RE: [qmailtoaster] Alma Linux 9 QMT install failure

2022-08-06 Thread CarlC Internet Services Service Desk
Henry,

 

While I think everyone appreciates the enthusiasm, considering 9 only came out 
a few months ago, Eric [the hardest working man in Qmail] is probably not ready 
for 9 just yet. Give him a while to get a working 9 version ready :) .

 

If you have to spin one up, I would go with Alma Linux 8 for now…

 

Carl

 

From: Henry [mailto:hl1...@yahoo.com.hk] 
Sent: Saturday, August 06, 2022 11:11 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Alma Linux 9 QMT install failure

 

I tried to install a new QMT on Alma Linux 9 with the script qt_install_cos9.sh, 
but it failed:

 

No match for argument: daemontools

No match for argument: ucspi-tcp

No match for argument: libsrs2

No match for argument: libsrs2-devel

No match for argument: vpopmail

Error: Unable to find a match: daemontools ucspi-tcp libsrs2 libsrs2-devel 
vpopmail

 

 

Then I checked: there is no 9 repo, only 7 & 8

 

  
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/7
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/8
 

 

 

Is the "Springdale/Rocky/Alma Linux 9 QMT" not available for install now? 
Thanks



RE: [qmailtoaster] iPhone updates / new ssl breaks connection

2022-04-27 Thread CarlC Internet Services Service Desk
Remo,

Here's mine... I run the /usr/bin/certbot renew command nightly. Then
about an hour after that, I run this [change the secure.carlc.com to
whatever URL your Letsencrypt cert is under]:

#!/bin/bash
#
# Script to copy Let's Encrypt files to the right area and restart the needed
# services.
#
# Initial concept by RCC 06/08/2018
#
# Change secure.carlc.com to the name your Let's Encrypt cert is issued for.
#
CERTDIR="/etc/letsencrypt/live/secure.carlc.com"
QMAILCERT="/var/qmail/control/servercert.pem"
# The files written below contain the private key: never create them world-readable.
umask 077
#
# Test if the letsencrypt live cert.pem file was changed in the last 24 hours...
# (live/ holds symlinks, so -L follows them to the real file; find prints the
# path only when it is OLDER than 1440 minutes)
#
if [ ! -f "$CERTDIR/cert.pem" ]; then
    echo "No cert.pem under $CERTDIR... STOP!"
    exit 1
fi
if test "$(find -L "$CERTDIR/cert.pem" -mmin +1440)"
then
    echo "Cert file is older than 1440 test minutes (24 hours)... STOP!"
    exit 0
fi
echo "Get to work, new cert file is younger than 1440 minutes (24 hours)..."
#
# Dovecot just needs a restart as it is using the /etc/letsencrypt/live
# files already
#
/usr/sbin/service dovecot restart
#
# Qmail SMTP-SSL
#
# Create a new /var/qmail/control/servercert.pem-NEW
#
# NOTE: order is critical, start with private key, then URL cert, then any
# intermediate files.
#
cat "$CERTDIR/privkey.pem" >  "$QMAILCERT-NEW"
cat "$CERTDIR/cert.pem"    >> "$QMAILCERT-NEW"
cat "$CERTDIR/chain.pem"   >> "$QMAILCERT-NEW"
#
# Swap out files, move current to OLD then NEW to current
#
mv "$QMAILCERT" "$QMAILCERT-OLD"
mv "$QMAILCERT-NEW" "$QMAILCERT"
# Owner root, group vchkpw (qmail-smtpd runs as vpopmail), no world read,
# because the file holds the private key.
chmod 640 "$QMAILCERT"
chown root:vchkpw "$QMAILCERT"
#
# Need to restart QMAIL
#
/etc/rc.d/init.d/qmail restart
#
# Webmin (thank you QMAIL, we can use the new PEM file as it's the same
# format)
#
/usr/sbin/service webmin stop
cat "$QMAILCERT" > /etc/webmin/miniserv.pem
/usr/sbin/service webmin start


-Original Message-
From: Remo Mattei [mailto:r...@mattei.org] 
Sent: Wednesday, April 27, 2022 03:07 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] iPhone updates / new ssl breaks connection

Hi David, can you share your config maybe I ping you offline.

Remo

> On Apr 26, 2022, at 23:55, David Bray  wrote:
> 
> I'm using Letsencrypt and it renews every - well not sure, is it 10/11
> weeks - the certs are valid for 3 months
> 
> It never has an issue with iOS
> 
> Cheers
> 
> David Bray
> e. da...@brayworth.com
> 
> April 27, 2022 1:47 AM, "Remo Mattei"  wrote:
> 
>> Hello guys, 
>> I got a few of my customers that every year after the upgrade of the SSL
>> cert do have issues and shows cert expired or not valid. I did not have the
>> issue on my iOS, but I just wonder if anyone has seen that and how they
>> planned to overcome this issue. 
>> 
>> Thanks, 
>> Remo
>> -
>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
> 



RE: [qmailtoaster] Certificate

2021-05-12 Thread CarlC Internet Services Service Desk
Remo,

 

I use LetsEncrypt, but I tell everyone who uses the service to use 
“secure.carlc.com” as the email server name. This causes the IMAP SSL to match 
up with the FQDN they are looking for. I never have an issue when LetsEncrypt 
does it automatic update [which is every 60 days as recommended by 
LetsEncrypt’s certbot] and the customer never gets a SSL cert mismatch.

 

Carl

 

From: Remo Mattei [mailto:r...@mattei.org] 
Sent: Tuesday, May 11, 2021 09:07 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Certificate

 

Yes, the thing is 10 dollars for 2 years with nothing to change, whereas 
Letsencrypt needs to change every 90 days and IMAP will prompt you for a new 
cert... not ideal for customers; if you do it for your personal servers then 
that’s good. 

 

Remo  





On May 11, 2021, at 4:04 PM, Rodrigo Cortes <rap...@gmail.com> wrote:

 

Hi!

 

Use Letsencrypt, it's free :)

 

On Tue, 11 May 2021 at 18:49, <r...@mattei.org> wrote:

Ssls.com  

> On 11 May 2021, at 15:03, Scott Hughes wrote:
> 
> Where is the cheapest place to get a certificate for my server.  The server 
> is in the USA if that matters. Thank you!

 



RE: [qmailtoaster] Certificate

2021-05-12 Thread CarlC Internet Services Service Desk
Rodrigo,

 

Here’s my script for Letsencrypt, obviously, you would change out 
secure.carlc.com with the name of website on the email server that QMAIL runs:

 

[root@mail7 ~]# more copy_letsencrypt_files.sh

#!/bin/bash
#
# Script to copy Let's Encrypt files to the right area and restart the needed
# services.
#
# Initial concept by RCC 06/08/2018
#
# Change secure.carlc.com to the name your Let's Encrypt cert is issued for.
#
CERTDIR="/etc/letsencrypt/live/secure.carlc.com"
QMAILCERT="/var/qmail/control/servercert.pem"
# The files written below contain the private key: never create them world-readable.
umask 077
#
# Test if the letsencrypt live cert.pem file was changed in the last 24 hours...
# (live/ holds symlinks, so -L follows them to the real file; find prints the
# path only when it is OLDER than 1440 minutes)
#
if [ ! -f "$CERTDIR/cert.pem" ]; then
    echo "No cert.pem under $CERTDIR... STOP!"
    exit 1
fi
if test "$(find -L "$CERTDIR/cert.pem" -mmin +1440)"
then
    echo "Cert file is older than 1440 test minutes (24 hours)... STOP!"
    exit 0
fi
echo "Get to work, new cert file is younger than 1440 minutes (24 hours)..."
#
# Dovecot just needs a restart as it is using the /etc/letsencrypt/live
# files already
#
/usr/sbin/service dovecot restart
#
# Qmail SMTP-SSL
#
# Create a new /var/qmail/control/servercert.pem-NEW
#
# NOTE: order is critical, start with private key, then URL cert, then any
# intermediate files.
#
cat "$CERTDIR/privkey.pem" >  "$QMAILCERT-NEW"
cat "$CERTDIR/cert.pem"    >> "$QMAILCERT-NEW"
cat "$CERTDIR/chain.pem"   >> "$QMAILCERT-NEW"
#
# Swap out files, move current to OLD then NEW to current
#
mv "$QMAILCERT" "$QMAILCERT-OLD"
mv "$QMAILCERT-NEW" "$QMAILCERT"
# Owner root, group vchkpw (qmail-smtpd runs as vpopmail), no world read,
# because the file holds the private key.
chmod 640 "$QMAILCERT"
chown root:vchkpw "$QMAILCERT"
#
# Need to restart QMAIL
#
/etc/rc.d/init.d/qmail restart
#
# Webmin (thank you QMAIL, we can use the new PEM file as it's the same
# format)
#
/usr/sbin/service webmin stop
cat "$QMAILCERT" > /etc/webmin/miniserv.pem
/usr/sbin/service webmin start

 

From: Rodrigo Cortes [mailto:rap...@gmail.com] 
Sent: Tuesday, May 11, 2021 09:27 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Certificate

 

hi!

 

It is a simple script to renew and apply to qmail, dovecot and apache :)

 

I have this solution for other SMTP servers and it works fine :)

 

On Tue, 11 May 2021 at 21:07, Remo Mattei <r...@mattei.org> wrote:

Yes, the thing is 10 dollars for 2 years with nothing to change, whereas 
Letsencrypt needs to change every 90 days and IMAP will prompt you for a new 
cert... not ideal for customers; if you do it for your personal servers then 
that’s good. 

 

Remo  





On May 11, 2021, at 4:04 PM, Rodrigo Cortes <rap...@gmail.com> wrote:

 

Hi!

 

Use Letsencrypt, it's free :)

 

On Tue, 11 May 2021 at 18:49, <r...@mattei.org> wrote:

Ssls.com  

> On 11 May 2021, at 15:03, Scott Hughes wrote:
> 
> Where is the cheapest place to get a certificate for my server.  The server 
> is in the USA if that matters. Thank you!

 



RE: [qmailtoaster] Spamcop's RBL went rogue today for me

2021-01-31 Thread CarlC Internet Services Service Desk
SPAMCOP.NET was not renewed as a domain by CISCO. There’s a big write up on 
Reddit.

 

https://www.reddit.com/r/sysadmin/comments/l9asw7/spamcop_domain_expiredparked/

 

and

 

https://www.bleepingcomputer.com/news/security/spamcop-anti-spam-service-suffers-an-outage-after-its-domain-expired/

 

So, you could say “This outage brought to you by, CISCO…” …

 

Carl

 

 

From: Jaime Lerner [mailto:jaimeler...@geekgoddess.com] 
Sent: Sunday, January 31, 2021 06:13 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Spamcop's RBL went rogue today for me

 

Just an FYI that from 11am ET this morning EVERY single email that was 
delivered to my server got rejected from Spamdyke as "DENIED_RBL_MATCH" because 
I had bl.spamcop.net listed as one of my "dns-blacklist-entry" settings (along 
with spamhaus and barracudacentral).

 

I was finally notified via text from one of my clients that their email was 
being bounced as undeliverable, so I checked the server at 5pm and found all 
the rejections in the maillog file. Yikes!

 

In case someone else has bl.spamcop.net in their spamdyke.conf file you may 
want to check and make sure that server is receiving mail OK. Have no clue what 
caused it.
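Carl's reply above names the cause (the list's domain expired and was parked). As an added example that is not from this thread, spamdyke or QMT, the Python below is the check a mail admin could run from cron before trusting a DNSBL: it tests each configured zone against the RFC 5782 test addresses (127.0.0.2 must be listed, 127.0.0.1 must not), so a parked zone that suddenly answers for every name is caught, and it counts DENIED_RBL_MATCH verdicts over a window of maillog lines so the two signals can be combined into one alert. The log layout, zone names and resolver are constructed stand-ins.

```python
"""DNSBL sanity check (RFC 5782 test points) plus a maillog rejection counter.

Added example for the qmailtoaster thread on the Spamcop outage; not part of
spamdyke or QMT. Zone names, log lines and the fake resolver are constructed.
"""
import re
import socket
from collections import Counter
from typing import Callable, Iterable, List, Optional, Tuple

# A resolver maps a DNS name to its A record, or None when the name does not
# resolve (NXDOMAIN). Injecting it keeps the check testable offline.
Resolver = Callable[[str], Optional[str]]


def reverse_ip(ip: str) -> str:
    """203.0.113.5 -> 5.113.0.203, the label order DNSBL zones expect."""
    return ".".join(reversed(ip.split(".")))


def dns_resolve(name: str) -> Optional[str]:
    """Live resolver: a single A lookup, None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_health(zone: str, resolve: Resolver = dns_resolve) -> str:
    """Classify a DNSBL zone using the RFC 5782 test addresses.

    127.0.0.2 must be listed (proves the zone answers) and 127.0.0.1 must NOT
    be listed. A zone whose domain expired and got parked behind a wildcard A
    record answers for every name, so 127.0.0.1 comes back "listed" and every
    sending host is rejected.
    """
    listed_2 = resolve(f"{reverse_ip('127.0.0.2')}.{zone}")
    listed_1 = resolve(f"{reverse_ip('127.0.0.1')}.{zone}")
    if listed_1 is not None:
        return "lists-everything"   # the failure mode in this thread
    if listed_2 is None:
        return "dead"               # zone gone: useless but not harmful
    if not listed_2.startswith("127."):
        return "odd"                # real DNSBL answers live in 127.0.0.0/8
    return "ok"


# spamdyke writes one line per verdict; this layout is a constructed
# approximation of its "DENIED_RBL_MATCH from: ... to: ... origin_ip: ..." form.
LINE_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<verdict>[A-Z_]+) from: (?P<sender>\S+) "
    r"to: (?P<rcpt>\S+) origin_ip: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def rbl_rejection_ratio(lines: Iterable[str]) -> Tuple[int, int, float]:
    """Return (rbl_rejects, all_verdicts, ratio) for a window of maillog lines."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[m.group("verdict")] += 1
    total = sum(counts.values())
    rbl = counts["DENIED_RBL_MATCH"]
    return rbl, total, (rbl / total if total else 0.0)


def rogue_rbl_alert(lines: Iterable[str], zones: Iterable[str],
                    resolve: Resolver = dns_resolve,
                    threshold: float = 0.9, min_total: int = 50) -> List[Tuple[str, str]]:
    """Alert only when both signals agree: RBL rejections dominate the window
    AND at least one configured zone fails the RFC 5782 check.
    Returns the unhealthy zones as (zone, health) pairs; empty means all is well."""
    rbl, total, ratio = rbl_rejection_ratio(lines)
    if total < min_total or ratio < threshold:
        return []
    bad = []
    for zone in zones:
        health = dnsbl_health(zone, resolve)
        if health != "ok":
            bad.append((zone, health))
    return bad


# Constructed sample: three RBL rejections and one accepted message.
SAMPLE_LOG = """\
Jan 31 11:02:10 mail spamdyke[4101]: DENIED_RBL_MATCH from: a@example.net to: me@example.org origin_ip: 203.0.113.5 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: bl.parked.example
Jan 31 11:02:41 mail spamdyke[4108]: DENIED_RBL_MATCH from: b@example.com to: me@example.org origin_ip: 198.51.100.7 origin_rdns: mx.example.com auth: (unknown) encryption: TLS reason: bl.parked.example
Jan 31 11:03:05 mail spamdyke[4115]: ALLOWED from: c@example.com to: me@example.org origin_ip: 192.0.2.9 origin_rdns: relay.example.com auth: (unknown) encryption: TLS
Jan 31 11:03:30 mail spamdyke[4120]: DENIED_RBL_MATCH from: d@example.org to: me@example.org origin_ip: 203.0.113.77 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: bl.parked.example
"""


def fake_resolver(name: str) -> Optional[str]:
    """Stand-in DNS for the sample: bl.parked.example answers for everything
    with a parking-page address; bl.good.example lists only 127.0.0.2."""
    if name.endswith(".bl.parked.example"):
        return "192.0.2.10"
    if name == "2.0.0.127.bl.good.example":
        return "127.0.0.2"
    return None


if __name__ == "__main__":
    zones = ["bl.parked.example", "bl.good.example"]
    print(rbl_rejection_ratio(SAMPLE_LOG.splitlines()))
    print(rogue_rbl_alert(SAMPLE_LOG.splitlines(), zones, fake_resolver,
                          threshold=0.7, min_total=4))
```

With the real resolver, `dnsbl_health("bl.spamcop.net")` answers the question Jaime asked ("is that server receiving mail OK?") before the first client calls.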

 

 



[qmailtoaster] Clamd not restarting after update from 101 to 103

2021-01-16 Thread CarlC Internet Services Service Desk
Ran into an issue where last night, two of my servers with clamav 101
versions updated to 103.

After the update, the old clam was running, so if you reboot, you find that
clam is not starting. In order to fix:

1) Install clamd
yum install clamd

2) uncomment the "LocalSocket" in /etc/clamd.d/scan.conf so LocalSocket is
enabled.

3) add clamd to system startup
systemctl enable clamd@scan
Note: the @scan says to use the scan.conf file in step 2

4) start clamd
systemctl start clamd@scan

5) enable clamav-freshclam
systemctl enable clamav-freshclam
systemctl start clamav-freshclam

6) To check that they are enabled, find them using:
systemctl list-unit-files | grep enabled

Where this was biting me was my older Centos 7 installations that had the
qmail clamav setups and converted to EPEL clamav.

Carl

P.s. If I missed anything, feel free to correct and post back to the list.





[qmailtoaster] RedHat's Blog on CentOS

2021-01-13 Thread CarlC Internet Services Service Desk
https://blog.centos.org/2021/01/centos-community-newsletter-january-2020-2101/

Interesting read... I still will stand behind any decision Eric has for our
future direction.

Carl





RE: [qmailtoaster] Clamd suggestions

2020-12-15 Thread CarlC Internet Services Service Desk
I spent yesterday fighting with this... The newer 103 version had an issue with 
simscan, where it didn't start and read simscan correctly. This caused all my 
submission [port 587] to do "qq soft reject" failures.

I was able to go back to the 101 qmt version that worked correctly on the two 
boxes that had the issues. A third took the 103 update with out a hitch. The 
biggest issue, you MUST do a reboot after install of the 103 to see if clamd 
starts up correctly.

Carl

-Original Message-
From: Remo Mattei [mailto:r...@mattei.org] 
Sent: Tuesday, December 15, 2020 01:29 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Clamd suggestions



> On Dec 14, 2020, at 21:19, Eric Broch  wrote:
> 
> I'm thinking about making the stock CentOS 7 install with EPEL clamd and 
> removing it from the qmt repo altogether. Give me a couple days.
> 
> On 12/14/2020 10:18 PM, Eric Broch wrote:
>> yum --disablerepo=qmt-current update
>> 
>> On 12/14/2020 10:17 PM, Remo Mattei wrote:
>>> Hi all,
>>> I just tried to do the update and I get this
>>> 
>>> --> Processing Conflict: clamav-filesystem-0.103.0-1.el7.noarch conflicts 
>>> clamav < 0.103.0-1.el7
>>> --> Finished Dependency Resolution
>>> Error: Package: clamav-0.102.4-1.el7.x86_64 (@epel)
>>> Requires: clamav-filesystem = 0.102.4-1.el7
>>> Removing: clamav-filesystem-0.102.4-1.el7.noarch (@epel)
>>> clamav-filesystem = 0.102.4-1.el7
>>> Updated By: clamav-filesystem-0.103.0-1.el7.noarch (epel)
>>> clamav-filesystem = 0.103.0-1.el7
>>> Error: clamav-filesystem conflicts with clamav-0.102.4-1.el7.x86_64
>>> Error: Package: clamav-0.102.4-1.el7.x86_64 (@epel)
>>> Requires: clamav-lib = 0.102.4-1.el7
>>> Removing: clamav-lib-0.102.4-1.el7.x86_64 (@epel)
>>> clamav-lib = 0.102.4-1.el7
>>> Updated By: clamav-lib-0.103.0-1.el7.x86_64 (epel)
>>> clamav-lib = 0.103.0-1.el7
>>>   You could try using --skip-broken to work around the problem
>>>   You could try running: rpm -Va --nofiles --nodigest
>>> 
>>> Has anyone had the same issue? I did use skip-broken on one box 
>>> but I wonder if anyone has a workaround.
>>> 
>>> Thanks



RE: [qmailtoaster] Future of qmailtoaster on CentOS?

2020-12-11 Thread CarlC Internet Services Service Desk
That's why I went in business for myself... Except I don't really advertise, I 
pick who I want for clients. This way, I can setup ANY type of VM I want, with 
ANY Linux distro I want to support. And as to going out of business in 3 days, 
that's the old tactic of "I got your money, now what ya gonna do...". And yes, 
I usually provide a similar system to Linode/Digital Ocean/Vultr for similar 
pricing, I just don't have a fancy control panel to play with the VM 100 ways 
to Tuesday. Also, I've been in hosting since 1999... and a Qmail addict since 
then.

This is also why I don't mind if QMAILtoaster moves to FreeBSD or similar. I 
would put a vote in for FreeBSD as that's what pfSense runs on, and it's been 
very successful on that platform. But, I will gladly bow to which ever 
direction Eric thinks is best [And Eric, if we have to change out the 
QMT-Server to another Distro, I'm ready when you are :) ].

I would like to understand something, and I maybe I just don't see the issue(s) 
yet... I swapped two Centos 8 systems over to "stream", and for now, they seem 
good. If Centos 8 stream is going to be 1/2 RHEL and 1/2 Fedora Core, could 
that be a good thing? I understand running production systems, so is it 
possible this could work out running on Centos 8 stream? Or in a year, does all 
hell break loose and Centos 8 becomes as reliable as Microsoft ME?

Carl






RE: [qmailtoaster] qmailtoaster and clamav version: 0.102.2

2020-02-19 Thread CarlC Internet Services Service Desk
AIZAWA-san,

While it's not the latest, it's still current enough to handle all the ClamAV 
scanning. I'm sure Eric will give you a better explanation, but you are not far 
behind in version and ability.

Carl

-Original Message-
From: あいざわひろし [mailto:cobo...@gmail.com] 
Sent: Wednesday, February 19, 2020 10:05 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] qmailtoaster and clamav version: 0.102.2

hello qmailtoaster-list

yesterday I found freshclam saying
|WARNING: Your ClamAV installation is OUTDATED!
|WARNING: Local version: 0.101.4 Recommended version: 0.102.2

but at
ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/7/testing/x86_64/
clamav-0.101.4-10.qt.el7.x86_64.rpm
looks latest.

How can I update clamav ?

--
AIZAWA Hiroshi




RE: [qmailtoaster] letsencrypt cert renewal commands

2019-12-03 Thread CarlC Internet Services Service Desk
I created one that, after you run the renew, will install it:

 

#!/bin/bash
#
# Script to copy Let's Encrypt files to the right area and restart the needed
# services.
#
# Initial concept by RCC 06/08/2018
#
# Change secure.carlc.com to the name your Let's Encrypt cert is issued for.
#
CERTDIR="/etc/letsencrypt/live/secure.carlc.com"
QMAILCERT="/var/qmail/control/servercert.pem"
# The files written below contain the private key: never create them world-readable.
umask 077
#
# Test if the letsencrypt live cert.pem file was changed in the last 24 hours...
# (live/ holds symlinks, so -L follows them to the real file; find prints the
# path only when it is OLDER than 1440 minutes)
#
if [ ! -f "$CERTDIR/cert.pem" ]; then
    echo "No cert.pem under $CERTDIR... STOP!"
    exit 1
fi
if test "$(find -L "$CERTDIR/cert.pem" -mmin +1440)"
then
    echo "Cert file is older than 1440 test minutes (24 hours)... STOP!"
    exit 0
fi
echo "Get to work, new cert file is younger than 1440 minutes (24 hours)..."
#
# Dovecot just needs a restart as it is using the /etc/letsencrypt/live
# files already
#
/usr/sbin/service dovecot restart
#
# Qmail SMTP-SSL
#
# Create a new /var/qmail/control/servercert.pem-NEW
#
# NOTE: order is critical, start with private key, then URL cert, then any
# intermediate files.
#
cat "$CERTDIR/privkey.pem" >  "$QMAILCERT-NEW"
cat "$CERTDIR/cert.pem"    >> "$QMAILCERT-NEW"
cat "$CERTDIR/chain.pem"   >> "$QMAILCERT-NEW"
#
# Swap out files, move current to OLD then NEW to current
#
mv "$QMAILCERT" "$QMAILCERT-OLD"
mv "$QMAILCERT-NEW" "$QMAILCERT"
# Owner root, group vchkpw (qmail-smtpd runs as vpopmail), no world read,
# because the file holds the private key.
chmod 640 "$QMAILCERT"
chown root:vchkpw "$QMAILCERT"
#
# Need to restart QMAIL
#
/etc/rc.d/init.d/qmail restart
#
# Webmin (thank you QMAIL, we can use the new PEM file as it's the same
# format)
#
/usr/sbin/service webmin stop
cat "$QMAILCERT" > /etc/webmin/miniserv.pem
/usr/sbin/service webmin start

 

Just change the secure.carlc.com to the name of your server/cert. This assumes 
you have dovecot using the /etc/letsencrypt/live files for SSL/TLS.

 

Carl

 

From: Biju Jose | WHITES Systems [mailto:b...@whitesindia.com] 
Sent: Tuesday, December 03, 2019 03:29 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] letsencrypt cert renewal commands

 

Have you installed certbot?

 

From: ChandranManikandan <kand...@gmail.com> 
Sent: 03 December 2019 13:33
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] letsencrypt cert renewal commands

 

Hi Friends,

 

I have installed letsencrypt on COS7 and I tried to make a cron job as per the 
steps below, but the cert renew and certbot folder are not there in /opt.

 

0 0 * * * /root /opt/certbot renew

 

Is there any other way, or did I make a mistake?

Anyone had the same problem?


 

-- 

Regards,
Manikandan.C



RE: [qmailtoaster] Error on new mailserver setup

2019-10-22 Thread CarlC Internet Services Service Desk
I think this is the old issue where /var/qmail/bin/qmail-queue is “ln” to 
queue-dk. You might want to undo the “ln” and create a new one to 
qmail-queue.orig...

 

Carl

 

From: Jeff Koch [mailto:jeffk...@intersessions.com] 
Sent: Tuesday, October 22, 2019 08:50 AM
To: qmailtoaster-list@qmailtoaster.com; Eric Broch 
Subject: [qmailtoaster] Error on new mailserver setup

 


Hi:

Anyone know why we would be seeing this message when trying to send email on a 
new QMT7 setup?

554 qmail-dk: Cannot sign message due to invalid message syntax. (#5.3.0) 


Thanks, Jeff





RE: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread CarlC Internet Services Service Desk
Yup, turns out that’s a left over from before Dovecot 2.2…. It was getting 
ignored and the default is TLSv1.

 

Removed from my config as obsolete.

Carl

 

From: Gary Bowling [mailto:g...@gbco.us] 
Sent: Wednesday, September 04, 2019 01:44 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SSL Problem Dovecot

 

 

Carl, when I put that statement in my dovecot conf I get the following in my 
log on startup.


Sep 04 13:39:41 config: Warning: Obsolete setting in 
/etc/dovecot/local.conf:22: ssl_protocols has been replaced by ssl_min_protocol
Sep 04 13:39:41 config: Error: Could not find a minimum ssl_min_protocol 
setting from ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2: Unrecognized 
protocol 'SSLv2'

 

Thanks, Gary 

 

On 9/4/2019 1:20 PM, CarlC Internet Services Service Desk wrote:

For Dovecot, I use

 

ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2

 

Then under ssl_cipher_list, I have a long list of ciphers [and blocked ones] 
that start with the strongest and work downward from there. When I run a scan 
against IMAPS, any that are found to be compromised, I change the list to 
match. This is why I don’t list mine as its fluid based on the latest scans.

 

$0.02,

Carl




RE: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread CarlC Internet Services Service Desk
For Dovecot, I use

 

ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2

 

Then under ssl_cipher_list, I have a long list of ciphers [and blocked ones] 
that start with the strongest and work downward from there. When I run a scan 
against IMAPS, any that are found to be compromised, I change the list to 
match. This is why I don’t list mine as its fluid based on the latest scans.

 

$0.02,

Carl
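As an added example (not Dovecot's, qmail's or any poster's code), the Python below uses the standard ssl module to show the two knobs Carl keeps separate: the protocol floor (Dovecot's ssl_min_protocol; ssl_protocols in older versions) and the cipher list (Dovecot's ssl_cipher_list, qmail's tlsservercipher). It also audits a list of suite names the way a scanner report would, flagging weak components and suites without forward secrecy, so a candidate list can be vetted before it goes into a config. The weak-token list is my own choice; the string 'ECDHE:DHE:-SSLv3' is the one Andy recommends later in this thread.

```python
"""Protocol floor vs. cipher list, and a suite-name audit.

Added example for the qmailtoaster "SSL Problem Dovecot" thread. Uses only the
Python ssl module, so the offered suites reflect the local OpenSSL build.
"""
import ssl
from typing import Dict, List, Tuple

# Suite-name tokens that mark a cipher as broken or too weak to offer. This is
# a constructed list for the example, not an OpenSSL or Dovecot default.
WEAK_TOKENS = {"NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "SEED", "IDEA"}


def has_forward_secrecy(name: str) -> bool:
    """Ephemeral (EC)DH key exchange, or a TLS 1.3 suite (always ephemeral)."""
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))


def audit_cipher_names(names: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split suite names into the ones to keep and a {name: reason} map of
    rejects, i.e. what a scanner report tells you to drop, and why."""
    kept: List[str] = []
    rejected: Dict[str, str] = {}
    for name in names:
        # TLS 1.3 names use underscores; normalise so one split covers both.
        tokens = set(name.replace("_", "-").split("-"))
        weak = tokens & WEAK_TOKENS
        if weak:
            rejected[name] = "weak component: " + ",".join(sorted(weak))
        elif not has_forward_secrecy(name):
            rejected[name] = "no forward secrecy (static RSA key exchange)"
        else:
            kept.append(name)
    return kept, rejected


def to_cipher_string(kept: List[str]) -> str:
    """Join vetted names into the colon-separated form Dovecot and qmail read."""
    return ":".join(kept)


def server_context(min_version: ssl.TLSVersion, cipher_string: str) -> ssl.SSLContext:
    """Protocol floor and cipher list are two independent settings, exactly as
    ssl_min_protocol and ssl_cipher_list are in Dovecot. Tightening one does
    not tighten the other; both must be set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return ctx


def effective_suites(ctx: ssl.SSLContext) -> List[str]:
    """The suite names this OpenSSL build would actually offer for the context."""
    return [c["name"] for c in ctx.get_ciphers()]


def suites_for(cipher_string: str) -> List[str]:
    """Offered suites for a cipher string with the floor at TLS 1.2."""
    return effective_suites(server_context(ssl.TLSVersion.TLSv1_2, cipher_string))


if __name__ == "__main__":
    # The string from the thread: ECDHE first, then DHE, minus SSLv3-era suites.
    pfs = suites_for("ECDHE:DHE:-SSLv3")
    kept, rejected = audit_cipher_names(pfs)
    print(f"'ECDHE:DHE:-SSLv3' offers {len(pfs)} suites, {len(rejected)} flagged")
    # The permissive string the thread warns against, for comparison.
    kept_all, rejected_all = audit_cipher_names(suites_for("ALL"))
    print(f"'ALL' offers {len(kept_all) + len(rejected_all)} suites, "
          f"{len(rejected_all)} flagged, e.g. {dict(list(rejected_all.items())[:3])}")
    print("ssl_cipher_list =", to_cipher_string(kept))
```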



RE: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread CarlC Internet Services Service Desk
Gary,

 

https://www.immuniweb.com/ssl/ is a perfect way to test. I think everyone 
agrees, we just don’t want to set it to “X” and assume it’s the best.

 

Since Dovecot can use a different encryption list than Qmail, that’s why you 
need to test each port. I think you got the main idea of it now.

 

Carl

 

From: Gary Bowling [mailto:g...@gbco.us] 
Sent: Wednesday, September 04, 2019 10:50 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SSL Problem Dovecot

 

 

Yes it's a bit tricky for sure. Phones for email, which I have a lot of. I have 
a customer with a fax machine that emails faxes, so it has an email account 
configured in it. All these things run TLSv1 and aren't things I can dictate go 
away.

 

I also found that squirrelmail uses TLSv1 and ECDHE-RSA-AES256-SHA. Since it's 
logging in from 127.0.0.1 to 127.0.0.1 it's not a problem. But it IS a problem 
for setting these things in the server.

 

At this point, I have NO ssl_cipher_list configured in dovecot, so it's using 
whatever the default is. I set it back this way (that's what it was when I 
started this exercise) because everything I configured caused me problems. I 
need to leave the users alone for a bit so they can get some work done :)

 

With it set this way, I scanned my server using https://www.immuniweb.com/ssl/ 

 

 

Looks like it scans both the mail protocols and the web protocols. The only big 
problem it shows is the use of TLSv1, which I'm not sure I can do anything 
about at this point. 

 

There are a few other things it points out that I need to look in to.. 

- Doesn't support TLSv1.3. Not sure I can do anything about this one as I would 
assume it requires an update to openssl.

- The server does not prefer cipher suites. Need to do some research on this 
one.

- The server does not enforce HTTP Strict Transport Security. FIXED by adding 
the following to my virtualhost.

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

 

Gary

 



RE: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread CarlC Internet Services Service Desk
 

'ALL' adds all of the ciphers (including those with no encryption). 

'ALL:-SSLv2' adds all the ciphers and then removes all of the SSLv2 ciphers. 

A reasonable cipherlist is: 
'HIGH:-SSLv3' 

If you want "perfect forward secrecy", try this: 
'ECDHE:DHE:-SSLv3' 
This will yield a subset of the TLSv1.2 ciphers which has the elliptic-curve 
diffie-hellman-ephemeral ciphers first and then standard 
diffie-hellman-ephemeral ciphers after that. 

If you put that into openssl ciphers ( openssl ciphers -v 'HIGH:-SSLv3') you 
will note that you only get TLSv1.2 ciphers.  That is because an important 
concept is the difference between ciphers and protocols.  TLS 1.0 and 1.1 
updated the protocol but added no new ciphers.  (you can confirm this by 
comparing "openssl ciphers -v 'SSLv3' | md5sum" to "openssl ciphers -v 'TLSv1' 
| md5sum"; you'll get an error if you do it with TLSv1.1 because it does not 
even have a list of ciphers). 

But note that older servers, such as centos 5, will not be able to connect to 
you (if you use 'ECDHE:DHE:-SSLv3') because their old version of openssl does 
not support TLSv1.2.  In that case, for STARTTLS, it will fail, which will 
default to smtp transmission as cleartext.  SMTP is somewhat forgiving, as a 
failed STARTTLS connection will fall back to cleartext, whereas most other TLS 
protocols will fail to connect. 

This is a segue into the related topic of "protocols".  Many servers (like 
dovecot) have a separate setting for "TLS cipherlist" and "TLS protocol".  The 
protocol is the algorithm for establishing the connection, and it is 
independent of the ciphers.  You should avoid the SSLv3 or TLSv1 protocols, as 
these protocols have been found to have weaknesses in how they negotiate 
the connection (completely unrelated to the strength of the ciphers). 

This manpage is a good explanation of all the macros and has examples at the 
end: 
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html 

People with older versions of openssl (i.e. Centos 5) cannot do TLSv1.2 and 
will have no choice but to use ciphers/protocols with known weaknesses, and 
then hope that the other servers do not try to force a certain level of 
cipher/protocol.  That is not supposed to happen (per smtp/STARTTLS protocol), 
but I know for a fact that it does:  I finally decided to upgrade from centos-5 
because an important mail server started refusing to receive mail from mine, 
with a complaint about not accepting the SSLv3 ciphers.  I think it was Outlook 
Server, but I'm not sure. 

Hope this helps. 

-Andy 

PS: Someone running the old version of openssl will need to put '-SSLv2' at the 
end of the cipherlist, whereas the newer version no longer supports it so it 
doesn't require removing it.  And NO ONE should be using the SSLv2 protocol, as 
hacking it is trivial. 







On 9/3/2019 1:22 PM, CarlC Internet Services Service Desk wrote: 



Actually, doing the openssl ciphers > /var/qmail/control/tlsservercipher is a 
starting point. 

After I did that, I then ran my server through some tests. I happen to use 
OpenVAS [which tool you want to use to find insecure SSL connections is up to 
you]. It was able to tell me which ciphers to disable and why. Whichever 
product you use to test the SSL should be one that’s up to date [or can be 
brought up to date]. For example, I run the tests against my email server every 
week [for example, I test against port 25, 465 and 587]. In my case, I also use 
OpenVAS to test the HTTPS side as well. 

If you’re using dovecot, you will want to also put the ssl_cipher_list in 
/etc/dovecot/dovecot.conf as well as the ssl_protocols list. This protects your 
IMAPS and POP3S protocols. Again, OpenVAS is set to run against those protocols 
as well. 

Carl 

From: Gary Bowling [mailto:g...@gbco.us] 
Sent: Tuesday, September 03, 2019 03:35 PM 
To: qmailtoaster-list@qmailtoaster.com 
Subject: Re: [qmailtoaster] SSL Problem Dovecot 

Thanks for that Carl. I'm running openssl-1.0.2k-16.el7_6.1.x86_64 

Pretty much everything about my server is continuously updated stock Centos 7. 
Currently at CentOS Linux release 7.6.1810 (Core) 

I do have epel installed, which updates some things and the qmt repo. That's 
it, and I'm a stickler for NOT installing anything that isn't done through yum 
and those repos. I've done this long enough to know that it's much easier to 
maintain, migrate to a new server, etc. if you're running everything in a 
managed way. So installing the repos and doing yum installs is pretty much the 
only way anything ever changes on my server, sans config files. 

Would be very interested in knowing not only 

RE: [qmailtoaster] SSL Problem Dovecot

2019-09-03 Thread CarlC Internet Services Service Desk
Actually, doing the openssl ciphers > /var/qmail/control/tlsservercipher is a 
starting point.

 

After I did that, I then ran my server through some tests. I happen to use 
OpenVAS [which tool you want to use to find insecure SSL connections is up to 
you]. It was able to tell me which ciphers to disable and why. Whichever 
product you use to test the SSL should be one that’s up to date [or can be 
brought up to date]. For example, I run the tests against my email server every 
week [for example, I test against port 25, 465 and 587]. In my case, I also use 
OpenVAS to test the HTTPS side as well.

 

If you’re using dovecot, you will want to also put the ssl_cipher_list in 
/etc/dovecot/dovecot.conf as well as the ssl_protocols list. This protects your 
IMAPS and POP3S protocols. Again, OpenVAS is set to run against those protocols 
as well.

 

Carl

 

From: Gary Bowling [mailto:g...@gbco.us] 
Sent: Tuesday, September 03, 2019 03:35 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SSL Problem Dovecot

 

 

Thanks for that Carl. I'm running openssl-1.0.2k-16.el7_6.1.x86_64

 

Pretty much everything about my server is continuously updated stock Centos 7. 
Currently at CentOS Linux release 7.6.1810 (Core)

 

I do have epel installed, which updates some things and the qmt repo. That's 
it, and I'm a stickler for NOT installing anything that isn't done through yum 
and those repos. I've done this long enough to know that it's much easier to 
maintain, migrate to a new server, etc. if you're running everything in a 
managed way. So installing the repos and doing yum installs is pretty much the 
only way anything ever changes on my server, sans config files.

 

Would be very interested in knowing not only the proper tlsservercipher file 
for this type of server, but also how to create/recreate it if it's a command 
done from openssl. Looks like you can create it with the command.

 

openssl ciphers > /var/qmail/control/tlsservercipher

 

But what I'm reading is that your advice is to NOT do that due to security 
concerns. So what would you recommend?

 

Thanks, Gary

 

On 9/3/2019 3:28 PM, CarlC Internet Services Service Desk wrote:

Your real problem is that this file is different based on which CentOS you’re 
on [or should I say, which openssl is loaded]. If you have CentOS 7, with 
openssl 1.0.2k, you can tune this file to include each cipher you want [the 
file can actually be 10+ lines long wrapped]. This is so you can remove all the 
“hacked” ciphers, especially to force your clients security to remain high. If 
you're running openssl 0.9.x, you don’t get the newer TLS ciphers you need to be 
secure.

 

Using the default is way too low, and if you do, you will where someone gets 
hacked over a ‘free’ WiFi connection [because you had SSL 3.0/TLS 1.0 on].

 

Carl

 

From: Gary Bowling [mailto:g...@gbco.us] 
Sent: Tuesday, September 03, 2019 02:58 PM
To: qmailtoaster-list@qmailtoaster.com 
<mailto:qmailtoaster-list@qmailtoaster.com> 
Subject: Re: [qmailtoaster] SSL Problem Dovecot

 

 

So this may be an issue of the tlsserverciphers file. Some times it's 
interesting not knowing what you're doing! haha

 

I guess the question I have is.. What is the proper tlsserverciphers for a 
qmailtoaster with a letsencrypt certificate. If that even makes sense.

 

And what is the proper way to actually do it. I've read multiple things on 
various forums, including here. 

 

One says to do:

echo 
"!EDH:!DHE:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL"
 > /var/qmail/control/tlsserverciphers

 

One says to do:

openssl ciphers 'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES' > 
/var/qmail/control/tlsserverciphers

 

yet another says to create a sym link to the servercert.pem file. 

 

ln -sf /var/qmail/control/servercert.pem /var/qmail/control/tlsserverciphers

 

 

I guess it has to do with how tight you want security to be and maybe 
tlsserverciphers can contain various forms of how to define that. Just looking 
for what "most" people would use for an up to date Centos 7 server.

 

Thanks, Gary

 

On 9/3/2019 11:04 AM, Gary Bowling wrote:

 

I had to get a new cert for my server, which I installed yesterday. Now I'm 
having problems with certain clients logging in. I get the following error in 
the dovecot.log.

 

TLS handshaking: SSL_accept() failed: error:1408A10B:SSL routines: 
ssl3_get_client_hello:wrong version number

 

Any help would be appreciated. 

 

Thanks, Gary 

-- 

Gary Bowling



--

RE: [qmailtoaster] SSL Problem Dovecot

2019-09-03 Thread CarlC Internet Services Service Desk
Your real problem is that this file is different based on which CentOS you’re 
on [or should I say, which openssl is loaded]. If you have CentOS 7, with 
openssl 1.0.2k, you can tune this file to include each cipher you want [the 
file can actually be 10+ lines long wrapped]. This is so you can remove all the 
“hacked” ciphers, especially to force your clients security to remain high. If 
you're running openssl 0.9.x, you don’t get the newer TLS ciphers you need to be 
secure.

 

Using the default is way too low, and if you do, you will where someone gets 
hacked over a ‘free’ WiFi connection [because you had SSL 3.0/TLS 1.0 on].

 

Carl

 

From: Gary Bowling [mailto:g...@gbco.us] 
Sent: Tuesday, September 03, 2019 02:58 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SSL Problem Dovecot

 

 

So this may be an issue of the tlsserverciphers file. Some times it's 
interesting not knowing what you're doing! haha

 

I guess the question I have is.. What is the proper tlsserverciphers for a 
qmailtoaster with a letsencrypt certificate. If that even makes sense.

 

And what is the proper way to actually do it. I've read multiple things on 
various forums, including here. 

 

One says to do:

echo 
"!EDH:!DHE:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL"
 > /var/qmail/control/tlsserverciphers

 

One says to do:

openssl ciphers 'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES' > 
/var/qmail/control/tlsserverciphers

 

yet another says to create a sym link to the servercert.pem file. 

 

ln -sf /var/qmail/control/servercert.pem /var/qmail/control/tlsserverciphers

 

 

I guess it has to do with how tight you want security to be and maybe 
tlsserverciphers can contain various forms of how to define that. Just looking 
for what "most" people would use for an up to date Centos 7 server.

 

Thanks, Gary

 

On 9/3/2019 11:04 AM, Gary Bowling wrote:

 

I had to get a new cert for my server, which I installed yesterday. Now I'm 
having problems with certain clients logging in. I get the following error in 
the dovecot.log.

 

TLS handshaking: SSL_accept() failed: error:1408A10B:SSL routines: 
ssl3_get_client_hello:wrong version number

 

Any help would be appreciated. 

 

Thanks, Gary 

-- 

Gary Bowling





RE: [qmailtoaster] Slow speeds on qmt repos

2019-06-19 Thread CarlC Internet Services Service Desk
Which QMT repo are you pulling from? I know one of the repos run from my VMware 
cluster at the NOC and I don't show any slowness at the NOC.

Carl

-Original Message-
From: Tony White [mailto:t...@ycs.com.au] 
Sent: Wednesday, June 19, 2019 11:35 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Slow speeds on qmt repos

Hi Folks,
   I am trying to build a new server but am concerned
that I am only getting about ~8.5kb/sec.
   My link is running at 104Mb/s so I am reasonably
sure it is not my end.

   Is there something wrong please?

TIA :)

-- 
best wishes
   Tony White





RE: [qmailtoaster] SMTP configuration

2019-06-18 Thread CarlC Internet Services Service Desk
Ah, so it’s not a setting I can set as I’m running 1.03-2.1 [production].

 

I can wait for the 1.03-3.1 to make it into production, then set it up. To me, 
I’ve warned all clients to NEVER EVER use port 25 [instead, use 465/587 with 
the proper TLS turned on], so this is not a super critical patch.

 

Thanks!

Carl

 

From: Eric Broch [mailto:ebr...@whitehorsetc.com] 
Sent: Tuesday, June 18, 2019 10:38 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SMTP configuration

 

What about the most recent qmail (1.03-3.1) package in the development tree. It 
has a patch that forces encryption before authentication.

 

On 6/18/2019 6:46 AM, CarlC Internet Services Service Desk wrote:

I have my own OpenVAS server to test my Qmail server for security. One of the 
things I get as a “medium” warning is
 
“The remote host is running SMTP server that allows cleartext logins over 
unencrypted connections.”
 
It’s saying we allow LOGIN and PLAIN for SMTP while supporting the “STARTTLS” 
command.
 
I’ve been looking at the /var/qmail/supervise/smtp/run file but don’t see how 
to turn off the LOGIN and PLAIN for SMTP [or enforce STARTTLS instead]. 
 
Ideas on how to fix this?
 
Carl
 
p.s. if anyone needs a good scanning tool, I highly recommend OpenVAS. After 
all, like Qmail, it’s freeware [or has a free version]



[qmailtoaster] SMTP configuration

2019-06-18 Thread CarlC Internet Services Service Desk
I have my own OpenVAS server to test my Qmail server for security. One of the 
things I get as a “medium” warning is
 
“The remote host is running SMTP server that allows cleartext logins over 
unencrypted connections.”
 
It’s saying we allow LOGIN and PLAIN for SMTP while supporting the “STARTTLS” 
command.
 
I’ve been looking at the /var/qmail/supervise/smtp/run file but don’t see how 
to turn off the LOGIN and PLAIN for SMTP [or enforce STARTTLS instead]. 
 
Ideas on how to fix this?
 
Carl
 
p.s. if anyone needs a good scanning tool, I highly recommend OpenVAS. After 
all, like Qmail, it’s freeware [or has a free version]


RE: [qmailtoaster] mailserver on AWS

2019-03-02 Thread CarlC Internet Services Service Desk
Actually, what you do is set this up on the remote server... You create the SSH 
tunnel where the remote server [with port 25 open to the world], connected via 
SSH Tunnel to the remote server [and what port on the remote server you want 
the tunnel to connect to]... Usually, I use key pairs so I can restart the 
remote system without requiring a password.

I've used it before not only for SMTP but for MySQL/Oracle connections between 
a DMZ server and in-house MySQL or Oracle server.

Carl

-Original Message-
From: Eric Broch [mailto:ebr...@whitehorsetc.com] 
Sent: Saturday, March 02, 2019 02:16 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] mailserver on AWS

Carl,

how do you incorporate this in qmail?

On 3/2/2019 12:04 PM, CarlC Internet Services Service Desk wrote:
> Jeff [and Eric],
>
> Look at SSH port forwarding... I've done this before and it works great...  
> You could do what Eric suggested, start on a different port, then on another 
> server at a more reasonable host provider, forward that port 25 to your AWS 
> instance via SSH.
>
> https://www.ssh.com/ssh/tunneling/example
>
> Carl
>
> -Original Message-
> From: Eric Broch [mailto:ebr...@whitehorsetc.com]
> Sent: Saturday, March 02, 2019 01:00 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] mailserver on AWS
>
> I'm not sure, maybe start smtp under different port.
>
> On 3/1/2019 4:16 PM, Jeff Koch wrote:
>> I'd like to build a qmailtoaster mailserver on an AWS instance but as
>> you probably know AWS pretty much blocks outgoing traffic on port 25.
>> So I'm thinking that I can tunnel outgoing port 25 traffic to a server
>> on a less picky hosting service. Has anyone ever done something like
>> that or have any info on how to set up that kind of tunnel? or perhaps
>> accomplish the same thing another way/
>>
>> Jeff
>>
>>
>>
-- 
Eric Broch
White Horse Technical Consulting (WHTC)





RE: [qmailtoaster] mailserver on AWS

2019-03-02 Thread CarlC Internet Services Service Desk
Jeff [and Eric],

Look at SSH port forwarding... I've done this before and it works great...  You 
could do what Eric suggested, start on a different port, then on another server 
at a more reasonable host provider, forward that port 25 to your AWS instance 
via SSH.

https://www.ssh.com/ssh/tunneling/example

Carl

-Original Message-
From: Eric Broch [mailto:ebr...@whitehorsetc.com] 
Sent: Saturday, March 02, 2019 01:00 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] mailserver on AWS

I'm not sure, maybe start smtp under different port.

On 3/1/2019 4:16 PM, Jeff Koch wrote:
>
> I'd like to build a qmailtoaster mailserver on an AWS instance but as 
> you probably know AWS pretty much blocks outgoing traffic on port 25. 
> So I'm thinking that I can tunnel outgoing port 25 traffic to a server 
> on a less picky hosting service. Has anyone ever done something like 
> that or have any info on how to set up that kind of tunnel? or perhaps 
> accomplish the same thing another way/
>
> Jeff
>
>
>
-- 
Eric Broch
White Horse Technical Consulting (WHTC)





[qmailtoaster] Issues with yum update....

2018-12-03 Thread CarlC Internet Services Service Desk
Yum just started complaining with this:

Could not retrieve mirrorlist
https://www.qmailtoaster.org/qmt-mirrorlist-current error was 14: curl#60 -
"Peer's Certificate issuer is not recognized."

Something expired on the qmt repository?
Carl





RE: [qmailtoaster] I do not understand this error!

2018-10-16 Thread CarlC Internet Services Service Desk
I just tested it… I was able to login [anonymous FTP] and drill down to the 
rpms under CentOS7 as a test…

 

Carl

 

From: Tommi Järvilehto [mailto:tommi.jarvile...@datavahti.fi] 
Sent: Tuesday, October 16, 2018 03:42 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] I do not understand this error!

 

ftp.qmailtoaster.org 

  is not responding.

On 14.10.2018 18:45, Eric Broch wrote:

You can do one of two things:

1) Upgrade to openssl110e on COS 5 : 
https://www.qmailtoaster.org/newopensslcnt50.html 

 

or 

2) Disable encryption for that particular domain: 
https://www.qmailtoaster.org/notls.html 

 

 

On 10/14/2018 9:05 AM, Tony White wrote:

Hi Eric,
  CentOS 5.11 with QMT qmail-toaster-1.03-1.3.18.x86_64.rpm.
I actually think it is the TLS issues I am coming up against.
However this is the only instance of it failing.




best wishes
  Tony White
 
On 15/10/18 01:53, Eric Broch wrote:

What OS are you running and what version of QMT?

 

On 10/13/2018 7:33 PM, Tony White wrote:

Hi folks,
  I sent an email to a person and got this reply...




TLS connect failed: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 
protocol; connected to xxx.xxx.xxx.xxx.
 
Is this error at my end or theirs?
 
-- 
best wishes
  Tony White
 





-- 
Eric Broch
White Horse Technical Consulting (WHTC)

 





-- 
Eric Broch
White Horse Technical Consulting (WHTC)

 

-- 
Tommi Järvilehto
DataVahti Oy
040 732 8032


RE: [qmailtoaster] I do not understand this error!

2018-10-14 Thread CarlC Internet Services Service Desk
When I see this, it’s because the customer’s email client does not support TLS 
1.1 or 1.2…

 

The last time, for me, it was a Windows 7 PC running Outlook 2007… I had to 
point the client to the websites that show how to install the latest TLS 
support onto Windows 7.

 

Carl

 

From: Tony White [mailto:t...@ycs.com.au] 
Sent: Saturday, October 13, 2018 09:34 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] I do not understand this error!

 

Hi folks,
  I sent an email to a person and got this reply...




TLS connect failed: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 
protocol; connected to xxx.xxx.xxx.xxx.
 
Is this error at my end or theirs?
 
-- 
best wishes
  Tony White
 


[qmailtoaster] LetsEncrypt auto update file...

2018-08-14 Thread CarlC Internet Services Service Desk
Only because others are talking security and LetEncrypt… I put together a 
script that I run AFTER certbot renew checks are run. Figured I would include 
it here for the Qmail community to use:

 

[root@mail7 ~]# more copy_letsencrypt_files.sh
#!/bin/bash
#
# Script to copy lets encrypt files to the right area and restart the needed services.
#
# Initial concept by RCC 06/08.2018
#
# Test if the letsencrypt live cert.pem file was changed in the last 24 hours...
#
if test `find "/etc/letsencrypt/live/secure.carlc.com/cert.pem" -mmin +1440`
then
echo "Cert file is older than 1440 test minutes (24 hours)... STOP!"
exit
fi
echo "Get to work, New cert file is younger than 1440 minutes (24 hours)..."
#
#
# Dovecot just needs a restart as they are using the /etc/letsencrypt/live files already
#
/usr/sbin/service dovecot restart
#
# Qmail SMTP-SSL
#
# Create a new /var/qmail/control/servercert.pem-NEW
#
# NOTE: order is critical, start with private key, then URL cert, then any intermediate files.
#
cat /etc/letsencrypt/live/secure.carlc.com/privkey.pem > /var/qmail/control/servercert.pem-NEW
cat /etc/letsencrypt/live/secure.carlc.com/cert.pem >> /var/qmail/control/servercert.pem-NEW
cat /etc/letsencrypt/live/secure.carlc.com/chain.pem >> /var/qmail/control/servercert.pem-NEW
#
# Swap out files, move current to OLD then NEW to current
#
mv /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem-OLD
mv /var/qmail/control/servercert.pem-NEW /var/qmail/control/servercert.pem
chmod 644 /var/qmail/control/servercert.pem
chown root.vchkpw /var/qmail/control/servercert.pem
#
# Need to restart QMAIL
#
/etc/rc.d/init.d/qmail restart
#
# Webmin (thank you QMAIL, we can use the new PEM file as it's the same format)
#
/usr/sbin/service webmin stop
cat /var/qmail/control/servercert.pem > /etc/webmin/miniserv.pem
/usr/sbin/service webmin start
#
#
#

Obviously, make changes where you need to :) … I’ve had this on a few 
production QMail CentOS 7 servers [with secure.carlc.com changed to the servers 
main FQDN].

 

If this helps anyone, I’m happy.

Carl



RE: [qmailtoaster] tlsserverciphers

2018-06-05 Thread CarlC Internet Services Service Desk
I guess nobody has an idea how to limit SMTP-SSL and SUBMISSION to only allow 
TLS 1, TLS 1.1 and TLS 1.2?

-Original Message-
From: CarlC Internet Services Service Desk [mailto:ab...@carlc.com] 
Sent: Sunday, June 03, 2018 09:38 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] tlsserverciphers

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

It's when I add the :!SSLv3 that I lose SSLv3 [good], TLS1 [bad] and TLS1.1 
[don't care because it's really the same as 1.2].

Carl

-Original Message-
From: Eric Broch [mailto:ebr...@whitehorsetc.com] 
Sent: Sunday, June 03, 2018 09:06 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] tlsserverciphers

I don't think I have had any issues like this with Thunderbird. What's 
your tlsserverciphers file look like?







RE: [qmailtoaster] tlsserverciphers

2018-06-03 Thread CarlC Internet Services Service Desk
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

It's when I add the :!SSLv3 that I lose SSLv3 [good], TLS1 [bad] and TLS1.1 
[don't care because it's really the same as 1.2].

Carl

-Original Message-
From: Eric Broch [mailto:ebr...@whitehorsetc.com] 
Sent: Sunday, June 03, 2018 09:06 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] tlsserverciphers

I don't think I have had any issues like this with Thunderbird. What's 
your tlsserverciphers file look like?







[qmailtoaster] tlsserverciphers

2018-06-02 Thread CarlC Internet Services Service Desk
Is there any way to disable the SSLv3 protocol without it taking out TLS
1.0?

When I add ":-SSLv3" to tlsserverciphers, I end up with just TLS 1.2
working... That's not good for any Thunderbird clients, they can no longer
connect to the smtp-ssl on port 465. Was there a patch, or something done
that can allow us to disable just SSLv3 [like -SSLv2 does for SSLv2]?

Carl


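As an added example that is not from this list or from the qmailtoaster project: a Python audit of a tlsserverciphers (or dovecot ssl_cipher_list) string that shows why `!SSLv3` took TLS 1.0/1.1 down with it in this thread, and flags the suites a scanner run like the OpenVAS tests in the SSL Problem Dovecot thread above would report. The four cipher strings are the ones quoted in those threads; the weak-token list and the function names are my own, and the results reflect the OpenSSL build the local Python is linked against.

```python
"""Vet an OpenSSL cipher string before it goes into
/var/qmail/control/tlsserverciphers or dovecot's ssl_cipher_list.

Added example (not code from the qmailtoaster list or project).  Only the
stdlib ssl module is used, so the output reflects the OpenSSL build this
Python is linked against: run it on the mail server itself.
"""
import re
import ssl

# Suite-name tokens that TLS scanners such as OpenVAS report as weak (my list).
WEAK = re.compile(r"(?:^|-)(?:RC4|RC2|DES|IDEA|MD5|NULL|EXP\d*|ADH|AECDH)(?:-|$)")


def expand(spec):
    """Return the TLS <= 1.2 suites OpenSSL selects for spec, in server preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError when nothing at all matches
    # TLS 1.3 suites are not governed by the cipher string; leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_weak(name):
    return WEAK.search(name) is not None


def legacy_capable(spec):
    """Suites a TLS 1.0 or 1.1 client could still negotiate under spec.

    OpenSSL tags each suite with the protocol that introduced it ("SSLv3",
    "TLSv1", "TLSv1.2").  The cipher-string words SSLv3 and TLSv1 select by
    that tag, not by handshake version (and in OpenSSL 1.0.x the two tags are
    the same bit), so "!SSLv3" strips the suites that TLS 1.0/1.1 handshakes
    rely on.  Protocol versions are limited elsewhere (dovecot's
    ssl_protocols, for example), not in the cipher list.
    """
    return [c["name"] for c in expand(spec)
            if c["protocol"] not in ("TLSv1.2", "TLSv1.3")]


def audit(spec):
    suites = expand(spec)
    legacy = legacy_capable(spec)
    return {
        "total": len(suites),
        "weak": [c["name"] for c in suites if is_weak(c["name"])],
        "legacy_capable": legacy,
        "tls12_only": not legacy,  # True: TLS 1.0/1.1-only clients cannot connect
    }


# The cipher strings quoted in the two threads, for side-by-side comparison.
CANDIDATES = {
    "forum string 1": "!EDH:!DHE:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:"
                      "+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL",
    "forum string 2": "MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES",
    "carl 2018": "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2",
    "carl 2018 + !SSLv3": "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:"
                          "!SSLv2:!SSLv3",
}


def main():
    for label, spec in CANDIDATES.items():
        try:
            report = audit(spec)
        except ssl.SSLError as exc:  # every named suite is absent from this build
            print(f"{label}: rejected by OpenSSL ({exc})")
            continue
        print(f"{label}: {report['total']} suites, weak={report['weak']}, "
              f"legacy-capable={len(report['legacy_capable'])}, "
              f"TLS1.2-only={report['tls12_only']}")


if __name__ == "__main__":
    main()
```

Run it on the server whose OpenSSL qmail links against; a string that reports TLS1.2-only is the situation described in this thread.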



RE: [qmailtoaster] Delivery fail

2018-01-19 Thread CarlC Internet Services Service Desk
I seem to remember this has something to do with DNS… I know if the box is running 
its own BIND, then restart bind [ranges from “/etc/rc.d/init.d/named restart” 
to systemctl restart named].

 

Carl

 

 

From: Jeff Koch [mailto:jeffk...@intersessions.com] 
Sent: Friday, January 19, 2018 11:17 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Delivery fail

 


Hi:

We see entries like this in the qmail/send log when clients try to send to a 
particular domain:

2018-01-18 14:49:03.821437500 starting delivery 93767: msg 21453716 to remote 
mvelasq...@prevenir.com.ec  
2018-01-18 14:49:39.016795500 delivery 93767: deferral: 
CNAME_lookup_failed_temporarily._(#4.4.3)/


Does anyone know what this entry is trying to tell us? and what would a CNAME 
lookup have to do with sending email?

Jeff





[qmailtoaster] Fail2ban for Squirrelmail.

2017-12-29 Thread CarlC Internet Services Service Desk
Dan,

I have it working showing the IP address:

In /etc/fail2ban/jail.conf:

# squirrelmail
[squirrelmail-iptables]
enabled  = true
filter   = squirrelmail
action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
   sendmail-squirrelmail[name=SquirrelMail,dest=ab...@carlc.com, 
sender=ab...@carlc.com]
# adjust logpath with Squirrelmail's squirrel_logger plugin log
logpath  = /var/log/squirrelmail.log
maxretry = 5


-Then in /etc/fail2ban/filter.d/squirrelmail.conf


[Definition]

failregex = ^ \[LOGIN_ERROR\].*from <HOST>: Unknown user or password 
incorrect\.$

ignoreregex =

[Init]

datepattern = ^%%m/%%d/%%Y %%H:%%M:%%S

# DEV NOTES:
#
# Author: Daniel Black

For sendmail-squirrelmail in /etc/fail2ban/action.d, I copied 
sendmail-whois-lines.conf to sendmail-squirrelmail.conf and changed the very 
last line to:

# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /var/log/squirrelmail.log

I hope this helps...
Carl





RE: [qmailtoaster] connection issues again.

2017-12-29 Thread CarlC Internet Services Service Desk
Would FAIL2BAN be an ideal setup here? I use it to control the attacks 
[example: more than 10 failed logins in 1 day, you're banned for "X" hours].

Fail2ban also works with the SquirrelMail, Roundcube, etc... I have it setup on 
SMTP, SMTPS, SUBMISSION, POP3s and IMAPs. You can also use FAIL2BAN for SSH and 
ftp. The part I like, you can have fail2ban to send you an email that looks 
like this:

example

The IP 202.62.224.40 has just been banned by Fail2Ban after
10 attempts against pop3.


Lines containing IP:202.62.224.40 in /var/log/maillog

Dec 28 21:49:59 mail7 spamdyke[978]: DENIED_RELAYING from: x...@tea.com to: 
eax...@yahoo.com origin_ip: 202.62.224.40 origin_rdns: solar.ortel.net auth: 
(unknown) encryption: (none) reason: (empty)
Dec 28 21:50:24 mail7 vpopmail[1202]: vchkpw-smtp: null password given 
Newsletter:202.62.224.40
Dec 28 21:51:11 mail7 vpopmail[1263]: vchkpw-smtp: null password given 
Company:202.62.224.40
Dec 28 21:51:46 mail7 vpopmail[1324]: vchkpw-smtp: null password given 
root:202.62.224.40
Dec 28 21:52:58 mail7 vpopmail[1451]: vchkpw-smtp: null password given 
temp:202.62.224.40
Dec 28 21:53:18 mail7 vpopmail[1492]: vchkpw-smtp: null password given 
Test:202.62.224.40
Dec 28 21:54:22 mail7 vpopmail[1577]: vchkpw-smtp: null password given 
abuse:202.62.224.40
Dec 28 21:54:42 mail7 vpopmail[1598]: vchkpw-smtp: null password given 
MYSQL:202.62.224.40
Dec 28 21:55:16 mail7 vpopmail[1804]: vchkpw-smtp: null password given 
office:202.62.224.40
Dec 28 21:55:44 mail7 vpopmail[1844]: vchkpw-smtp: vpopmail user not found 
customer@:202.62.224.40
Dec 28 21:56:07 mail7 vpopmail[1870]: vchkpw-smtp: vpopmail user not found 
company@:202.62.224.40
Dec 28 21:56:50 mail7 vpopmail[1920]: vchkpw-smtp: vpopmail user not found 
testing@:202.62.224.40
Dec 28 21:57:19 mail7 vpopmail[1961]: vchkpw-smtp: vpopmail user not found 
temp@:202.62.224.40
Dec 28 21:57:39 mail7 vpopmail[1991]: vchkpw-smtp: vpopmail user not found 
test@:202.62.224.40
Dec 28 21:59:11 mail7 vpopmail[2288]: vchkpw-smtp: vpopmail user not found 
newsletter@:202.62.224.40
Dec 28 21:59:37 mail7 vpopmail[2473]: vchkpw-smtp: vpopmail user not found 
customer@:202.62.224.40
Dec 28 22:00:05 mail7 vpopmail[2826]: vchkpw-smtp: vpopmail user not found 
company@:202.62.224.40
Dec 28 22:00:49 mail7 vpopmail[2888]: vchkpw-smtp: vpopmail user not found 
testing@:202.62.224.40
Dec 28 22:01:05 mail7 vpopmail[2919]: vchkpw-smtp: vpopmail user not found 
postmaster@:202.62.224.40

end example

If needed, I can post a few fail2ban scripts but I'm pretty sure they are 
available on the web for qmail if you search for them.

Carl

-Original Message-
From: A. Galatis [mailto:a...@unet.de] 
Sent: Friday, December 29, 2017 10:25 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] connection issues again.

Hi Tony,

I have a script counting authentication errors from IP addresses.
If an address appears more than my threshold it is blocked via iptables.
The log where I count is the usual maillog.

Andreas

-Original Message-
From: jin [mailto:jinhit...@gmail.com] 
Sent: Friday, 29 December 2017 15:59
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] connection issues again.

Hi Remo
Are you using some kind of autonomous app/script to block them? If so, what kind 
of app/script are you using to drop them?

On 29 Dec 2017 5:19 p.m., "Remo Mattei"  wrote:


Yes I created some rules based on connection time like 30 sec 5 min 30 
min etc. Dropped them.

On 29 Dec 2017, at 06:07, Solo wrote:

Hi Tony.

Yes I see a lot - in my logs I think it's those spammers that try to
connect to your server using a lot of different names and end up getting
refused by vpopmail - see my logwatch file below (all ip addresses match
log entries in maillog and vpopmail)

- vpopmail Begin 


No Such User Found:
   4f3c5634.2010906@ - 1 Time(s)
   abc@ - 1 Time(s)
   ada@ - 1 Time(s)
   agenda@ - 1 Time(s)
   am@ - 1 Time(s)
   benson@ - 1 Time(s)
   biblioteca@ - 1 Time(s)
   caja@ - 1 Time(s)
   careers@ - 1 Time(s)

and so on

they time out usually.

Others!  correct if I'm wrong...

Regards,
Finn Von B

> Den 29-12-2017 kl. 14:40 skrev Tony White:
> Hi folks,
>   Is anyone else seeing a single ip connecting hundreds even thousands
> of times but never sending any mail? I end up blocking these using 
iptables
> but I do not understand why it is happening.
>
> TIA
>
> Example
> 2017-12-30 00:31:31.653614500 tcpserver: status: 2/100
  
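As an added example that is not from this list or from fail2ban: the per-IP counting Andreas describes, with the maxretry/findtime logic of the fail2ban jail shown in the Squirrelmail message above, run over the vpopmail lines quoted in Carl's message plus two constructed lines for a second address (198.51.100.7 is a documentation range). The failregex is my own, written in fail2ban's `<HOST>` style for the two vpopmail messages visible in that excerpt.

```python
"""Count vpopmail authentication failures per source IP and decide which
addresses a fail2ban jail (maxretry within findtime) would ban.

Added example, not code from the qmailtoaster list or from fail2ban.  The
pattern is written the way fail2ban filter files are, with <HOST> standing
for the client address; the message texts are the ones in the maillog
excerpt quoted above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILREGEX = (r"vpopmail\[\d+\]: vchkpw-\w+: "
             r"(?:null password given|vpopmail user not found) \S*:<HOST>\s*$")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only, like the excerpt
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")

# First eight lines are from the excerpt above; the last two are constructed.
SAMPLE_MAILLOG = """\
Dec 28 21:49:59 mail7 spamdyke[978]: DENIED_RELAYING from: x...@tea.com to: eax...@yahoo.com origin_ip: 202.62.224.40 origin_rdns: solar.ortel.net auth: (unknown) encryption: (none) reason: (empty)
Dec 28 21:50:24 mail7 vpopmail[1202]: vchkpw-smtp: null password given Newsletter:202.62.224.40
Dec 28 21:51:11 mail7 vpopmail[1263]: vchkpw-smtp: null password given Company:202.62.224.40
Dec 28 21:51:46 mail7 vpopmail[1324]: vchkpw-smtp: null password given root:202.62.224.40
Dec 28 21:52:58 mail7 vpopmail[1451]: vchkpw-smtp: null password given temp:202.62.224.40
Dec 28 21:53:18 mail7 vpopmail[1492]: vchkpw-smtp: null password given Test:202.62.224.40
Dec 28 21:55:44 mail7 vpopmail[1844]: vchkpw-smtp: vpopmail user not found customer@:202.62.224.40
Dec 28 21:56:07 mail7 vpopmail[1870]: vchkpw-smtp: vpopmail user not found company@:202.62.224.40
Dec 28 21:57:03 mail7 vpopmail[1901]: vchkpw-pop3: vpopmail user not found bob@:198.51.100.7
Dec 28 21:58:40 mail7 vpopmail[1955]: vchkpw-pop3: null password given alice:198.51.100.7
""".splitlines()


def compile_failregex(pattern=FAILREGEX):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST))


def parse_failures(lines, year=2017, regex=None):
    """Yield (timestamp, ip) for every line matching the failregex.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    regex = regex or compile_failregex()
    for line in lines:
        m = regex.search(line)
        if not m:
            continue  # unrelated line, e.g. the spamdyke DENIED_RELAYING entry
        ts = SYSLOG_TS.match(line)
        if not ts:
            continue
        when = datetime.strptime(f"{year} {ts['ts']}", "%Y %b %d %H:%M:%S")
        yield when, m["host"]


def bans(lines, maxretry=5, findtime=600, year=2017):
    """Return {ip: time_of_ban} for addresses reaching maxretry failures
    inside a sliding window of findtime seconds (fail2ban's semantics)."""
    window = defaultdict(deque)
    banned = {}
    for when, ip in sorted(parse_failures(lines, year)):
        if ip in banned:
            continue
        q = window[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = when
    return banned


def main():
    counts = defaultdict(int)
    for _, ip in parse_failures(SAMPLE_MAILLOG):
        counts[ip] += 1
    for ip, when in bans(SAMPLE_MAILLOG).items():
        print(f"{ip}: {counts[ip]} failures, ban would start at {when:%H:%M:%S}")
    for ip in counts.keys() - bans(SAMPLE_MAILLOG).keys():
        print(f"{ip}: {counts[ip]} failures, below maxretry")


if __name__ == "__main__":
    main()
```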

RE: Re: [qmailtoaster] probles error 4.4.2

2017-07-21 Thread CarlC Internet Services Service Desk
On the DNS, why do we get two answers??

 

nslookup 186.18.13.252
Server: 8.8.4.4
Address:8.8.4.4#53

Non-authoritative answer:
252.13.18.186.in-addr.arpa  name = sistemas-sg.com.ar.
252.13.18.186.in-addr.arpa  name = mail.sistemas-sg.com.ar.

Authoritative answers can be found from:

 

Could that be part of the cause?

Carl

 

From: Eric Broch [mailto:ebr...@whitehorsetc.com] 
Sent: Friday, July 21, 2017 02:35 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Fwd: Re: [qmailtoaster] probles error 4.4.2

 

 

Does this happen every time for addresses like 190.139.111.5 or just some of 
the time. In other words will mail to 190.139.111.5 work sometimes and 
sometimes not?

On 7/21/2017 12:27 PM, Gustavo De Poli wrote:

yes 

 

 

2017-07-21 15:27 GMT-03:00 Eric Broch :

So mail from 186.18.13.252 (your address) to outside addresses (like 
190.139.111.5) fail, is this correct?

 

On 7/21/2017 12:23 PM, Gustavo De Poli wrote:

NO my new IP is 186.18.13.252

 

2017-07-21 15:23 GMT-03:00 Eric Broch :

Is 190.139.111.5 your new public IP? 




On 7/21/2017 11:01 AM, Gustavo De Poli wrote:

Hi everybody.

(sorry for my English)

I have had qmail for 3 years, on CentOS 6, behind another CentOS box with 
iptables and NAT.

10 days ago my ISP changed my public IP.
From that day, some mails get me this error...

 " Connected_to_190.139.111.5_but_connection_died._(#4.4.2)/ "

I checked DNS and I suppose it is good..

Where must I look for the problem??



 

-- 
Eric Broch
White Horse Technical Consulting (WHTC)

 





-- 
Eric Broch
White Horse Technical Consulting (WHTC)

 





-- 
Eric Broch
White Horse Technical Consulting (WHTC)


RE: [qmailtoaster] POP3 Secure on port 995

2017-05-26 Thread CarlC Internet Services Service Desk
Oops... Forgot to say that if you're running dovecot:

For CentOS 7 / Qmail server:  look in /etc/dovecot/dovecot.conf and make all 
changes there.

Carl

-Original Message-
From: CarlC Internet Services Service Desk [mailto:ab...@carlc.com] 
Sent: Friday, May 26, 2017 12:43 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] POP3 Secure on port 995

Tony,

While you're fixing that, check out 
http://www.qmailwiki.org/Qmail-control-files#control.2Ftlsserverciphers ...

You can kill off all the older hackable SSLv2 and even kill off SSLv3 and TLSv1 
if you don't have customers on older equipment/phones.

I use the following ssltest.sh script from 
http://www.tuxad.de/blog/archives/2014/10/04/script_to_test_supported_ssl_ciphers/index.html
 . It will give you a list of available protocols and you can check to see if 
any have leaks/vulnerabilities. 

Carl


-Original Message-
From: Tony White [mailto:t...@ycs.com.au] 
Sent: Friday, May 26, 2017 08:13 AM
To: Jaime Lerner
Subject: Re: [qmailtoaster] POP3 Secure on port 995

Hmm,
   Sorry to all I found out why it was not working.
I was trying to use STARTTLS not SSL/TLS.
All happy now.

If you want to test the certificate on your system try using this...

  openssl s_client -connect mail.yourservername.com:995

change the port to check other secure connections.

best wishes
   Tony White

On 26/05/2017 21:54, Tony White wrote:

> Hi all,
>   Can someone please point me to a doc or explain why
> I am unable to make use of secure pop3?
>   The port is open ie firewall but when I connect it simply
> times out.
>   I would love this to work but cannot find an answer yet.
>
> TIA ;)
>





RE: [qmailtoaster] POP3 Secure on port 995

2017-05-26 Thread CarlC Internet Services Service Desk
Tony,

While you're fixing that, check out 
http://www.qmailwiki.org/Qmail-control-files#control.2Ftlsserverciphers ...

You can kill off all the older hackable SSLv2 and even kill off SSLv3 and TLSv1 
if you don't have customers on older equipment/phones.

I use the following ssltest.sh script from 
http://www.tuxad.de/blog/archives/2014/10/04/script_to_test_supported_ssl_ciphers/index.html
It will give you a list of available protocols and you can check to see if 
any have leaks/vulnerabilities. 

Carl


-Original Message-
From: Tony White [mailto:t...@ycs.com.au] 
Sent: Friday, May 26, 2017 08:13 AM
To: Jaime Lerner
Subject: Re: [qmailtoaster] POP3 Secure on port 995

Hmm,
   Sorry to all, I found out why it was not working.
I was trying to use STARTTLS, not SSL/TLS.
All happy now.

If you want to test the certificate on your system try using this...

  openssl s_client -connect mail.yourservername.com:995

Change the port to check other secure connections.

best wishes
   Tony White

On 26/05/2017 21:54, Tony White wrote:

> Hi all,
>   Can someone please point me to a doc or explain why
> I am unable to make use of secure pop3?
>   The port is open ie firewall but when I connect it simply
> times out.
>   I would love this to work but cannot find an answer yet.
>
> TIA ;)
>


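The two messages above (Carl's pointer to the tlsserverciphers control file and the ssltest.sh script, and Tony's `openssl s_client -connect mail.yourservername.com:995` check) both come down to the same question: which protocol versions does the POP3S/IMAPS listener still accept? The script below is an added example, not the tuxad.de script and not part of the list posts. It runs Tony's one-liner once per protocol version and reports which ones the server completed a handshake for, so you can confirm that SSLv3/TLSv1 are really off after editing the control file. The host name, port and the `QUIT` line are assumptions; the transcripts used to check the classifier are constructed.

```shell
#!/bin/sh
# Added example (not from the list posts or the tuxad.de script): probe which
# SSL/TLS protocol versions a mail service accepts, one openssl s_client run
# per version, the way Tony's one-liner does by hand.
# Usage: probe_protocols mail.yourservername.com 995   (host/port assumed)

# Classify one openssl s_client transcript as "accepted" or "rejected".
# A completed handshake prints "Cipher    : <name>" in the SSL-Session block;
# a failed one prints "Cipher    : 0000" or no session block at all (an
# unsupported option such as -ssl3 on a build without SSLv3 prints an error).
tls_result() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ''|0000) echo rejected ;;
        *)       echo accepted ;;
    esac
}

# Protocol version flags to try, oldest first.
PROTOCOL_FLAGS="-ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3"

# Talk to host:port once per protocol flag and print "<version> <result>".
# Sending QUIT makes the POP3/IMAP server close the session cleanly.
probe_protocols() {
    host=$1; port=$2
    for flag in $PROTOCOL_FLAGS; do
        out=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" "$flag" 2>&1)
        printf '%-7s %s\n' "${flag#-}" "$(tls_result "$out")"
    done
}

# Exit 0 when SSLv3, TLSv1.0 or TLSv1.1 is still accepted, 1 otherwise,
# so the check can be wired into a nightly cron job or a monitoring script.
legacy_protocols_enabled() {
    probe_protocols "$1" "$2" | grep -Eq '^(ssl3|tls1|tls1_1) +accepted$'
}
```

Run it against your own POP3S (995), IMAPS (993) and SMTPS (465) ports after changing `control/tlsserverciphers` and restarting the services; a version listed as `accepted` is one a client can still negotiate.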



[qmailtoaster] New updates maybe have spamdyke issues.

2017-05-16 Thread CarlC Internet Services Service Desk
This morning, upgraded the following:

May 16 06:37:45 Updated: spamassassin-3.4.1-1.qt.el7.x86_64
May 16 06:37:56 Updated: simscan-1.4.0-1.qt.el7.x86_64
May 16 06:37:56 Updated: jasper-libs-1.900.1-30.el7_3.x86_64
May 16 06:37:57 Updated: ghostscript-9.07-20.el7_3.5.x86_64
May 16 06:38:07 Updated: qmailmrtg-4.2-3.qt.el7.x86_64
May 16 06:38:07 Updated: spamdyke-5.0.1-0.qt.el7.x86_64

Found that some commands have changed; before going nuts, I recommend
everyone read:

http://www.spamdyke.org/documentation/UPGRADING_version_4_to_version_5.txt

I had a few changes that are required in spamdyke.conf... You will see SMTP up
[port 25] but you won't connect until spamdyke.conf is upgraded.

Carl





RE: [qmailtoaster] Centos 5 and PCRE

2017-03-07 Thread CarlC Internet Services Service Desk
From: Gary Bowling [mailto:g...@gbco.us]

> Now the question is... how important is it to upgrade to Centos6 or Centos7?

I did it to get openssl-1.0.x and kill anything below TLS 1.1. CentOS 5 is 
limited to openssl-0.9.6 unless you do major surgery [maybe easier now but 
getting openssl-1.0.x was a hardship a few years ago for CentOS 5], you could 
not get TLS 1.1 or 1.2 on CentOS 5. I have had a few clients get hacked a few 
years ago due to SSLv2 [note: They were using free WiFi anywhere they could] 
when SSLv2 was first found to have issues.

Carl



RE: [qmailtoaster] Sending outbound email works, but takes about 10 seconds.

2017-02-21 Thread CarlC Internet Services Service Desk
Found the slowness...

In the "run" file for smtp-ssl, I have:

BLACKLIST=`cat /var/qmail/control/blacklists-ssl`

Well, that file does not exist, so that plays havoc with:

exec /usr/bin/softlimit -m 128000 \
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
$RBLSMTPD $BLACKLIST $SMTPD $VCHKPW /bin/true 2>&1

Created a blacklists-ssl file with a minimal "-r b.barracudacentral.org" and
now sending is fast as can be...

Carl





RE: [qmailtoaster] Sending outbound email works, but takes about 10 seconds.

2017-02-19 Thread CarlC Internet Services Service Desk


-Original Message-
From: Tonix -
> Check your dns. It looks like it takes time to solve client reverse ip.

I'm using 8.8.4.4, 4.2.2.1 and 8.8.8.8... They do run pretty fast. That's in
/etc/resolv.conf. It's the same setting as the old Email server had.

Does QMail use a different place to look it up?

Carl





RE: [qmailtoaster] Squirrelmail stopped working.

2017-02-19 Thread CarlC Internet Services Service Desk
Eric,

Yeah, found it... It was the fact conf.pl is NOT modifying the right file...


Turns out all of the settings are in /etc/squirrelmail/config_local.php.

I had to manually edit that file to $imap_auth_mech = 'login' and it
works...

Carl

-Original Message-
From: Eric Broch [mailto:ebr...@whitehorsetc.com] 
Sent: Sunday, February 19, 2017 10:53 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Squirrelmail stopped working.

Did you restart dovecot?


On 2/19/2017 7:25 AM, CarlC Internet Services Service Desk wrote:
> Now, this one is just weird... I tested squirrelmail and even had others
> test before changing the IP address to make a server live...
>
> After changing the IP address, squirrelmail fails to login. But here's the
> fun part, it's set to use localhost. Maybe someone else can see what I'm
> missing:
>
> Using /usr/share/squirrelmail/config/conf.pl, I have:
>
> IMAP Settings
> --
> 4.  IMAP Server: localhost
> 5.  IMAP Port  : 143
> 6.  Authentication type: digest-md5
> 7.  Secure IMAP (TLS)  : false
> 8.  Server software: uw
> 9.  Delimiter  : /
>
> When I try to login via squirrelmail, dovecot shows the following:
>
> Feb 19 09:14:20 imap-login: Info: Aborted login (auth failed, 1 attempts in
> 2 secs): user=, method=DIGEST-MD5,
> rip=127.0.0.1, lip=127.0.0.1, secured, session=<PaM6w+JI+Np/AAAB>
>
> And squirrelmail configtest only complains about short tags in PHP being
> off.
>
> Carl
>

-- 
Eric Broch, IMSO, DAM, NGOO, DITH, URTS
White Horse Technical Consulting (WHTC)





RE: [qmailtoaster] Sending outbound email works, but takes about 10 seconds.

2017-02-19 Thread CarlC Internet Services Service Desk


-Original Message-
From: Eric Broch

> does this happen in your webmail, squirrelmail and roundcube?


Nope... Only with anything using smtp-ssl (port 465)...

Carl





[qmailtoaster] Squirrelmail stopped working.

2017-02-19 Thread CarlC Internet Services Service Desk
Now, this one is just weird... I tested squirrelmail and even had others
test before changing the IP address to make a server live...

After changing the IP address, squirrelmail fails to login. But here's the
fun part, it's set to use localhost. Maybe someone else can see what I'm
missing:

Using /usr/share/squirrelmail/config/conf.pl, I have:

IMAP Settings
--
4.  IMAP Server: localhost
5.  IMAP Port  : 143
6.  Authentication type: digest-md5
7.  Secure IMAP (TLS)  : false
8.  Server software: uw
9.  Delimiter  : /

When I try to login via squirrelmail, dovecot shows the following:

Feb 19 09:14:20 imap-login: Info: Aborted login (auth failed, 1 attempts in
2 secs): user=, method=DIGEST-MD5,
rip=127.0.0.1, lip=127.0.0.1, secured, session=

And squirrelmail configtest only complains about short tags in PHP being
off.

Carl








[qmailtoaster] Sending outbound email works, but takes about 10 seconds.

2017-02-19 Thread CarlC Internet Services Service Desk

With a newly installed QMT, when we send emails, it works... But it takes
about 10 seconds.. It just sits at sending on the client side waiting for
the server to complete. Before I go digging into this, has anyone else seen
this? Or is it some simple setting I've missed :)

Thanks,
Carl





RE: [qmailtoaster] Validating RBLs are in use

2017-02-14 Thread CarlC Internet Services Service Desk
Chris,

I loaded a stock QMT install, and in /var/qmail/supervise/smtp/run, it has the 
line:

BLACKLIST=`cat /var/qmail/control/blacklists`

Which is used by SMTP before SPAMDYKE is called:

exec /usr/bin/softlimit -m 6400 \
 /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
 -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
 $RBLSMTPD $BLACKLIST \
 $SPAMDYKE --config-file $SPAMDYKE_CONF \
 $SMTPD $VCHKPW /bin/true 2>&1

I would think you could use either blacklists in /var/qmail/control/ or the 
spamdyke config. Either should work... Using RBL to block it might be 
faster/less load on the server than waiting for SpamDyke to startup, but either 
way will work.

And for blacklist in /var/qmail/control/blacklists, mine is:

-r b.barracudacentral.org -r bl.spamcop.net -r zen.spamhaus.org -r 
cbl.abuseat.org -r dul.dnsbl.sorbs.net

Note: to use barracudacentral, you must sign up with them and give them your IP 
address to allow access. So don't Copy/Paste this unless you're signed up with 
barracuda. It is free, and barracuda only blocks KNOWN/HARD spammers.

In either case, you would see the blocks in the /var/log/qmail/smtp/current [or 
other files in that area].

Carl


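The run-file fragments in this message and in the earlier "Sending outbound email works, but takes about 10 seconds" thread share one weak spot: `BLACKLIST=\`cat /var/qmail/control/blacklists\`` passes whatever is in that file straight onto the tcpserver/rblsmtpd command line, and when the file is missing (as with the smtp-ssl run file) the variable ends up empty with only a cat error in the log. The helpers below are an added example, not the QMT run file or anything from the posts: one reads the control file without failing when it is absent, one refuses anything that is not a `-r <zone>` pair, and one counts rblsmtpd rejections in the smtp log so you can confirm the RBLs are actually in use. The file path and the log lines in the test are constructed, in the shape of tcpserver/rblsmtpd output.

```shell
#!/bin/sh
# Added example, not the QMT supervise/smtp run file: helpers for the
# /var/qmail/control/blacklists file that the run file feeds to rblsmtpd.
# Paths are assumptions; log lines used for checking are constructed.

# Read "-r zone" pairs from a blacklists file, joined into one argument
# string. A missing file gives an empty string plus a warning instead of a
# cat error, so tcpserver still gets a sane command line.
rbl_args_from_file() {
    if [ ! -r "$1" ]; then
        echo "warning: $1 not found, no RBLs loaded" >&2
        return 0
    fi
    set -- $(cat "$1")
    printf '%s\n' "$*"
}

# Sanity-check the argument string: only "-r <dns-zone>" pairs are allowed,
# so a typo in the control file cannot turn into a stray tcpserver option.
validate_rbl_args() {
    set -- $1
    while [ $# -gt 0 ]; do
        [ "$1" = "-r" ] || { echo "bad token: $1" >&2; return 1; }
        [ $# -ge 2 ] || { echo "dangling -r" >&2; return 1; }
        printf '%s' "$2" | grep -Eq '^[A-Za-z0-9.-]+$' \
            || { echo "bad zone: $2" >&2; return 1; }
        shift 2
    done
    return 0
}

# Count rblsmtpd rejections in smtp log text read from stdin, split into
# temporary (4xx, the default for most zones) and permanent (5xx, -b) ones.
count_rbl_blocks() {
    awk '/rblsmtpd:/ && /: 4[0-9][0-9] / { temp++ }
         /rblsmtpd:/ && /: 5[0-9][0-9] / { perm++ }
         END { printf "temp=%d perm=%d\n", temp, perm }'
}

# Putting it together for a run file: load, validate, and only then export.
load_blacklist() {
    BLACKLIST=$(rbl_args_from_file "${1:-/var/qmail/control/blacklists}")
    validate_rbl_args "$BLACKLIST" || { echo "refusing bad blacklist file" >&2; return 1; }
    export BLACKLIST
}
```

A quick `tail -n 1000 /var/log/qmail/smtp/current | count_rbl_blocks` on a live server tells you whether the zones are doing anything; `temp=0 perm=0` over a busy period usually means rblsmtpd is not in the chain or DNS lookups are failing.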



RE: [qmailtoaster] Roundcube with QMT

2017-02-14 Thread CarlC Internet Services Service Desk
Angus,

Thanks, your setups helped. I used Eric's to get it running, then read over 
yours and added a few goodies. This was the perfect 1-2 punch to get roundcube 
running on our new CentOS 7 server.

Carl





RE: [qmailtoaster] Roundcube with QMT

2017-02-14 Thread CarlC Internet Services Service Desk
> It is that simple!
> Roundcube comes with EPEL
>
> Again, look at the top of the page, here: 
> http://www.qmailtoaster.com/extras.html

Eric,

You're right, it was that simple :) ... Got it working thanks to the instructions.

Thanks, I owe you a beer.
Carl





[qmailtoaster] Roundcube with QMT

2017-02-13 Thread CarlC Internet Services Service Desk
Dan,

Cool, I was always interested in Roundcube.

Any gotchas on installation? Or do I just "yum install roundcube" [Doubt
it's that easy or I would be that lucky] :) ?

Thanks!
Carl

-Original Message-
From: Dan McAllister 

Roundcube is the service most of my clients prefer.
It will work with either Courier or Dovecot
It can work side-by-side with other webmail options (that's how I determined
that my clients prefer RC -- I let them choose!)

Dan






[qmailtoaster] SQwebmail

2017-02-12 Thread CarlC Internet Services Service Desk
For our newer CentOS 7 qmail servers, does anyone have a recommended
procedure to build SQwebmail [and do we need to load Courier? I hope not].
We have squirrelmail working [thank you Eric], but wanted to see what other
webmail type applications we can load, and we have a few users who want to
stay with SQwebmail.

How about Roundcube?

Do these require rebuilding the qmail server [for example: Roundcube
requires --with-pdo-mysql]? Or is it as simple as "yum install roundcube"
and configure to your needs?

Again, Thanks in advance!
Carl







RE: [qmailtoaster] Converting an old Qmail server with old short passwords to newer Qmail

2017-02-12 Thread CarlC Internet Services Service Desk
Cool, I've seen John's website before and it's helped before. Thanks for
pointing it out.

Your scripts saved me. I was able to see that in all the domains, only MINE
[the oldest] has this problem :) . THOSE passwords I can reinsert using
qmailadmin. All other domains on the server have the proper "1$1" type
password.

Thank you!

Carl

From: Eric Broch [mailto:ebr...@whitehorsetc.com] 
Sent: Sunday, February 12, 2017 03:28 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Converting an old Qmail server with old short
passwords to newer Qmail

Hi Carl,

I don't know if this will help but from John Simpson's web I found a
tutorial on converting Sendmail to Qmail here
<https://qmail.jms1.net/sendmail-migration.shtml> .

On it he shows how to bring passwords over from Sendmail, and it seems
Sendmail only has encrypted email passwords.

John uses "./vadduser -e 'encrypted password' a...@domain.tld" to add email
accounts.

Since your email addresses are already added could you not use the following
command:

./vmoduser -e 'encrypted password' a...@domain.tld

To do something similar? 

John, used a bash script (redirected to create another script) to extract
the usernames and passwords from Sendmail printing them in a formatted
command (vadduser) string (see link above).

You could extract password from your mysql account with the following
commands:

1) Build a domain list:

echo "show tables" | mysql -u vpopuser -ppassword vpopmail \
  | grep -v valias | grep -v lastauth | grep -v dir_control | grep -v Tables_in_vpopmail

2) Dump the users in the domain:

echo "select pw_passwd, pw_name from $domain_tld where pw_clear_passwd='unknown'" \
  | mysql -u vpopuser -ppassword vpopmail | grep -v pw_passwd

Eric

P.S. I hope this helps.

On 2/11/2017 11:17 PM, CarlC Internet Services Service Desk wrote:

> I'm converting an older CentOS 5 server [which started life as a CentOS 4
> server many years ago] to a new CentOS 7 server.
>
> I've moved everything over, and was doing rsyncs [and Database updates of
> vpopmail/valias].
>
> I've hit an interesting problem, the new CentOS 7 server will not allow me
> to login/access an email account with the old style 12-14 length encrypted
> password. I even tried old_passwords=1 in my.cnf thinking that might enable
> the old MySQL V4 password format as it looks like that. Any of the newer
> accounts that have the longer encrypted password work fine. The other hint
> that an email address will work is if the pw_clear_password is not unknown,
> then it works.
>
> I can run vchangepw against the account, then it works... I then see the new
> longer format, but this does not help me in that many of these email
> accounts I do not have the original password.
>
> Is there any easy way to find all the older accounts with old passwords and
> convert them to the new format. Almost a "if pw_clear_password = unknown,
> then upgrade password to new password". I have around 200+ domains with
> plenty of email accounts that have the old format... 
>
> Thanks,
> Carl

-- 
Eric Broch, IMSO, DAM, NGOO, DITH, URTS
White Horse Technical Consulting (WHTC)
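Eric's two-step dump (list the domain tables, then pull `pw_passwd, pw_name` per domain) gives you the raw hashes, and Carl's symptom is the 12-14 character hash versus the longer `$1$` one. The script below is an added example, not Eric's or John Simpson's script: it recognises the crypt(3) scheme of each `pw_passwd` value from its shape, so a dump can be reduced to the list of accounts still on traditional DES crypt that need a password reset. The credentials file path is an assumption, used in place of `-ppassword` so the MySQL password never shows up in `ps` or shell history; the sample rows in the test are constructed.

```shell
#!/bin/sh
# Added example, not Eric's or John Simpson's script: classify the crypt
# hashes in a vpopmail dump and list the accounts still on legacy DES crypt.
# /root/.vpopmail.cnf is an assumed my.cnf-style file holding user/password.

# Name the crypt(3) scheme of one pw_passwd value by its prefix or shape.
hash_kind() {
    case "$1" in
        '$1$'*) echo md5-crypt ;;
        '$5$'*) echo sha256-crypt ;;
        '$6$'*) echo sha512-crypt ;;
        *)
            # Traditional DES crypt is exactly 13 characters of [A-Za-z0-9./]
            # (2-character salt plus 11 characters of hash).
            if printf '%s' "$1" | grep -Eq '^[A-Za-z0-9./]{13}$'; then
                echo des-crypt
            else
                echo unknown
            fi ;;
    esac
}

# Read "pw_passwd<TAB>pw_name" rows on stdin (mysql's tab-separated output)
# and print the names whose hash is still traditional DES.
legacy_accounts() {
    while IFS="$(printf '\t')" read -r hash name; do
        [ -n "$name" ] || continue
        [ "$(hash_kind "$hash")" = des-crypt ] && printf '%s\n' "$name"
    done
    return 0
}

# Dump one domain table's rows. -N drops the column header so no
# "grep -v pw_passwd" is needed; backticks protect odd table names.
dump_domain_users() {
    echo "select pw_passwd, pw_name from \`$1\`" \
        | mysql --defaults-extra-file=/root/.vpopmail.cnf -N vpopmail
}

# Report "domain user" for every legacy account in the listed domain tables.
# Usage: report_legacy example_com example_net
report_legacy() {
    for table in "$@"; do
        dump_domain_users "$table" | legacy_accounts | sed "s/^/$table /"
    done
}
```

Accounts printed by `report_legacy` are the ones to reset with `vmoduser`/qmailadmin; everything else already carries a salted MD5 (or stronger) hash and can be left alone.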


[qmailtoaster] Converting an old Qmail server with old short passwords to newer Qmail

2017-02-11 Thread CarlC Internet Services Service Desk

I'm converting an older CentOS 5 server [which started life as a CentOS 4
server many years ago] to a new CentOS 7 server.

I've moved everything over, and was doing rsyncs [and Database updates of
vpopmail/valias].

I've hit an interesting problem, the new CentOS 7 server will not allow me
to login/access an email account with the old style 12-14 length encrypted
password. I even tried old_passwords=1 in my.cnf thinking that might enable
the old MySQL V4 password format as it looks like that. Any of the newer
accounts that have the longer encrypted password work fine. The other hint
that an email address will work is if the pw_clear_password is not unknown,
then it works.

I can run vchangepw against the account, then it works... I then see the new
longer format, but this does not help me in that many of these email
accounts I do not have the original password.

Is there any easy way to find all the older accounts with old passwords and
convert them to the new format. Almost a "if pw_clear_password = unknown,
then upgrade password to new password". I have around 200+ domains with
plenty of email accounts that have the old format... 

Thanks,
Carl





RE: [qmailtoaster] Uptick in spam / sa-learn

2017-01-30 Thread CarlC Internet Services Service Desk
From: Eric Broch [mailto:ebr...@whitehorsetc.com]

> I know of another individual who uses a Barracuda Anti-Spam appliance that 
> works well.

Eric, IMHO, hit the nail on the head. Don’t expect the mail server [or should I 
say Qmail server] to handle the front end spam. We use Barracuda with great 
results. They have both an appliance [our setup] or you can go through their 
services. Trouble is, many of these come at a cost, and some are big bucks. 

I have used one that is opensource for our clients who want their own, and it’s 
been pretty good. It’s EFA Project [efa-project.org]. It’s done a reasonable 
job for the cost, but it does require tinkering to get just right.

And yes, Spammers are evil and never sleep. 
Carl


RE: [qmailtoaster] Problemas...

2016-08-04 Thread CarlC Internet Services Service Desk
> CNAME lookup failed temporarily. (#4.4.3)

Many years ago I remember that the problem was in DNS, and the server was 
running its own DNS:

/etc/rc.d/init.d/named restart

Use that to fix it.

Also, wasn’t there some big DNS qmail patch that fixes this issue?

Carl


RE: [qmailtoaster] How to make mirror all the emails with all the mailbox in another server or storage

2016-07-25 Thread CarlC Internet Services Service Desk
> In this case, What i am thinking, Why should i make all the emails sync with 
> another server or storage disk at the same time when deliver the email.

I’m sure someone else has a better answer, but you could just rsync the 
/home/vpopmail/domains/ area without a delete [that is the 
default for rsync]. It’s just a matter of how many times you want to run it per 
hour…

Another possible solution would be to do something like this:

Create .qmail- for each email account [the .qmail-* 
files go in /home/vpopmail/domains/ directory] with the following 
contents:

/home/vpopmail/domains///Maildir/
/home/vpopmail/domains///Maildir

For this to work, you just create the 
/home/vpopmail/domains///Maildir directories with 
proper vpopmail.vchkpw protections. A copy of all inbound email will go to both 
areas, the live [top] one and the bottom [backup] area. The only issue with 
this solution, you don’t have a copy of any sent items if the user is using a 
web interface [and you want to catch those as well].

Again, I’m sure someone on the list has a better way to do this than I.

Carl
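The second approach above (a per-account `.qmail-<user>` file carrying two Maildir lines, one live and one backup) is easy to get subtly wrong by hand: qmail treats a `.qmail` line as Maildir delivery only when it ends with a slash, and an mbox path otherwise, and the backup Maildir must already exist with `cur/`, `new/` and `tmp/` or deliveries defer. The script below is an added example, not code from the post: it writes the two-line file and prepares the backup Maildir. The `/home/vpopmail/domains` layout matches the post; the backup root, the `vpopmail:vchkpw` owner argument and the sample domain/user are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post: build the per-account .qmail file
# that delivers one copy of inbound mail to the live Maildir and a second copy
# to a backup Maildir. BACKUP_ROOT and the owner argument are assumptions.

VPOP_ROOT=${VPOP_ROOT:-/home/vpopmail/domains}
BACKUP_ROOT=${BACKUP_ROOT:-/backup/vpopmail/domains}

# Print the .qmail-<user> contents. Both lines end with "/" because qmail
# delivers to a Maildir only when a line ends with a slash; without it the
# path would be treated as an mbox file.
mirror_dotqmail() {
    domain=$1; user=$2
    printf '%s/%s/%s/Maildir/\n' "$VPOP_ROOT" "$domain" "$user"
    printf '%s/%s/%s/Maildir/\n' "$BACKUP_ROOT" "$domain" "$user"
}

# Create a Maildir skeleton (cur/new/tmp) with owner-only permissions.
# Run as root and pass "vpopmail:vchkpw" so the tree is usable by delivery.
ensure_maildir() {
    dir=$1; owner=${2:-}
    for sub in cur new tmp; do
        mkdir -p "$dir/$sub"
    done
    chmod -R 700 "$dir"
    [ -n "$owner" ] && chown -R "$owner" "$dir"
    return 0
}

# Write .qmail-<user> into the domain directory and prepare its backup
# Maildir. Usage: mirror_account example.com alice [vpopmail:vchkpw]
mirror_account() {
    domain=$1; user=$2; owner=${3:-}
    [ -d "$VPOP_ROOT/$domain" ] || { echo "no such domain dir: $VPOP_ROOT/$domain" >&2; return 1; }
    ensure_maildir "$BACKUP_ROOT/$domain/$user/Maildir" "$owner"
    mirror_dotqmail "$domain" "$user" > "$VPOP_ROOT/$domain/.qmail-$user"
    [ -n "$owner" ] && chown "$owner" "$VPOP_ROOT/$domain/.qmail-$user"
    return 0
}
```

Loop `mirror_account` over the accounts you want mirrored; as the post notes, this catches inbound mail only, so outbound copies from webmail still need a separate arrangement.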



RE: [qmailtoaster] latest version of qmt or vm please

2016-07-18 Thread CarlC Internet Services Service Desk
> I'm running it on CentOS 7 with no problem using those same files. I'm on a 
> VPS though, I didn't try it in VMWare.

Same here… I just spun up a new CentOS 7 and loaded the latest qmt about 3 
months ago. No issues whatsoever.

Carl



RE: [qmailtoaster] catch all account and the spam

2016-07-11 Thread CarlC Internet Services Service Desk
> From: Dan McAllister
>
> Now I can't just reply to HOW without adding my 2-cents worth as to why I
> think "bounce-no-mailbox" is the WORST of the options:
>
> - It allows spammers to "mine" your domain for "good" email
> addresses (which then get sold!). how? Send a note to a...@yourdomain.com,
> b...@yourdomain.com, etc. For each one that does NOT get a bounceback, you have
> a good address! SPAM IT!
>
> - Once your domain is "mature" (been around a few years), your
> "catchall" account will get thousands of emails a day - from spammers trying
> to mine your domain!

My question is, would this not lead spammer to try to use your domain name
as a FROM? What I mean by that is, if you're not bouncing the bad addresses,
then a spammer can use your domain [I know, many don't check SPF or where
the domain is allowed to send email from records], to send email outbound.
Most email servers will check to see if the return email address is valid,
and qmail would say anth...@yourdomain.com is valid. While it would get
dumped into /dev/null since you have "delete" as the final destination, I'm
not entirely sure allowing all email address for your domain to work is a
good idea.

I know a few years ago, I did have a few customers this happened to. We had
to disable the catch-all and instead, set it to bounce-no-mailbox. When we
did that, the spammers stopped trying to use the domain as a "from" address
[and yes, SPF records made no difference. it was the open catch-all that led
the spammers to use the domain as a "from" address].

Again, YMMV.

Carl



RE: [qmailtoaster] qmailtoaster installation large installation

2016-02-18 Thread CarlC Internet Services Service Desk
I’ve been using Qmail since 2000, and as an ISP, it’s saved my rear end more 
times than I can tell you compared to other Email servers I’ve had to deal 
with… I’ve been lurking on the QMT lists via the web for years, and finally 
decided to join the list.

Largest we got for a while was over 500 domains with various email sizes. What 
I found I had to scale was the /home directory, namely under the 
/home/vpopmail/domains area by, if needed, creating separate partitions for 
each area [example 0,1,2,etc…]. I do remember that if you take the default of 
just creating a partition, you could easily run out of inodes. I’ve had to 
create the partitions like this:

mke2fs -g 16384 -b 2048 -i 2048 -T small -j -L /home /dev/cciss/c0d0p6

Reason I had to do this was I would have plenty of free space, Terabytes even, 
and could not write to the drive. Obviously, change it to meet your needs but 
if you want to continue to use ext4, watch the inode sizes.

I’ve run the ISP email server on HP Proliant with only twin Dual core 
processors and 4Gb of memory. My new one, and part of the reason I’m on the 
list now, is under CentOS 7. The only difference in size is more memory 
[caching for the hard drives]. I think you’ll find, Alex, that the RAM and Disk 
speeds matter more than CPU with Qmail, it’s that efficient. I started on an 
old P4 400Mhz with 1Gb memory and a couple of domains. So scaling Qmail out is 
not all bad.

The only time I’ve seen CPU intensive on the system is on a reboot, you may 
find fail2ban to take a CPU for itself while it catches back up on the log 
file. This is why I would recommend at least 4 vCPU.

So, to answer your question, Alex, I would say you’re more likely to increase 
RAM and Disk space as you grow.

As to backup, Eric hits a great point. If possible, I recommend that you run 
the system as a VM so you can snapshot it and get a very consistent backup of 
the email databases.

And to everyone’s hard work on the list, thank you so much!

Carl C.
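The failure mode described above (terabytes free, yet nothing can be written because the Maildir tree has used every inode) is invisible to the usual `df -h` check; only `df -i` shows it. The script below is an added example, not from the post: it estimates how many inodes a `mke2fs -i <bytes-per-inode>` setting yields for a given partition size, and parses `df -i` output to flag volumes approaching inode exhaustion so the check can run from cron before delivery starts deferring. The threshold and the sample `df -i` rows in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the list post: size and monitor the inode supply of
# the volume holding /home/vpopmail/domains. Threshold is an assumption.

# Given a partition size in bytes and the mke2fs -i (bytes-per-inode) value,
# print how many inodes the file system would be created with. A Maildir
# averages far below the 16 KiB-per-inode default, so -i must be lowered.
inode_count() {
    echo $(( $1 / $2 ))
}

# Rough inode need for a mail volume: one per message plus one per mailbox
# directory entry (cur/new/tmp), so you can compare against inode_count.
inodes_needed() {
    mailboxes=$1; messages_per_box=$2
    echo $(( mailboxes * (messages_per_box + 4) ))
}

# Read "df -i" output on stdin and print "mount percent" for every file
# system whose inode usage is at or above the threshold (default 80%).
# Columns: Filesystem Inodes IUsed IFree IUse% Mounted on
inode_warnings() {
    threshold=${1:-80}
    awk -v t="$threshold" 'NR > 1 { sub(/%/, "", $5); if ($5 + 0 >= t) print $6, $5 }'
}

# Live check for cron: exit 1 (and print the offenders) when any volume is
# over the threshold, so the job can page before deliveries start deferring.
check_inodes() {
    out=$(df -i | inode_warnings "${1:-80}")
    [ -z "$out" ] && return 0
    printf 'inode usage high:\n%s\n' "$out" >&2
    return 1
}
```

For the command in the post, `-i 2048` on a 1 TiB partition gives `inode_count 1099511627776 2048`, i.e. 536870912 inodes; compare that with `inodes_needed` for your expected mailbox count before formatting, since the ratio cannot be changed later without recreating the file system.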