is the recipe to change the time zone.

Timezone information is in the file /etc/localtime; if it is not the one you want, simply replace it with the one you want from /usr/share/zoneinfo/. In my case, since I wanted Brasília time, I used /usr/share/zoneinfo/America/Sao_Paulo.

Now just run the date command and check that the output looks something like:

Even after these changes, the logs will still carry the time the old way. To change this, edit the file /etc/sysconfig/clock and add the following lines so that it also reflects your timezone.

In my case I had to restart the server for the changes to take effect, but just restarting the rsyslog service already solves it.

See you!

How to fix the LOCALE error on Debian Linux/Ubuntu

Today I had to look at the logs of an FTP server running pure-ftp and I realised that the times were all in UTC.
As I needed to send part of the logs to a third party who uses them and is not familiar with systems, some misunderstanding could end up arising. I decided then that I should keep the logs of all applications in the Brazilian time zone.
According to the pure-ftp documentation, it uses environment variables to determine which time will be written in the logs

Mail Server - Part 1: Required packages

I have my own mail server using Postfix, Dovecot, MariaDB, SpamAssassin, ClamAV, Amavisd-new, fail2ban, nginx, postfixadmin and RoundCube under CentOS 7.
Although there are several recipes for configuring this stack, it took me many hours to figure out how to keep the service running correctly, with each setting in place, in order to reduce the flood of spam that arrives every minute.
And anti-spam is the focus of this post. I have suffered and still suffer from the constant attempts to use my services as a zombie or for spreading viruses, fraud and everything else you can imagine.

I lost count of how many times my DNS service stopped because of an excess of connection attempts that clogged the memory and forced the OS to kill processes to conserve resources, and named was chosen for being the weakest link.
So this article focuses on the proper configuration of private mail services, with a few users and few domains. Certainly much of what is in this short manual applies to world-class services, but I believe that in those cases the use of dedicated and specialised tools or services should always be considered.

Creating a PostgreSQL database with a different encoding

How to create a UTF8 database on a LATIN1 server, or a LATIN1 database on a UTF8 server?

PostgreSQL has its quirks. It does not allow the creation of databases with an encoding different from that of the template.
Today I tried to create a new database in UTF8 and came across the following:

This is because the OS locale is latin1 and PostgreSQL absorbed this setting when it was installed.
When I tried to create one in an encoding other than the default, it complained that it did not match the default template, which is template1.

How to decrease the size of VMDK virtual disks - part 3

If you want to read part 1 of this tutorial, click here.
If you want to read part 2 of this tutorial, click here.

In the previous part we cloned a disk with a single partition. In the following lines I will show you how I cloned a disk with a single primary partition and a logical one into two primary partitions and a logical one with a mount point for the swap, which originally was a file.

NOTE: I used information from this site to solve problems with the new boot disk. Do as I do, always cite your sources.

Using the information from part 1 of this tutorial as a basis, we will add a new disk to the virtual machine.

How to decrease the size of VMDK virtual disks - part 2

If you haven't read part 1, you can access it here.

Continuing the tutorial, we will now start cloning the disks. The first part of the cloning is a disk that does not contain the operating system. If you want to go straight to cloning a bootable system disk, you can skip this part and go straight to part 3.

Time to start cloning. We start the virtual machine in terminal mode (in case you have a graphical environment) and log in as root, or become root with the command su -, to be able to execute the partitioning, formatting and cloning instructions, respectively, without needing sudo for every command.

In the terminal type fdisk -l to list disks and partitions:

Note that our disks appear as /dev/sda, /dev/sdb, /dev/sdc (I marked them in red to make them more visible), followed by their size. The order (a, b, c) is the connection order on the IDE ports. As our disk was added as Secondary Slave and the CDROM is on Primary Slave (see the image in part 1), it is the third disk in the system, that is, /dev/sdc.
From now on we will partition and format the disk. Type the command fdisk /dev/sdc.

