[qmailtoaster] CBL Listing

2009-09-02 Thread Gary Bowling


I keep getting listed on the CBL list. I have been through all the 
recommendations for checking my server, but can't seem to find anything 
wrong. I'm sure it's something simple I'm overlooking. This all started 
when I upgraded to the qmailtoaster, I previously ran Bill Shupp's 
toaster and have never had this problem before.


I have checked the smtpgreeting with telnet and it indeed responds 
correctly (at least as far as I can tell). The response (mail.gbco.us) 
also corresponds to the rDNS for the ip address which is also matched 
with the mx record.


So, I'm at a loss as to why I keep getting blacklisted by CBL, which 
says it only checks for headers. Anyone have any other suggestions for 
what I've missed?


Thanks, Gary

-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] CBL Listing

2009-09-02 Thread Gary Bowling





I have tested for open relay and the test comes back negative, my
understanding is that the toaster is not an open relay by default and
unless I've done something whacky I've not done anything to change that.

As for a spammer, well that's always a possibility. I have gone through
isoqlog stats and queried all the top senders. None of them are sending
abnormally large numbers of messages. There are a few users that send
250 or so once per week, but these are "auto dealerships" and they send
service reminders to their customers, which are "opt in" emails and
should not be triggering anything. 

I am having my desktop tech go out and run virus/spyware checkers on a
few others just to make sure. 

Oddly, it seems to happen for a week or so after adding a new domain.
Could just be coincidence, not sure. When I first switched over to the
toaster, I fought this for several weeks. Then it settled down with no
listings for about 3 weeks. Then I added a domain and have now been
listed twice since the add. Again, all speculation as to whether that
has anything to do with it, just trying to give out as much info as
possible in case someone has seen this. 

Gary

Maxwell Smart wrote:

  CBL usually means you have a spammer in your midst, have been hacked or
victim of malware, or are an open relay.




  


-- 
________
Gary Bowling
GBCO.US
g...@gbco.us








Re: [qmailtoaster] CBL Listing

2009-09-02 Thread Gary Bowling


Thanks very much for checking it out. I know it's difficult to try to 
answer everyone's questions and I do appreciate it. Also, thanks for all 
the hard work on the toaster, it's a good one!


I'll see if I can track down who is sending out spam emails.

Thanks

Gary

Jake Vickers wrote:

Gary Bowling wrote:


The list is http://cbl.abuseat.org/ and I'm not listed there 
currently as I just removed it about an hour ago. I've removed the 
listing about every 2 days for the last 10 days or so, trying to stay 
on top of it until I can figure out why I keep getting listed.




Everything looked okay. Your mail server is behind a NAT was the only 
thing I saw, and not really that big of a deal.
I think you'll find that your problem is one of your users. 
abuseat.org normally only lists you if your server sends one of their 
spamtraps a message - since they're spam traps, any messages going to 
them are almost guaranteed to be spam.








--

Gary Bowling
GBCO.US
g...@gbco.us
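
One way to do the tracking-down step discussed above, as an added example that is not part of the original thread: a script that attributes each remote delivery in a qmail-send log to its envelope sender and flags senders with wide recipient fan-out or a high failure rate. The log lines are constructed samples in qmail-send's format, and the function names and thresholds are assumptions to tune against normal traffic.

```python
import re
from collections import defaultdict

# Constructed sample in qmail-send's log format; timestamps, addresses,
# message numbers and uids are invented for illustration.
SAMPLE_LOG = """\
@400000004a9e8f2b00000001 new msg 4260378
@400000004a9e8f2b00000002 info msg 4260378: bytes 2101 from <service@dealer.example> qp 3101 uid 89
@400000004a9e8f2b00000003 starting delivery 1: msg 4260378 to remote customer1@isp.example
@400000004a9e8f2b00000004 delivery 1: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok/
@400000004a9e8f2b00000005 end msg 4260378
@400000004a9e8f2c00000001 new msg 4260378
@400000004a9e8f2c00000002 info msg 4260378: bytes 910 from <bob@client.example> qp 3140 uid 89
@400000004a9e8f2c00000003 starting delivery 2: msg 4260378 to remote a@one.example
@400000004a9e8f2c00000004 starting delivery 3: msg 4260378 to remote b@two.example
@400000004a9e8f2c00000005 starting delivery 4: msg 4260378 to remote c@three.example
@400000004a9e8f2c00000006 starting delivery 5: msg 4260378 to remote d@four.example
@400000004a9e8f2c00000007 delivery 2: failure: 198.51.100.7_does_not_like_recipient./Remote_host_said:_550_user_unknown/
@400000004a9e8f2c00000008 delivery 3: failure: 198.51.100.8_does_not_like_recipient./Remote_host_said:_550_user_unknown/
@400000004a9e8f2c00000009 delivery 4: success: 198.51.100.9_accepted_message./Remote_host_said:_250_ok/
@400000004a9e8f2c0000000a delivery 5: failure: 198.51.100.10_does_not_like_recipient./Remote_host_said:_550_no_such_user/
@400000004a9e8f2c0000000b end msg 4260378
@400000004a9e8f2d00000001 new msg 4260637
@400000004a9e8f2d00000002 info msg 4260637: bytes 512 from <alice@client.example> qp 3177 uid 89
@400000004a9e8f2d00000003 starting delivery 6: msg 4260637 to local client.example-carol@client.example
@400000004a9e8f2d00000004 delivery 6: success: did_0+0+1/
@400000004a9e8f2d00000005 end msg 4260637
"""

INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
START = re.compile(r"starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")
RESULT = re.compile(r"delivery (\d+): (success|failure|deferral):")
END = re.compile(r"end msg (\d+)")


def summarize(lines):
    """Return {envelope sender: counters} for the remote mail qmail-send handled."""
    stats = defaultdict(lambda: {"messages": 0, "remote_rcpts": set(),
                                 "remote_tries": 0, "failures": 0, "uids": set()})
    msg_sender = {}       # queue message number -> sender; numbers are reused
    delivery_sender = {}  # in-flight remote delivery id -> sender
    for line in lines:
        if m := INFO.search(line):
            sender = m.group(2).lower() or "<>"   # empty sender is a bounce
            msg_sender[m.group(1)] = sender
            stats[sender]["messages"] += 1
            # uid of the process that queued the message (SMTP daemon, web script, ...)
            stats[sender]["uids"].add(int(m.group(3)))
        elif m := START.search(line):
            did, msg, kind, rcpt = m.groups()
            sender = msg_sender.get(msg)
            if sender and kind == "remote":
                stats[sender]["remote_rcpts"].add(rcpt.lower())
                stats[sender]["remote_tries"] += 1
                delivery_sender[did] = sender
        elif m := RESULT.search(line):
            sender = delivery_sender.pop(m.group(1), None)
            if sender and m.group(2) == "failure":
                stats[sender]["failures"] += 1
        elif m := END.search(line):
            # Forget the mapping so a reused number is not charged to the old sender.
            msg_sender.pop(m.group(1), None)
    return {s: {**c, "remote_rcpts": len(c["remote_rcpts"])} for s, c in stats.items()}


def suspects(stats, rcpt_limit=4, fail_ratio=0.5, min_tries=3):
    """Senders with many distinct remote recipients or mostly rejected deliveries."""
    flagged = []
    for sender, c in stats.items():
        ratio = c["failures"] / c["remote_tries"] if c["remote_tries"] else 0.0
        if c["remote_rcpts"] >= rcpt_limit or (
                c["remote_tries"] >= min_tries and ratio >= fail_ratio):
            flagged.append(sender)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for sender in suspects(summary):
        print(sender, summary[sender])
```

A high share of permanent failures is usually the stronger signal, since opt-in mailings like the weekly service reminders mentioned earlier can have large recipient counts with few rejections.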







[qmailtoaster] can't send mail

2009-09-11 Thread Gary Bowling


I had an issue with a blackberry user, so I went to the video to
recompile the toaster to allow the / characters in the from address.

All went well with the recompile and subsequent re-install.

However, after the re-install I can no longer send or receive mail even 
to a local user. It seems all the mail queues up, so I'm not losing 
mail, and whatever is in the queue all releases if I restart qmail 
(qmailctl restart).


In my toaster I had removed domain keys, by changing the link to
qmail-queue to point to qmail-queue-orig, and I had installed spamdyke
so I had to change the /service/smtp/run to link to
/service/smtp/run.spamdyke, I remembered to change those back. But there
is still something I'm missing.

Unfortunately I didn't think about it changing all my settings until
after the fact. I'm sure there is some other customization that I need
to fix that I am missing.

Any help would be appreciated as restarting qmail every 15 minutes or so
to get mail to deliver is NOT working for me on a Friday :)

Thanks, Gary






Re: [qmailtoaster] can't send mail

2009-09-11 Thread Gary Bowling


I get nothing in the send log when I send a message. If I continue to 
watch the send log as I do a qmailctl restart, it then logs all the 
outgoing mail as normal.


Thanks,

Gary

Eric Shubert wrote:




What is in the send log?







Re: [qmailtoaster] can't send mail

2009-09-11 Thread Gary Bowling


Based on your last question, I have now also discovered that a 
stop/start of send will also deliver the email.


svc -d /service/send
svc -u /service/send

and it clears the email. I can't find any errors in any log.

Thanks, Gary





Re: [qmailtoaster] can't send mail

2009-09-11 Thread Gary Bowling


Here it is:

service qmail stat
authlib: up (pid 1097) 6520 seconds
clamd: up (pid 1061) 6520 seconds
imap4: up (pid 5073) 5237 seconds
imap4-ssl: up (pid 5071) 5237 seconds
pop3: up (pid 5089) 5237 seconds
pop3-ssl: up (pid 5066) 5237 seconds
send: up (pid 19445) 100 seconds
smtp: up (pid 10875) 3220 seconds
smtp2: up (pid 5068) 5237 seconds
spamd: up (pid 1054) 6520 seconds
submission: up (pid 5095) 5237 seconds
tmda-ofmipd: up (pid 1091) 6520 seconds
tmda-ssl: up (pid 5113) 5237 seconds
authlib/log: up (pid 1326) 1420511 seconds
clamd/log: up (pid 6186) 16105 seconds
imap4/log: up (pid 1309) 1420511 seconds
imap4-ssl/log: up (pid 1307) 1420511 seconds
pop3/log: up (pid 1320) 1420511 seconds
pop3-ssl/log: up (pid 1328) 1420512 seconds
send/log: up (pid 1314) 1420512 seconds
smtp2/log: up (pid 1334) 1420512 seconds
smtp/log: up (pid 1319) 1420512 seconds
spamd/log: up (pid 13378) 29382 seconds
submission/log: up (pid 1323) 1420512 seconds
tmda-ofmipd/log: up (pid 1331) 1420512 seconds
tmda-ssl/log: up (pid 1311) 1420512 seconds



Eric Shubert wrote:

Yeah, I think that
# service qmail doqueue
would do the same thing.

What do you see from:
# service qmail stat










--

Gary Bowling
GBCO.US
g...@gbco.us







Re: [qmailtoaster] can't send mail

2009-09-11 Thread Gary Bowling


Just reflective of the last restart. From looking at the server 
everything seems to be operating as normal..


Also, just several FYIs..

- When I rebuilt qmail-toaster to remove the / in chkusr, I actually 
also upgraded. My server was running qmail-toaster-1.03 1.3.18 prior to 
the work and qmail-toaster-1.03 1.3.19 after. I also notice there are a 
few other minor updates to other packages since my old 1.3.18, such as 
my simscan is 1.4.0.-1.3.1 and I notice it's now 1.4.0-1.3.8 on the 
download.


- The smtp2 service you see running is smtp on an alternate port so my 
road warriors work from any ISP, which was unchanged by the new update.


- The crappy old tmda stuff was installed from Bill Shupp's toaster as 
that's what I used to run. I'm trying to get rid of it but have a few 
users who are holding on to it.. But again, that didn't change and I 
don't believe any of that install touches any of the toaster files, it 
just uses .qmail files in users' directories to do its thing.


Gary

Eric Shubert wrote:
Is the send daemon having a problem staying up? Or is that time simply 
reflective of the last time you restarted it?
















--

Gary Bowling
GBCO.US
g...@gbco.us




Re: [qmailtoaster] can't send mail

2009-09-11 Thread Gary Bowling

Yikes.. well, ok then. I rebooted, but still the same. Very perplexing as
I have checked stuff until I don't know what else to check..

Gary


 Sounds like qmail-send isn't able to read the queue after it's cycled
 through once, like it's blocked or something. I'm not real familiar with
 how that mechanism works.

 I wonder if there isn't a zombie process hanging around that's gumming
 up the works. Have you (dare I say) rebooted?



 --
 -Eric 'shubes'



Re: [qmailtoaster] can't send mail

2009-09-11 Thread Gary Bowling
/4260538 mode to 600
  queue/intd/4260378 is mode 644, should be 600
  changed queue/intd/4260378 mode to 600
  queue/intd/4260637 is mode 644, should be 600
  changed queue/intd/4260637 mode to 600


 There's a queue_repair.py script in QTP. I'd give that a shot (after
 flushing the queue and stopping qmail). Just a swag at this point.


 --
 -Eric 'shubes'



[qmailtoaster] unable to read controls (#4.3.0)

2010-08-10 Thread Gary Bowling


I just updated my OS to the latest version of CentOS 5.5 and now I can't 
send email. I am getting the error


an error occurred sending mail: the mail server sent an incorrect 
greeting: unable to read controls (#4.3.0)


Then I get

The message could not be sent because the connection to SMTP server 
mail.gbco.us was lost in the middle of the transaction.


Oddly enough, I can't really find any errors in the qmail logs. I 
thought it was a permissions error in /var/qmail/control but can't find 
anything there, here's a list of the permissions.


drwxr-xr-x 12 root     qmail 4096 Jul 19 11:33 ..
-rw-r--r--  1 vpopmail qmail   32 Jul 19 11:31 badloadertypes
-rw-r--r--  1 root     root  2048 Aug 10 09:25 badloadertypes.cdb
-rw-r--r--  1 vpopmail qmail   25 Jul 19 11:31 badmailfrom
-rw-r--r--  1 vpopmail qmail   29 Jul 19 11:31 badmailto
-rw-r--r--  1 vpopmail qmail  360 Jul 19 11:31 badmimetypes
-rw-r--r--  1 root     root  2048 Aug 10 09:25 badmimetypes.cdb
-rw-r--r--  1 vpopmail qmail   20 Jul 19 11:31 blacklists
drwxr-xr-x  2 vpopmail qmail 4096 Jul 19 11:18 certs
drwxr-xr-x  2 vpopmail qmail 4096 Sep 11  2009 certtemp
lrwxrwxrwx  1 root     qmail   14 Jul 19 11:33 clientcert.pem -> servercert.pem
-rw-r--r--  1 vpopmail qmail    3 Apr 24  2008 concurrencyincoming
-rw-r--r--  1 vpopmail qmail    3 Oct  6  2005 concurrencylocal
-rw-r--r--  1 vpopmail qmail    3 Oct  6  2005 concurrencyremote
-rw-r--r--  1 vpopmail qmail    9 Jul 19 11:31 databytes
-rw-r--r--  1 vpopmail qmail   11 Jun  7  2007 defaultdelivery
-rw-r--r--  1 vpopmail qmail    8 Jun  7  2007 defaultdomain
-rw-r--r--  1 vpopmail qmail    1 Jul 17  2009 defaulthost
-rw-r--r--  1 vpopmail qmail  245 Aug 10 01:01 dh1024.pem
-rw-r--r--  1 vpopmail qmail  156 Aug 10 01:01 dh512.pem
drwxr-xr-x 21 root     qmail 4096 Jul 19 11:31 domainkeys
-rw-r--r--  1 vpopmail qmail  887 Sep 20  2006 key
-rw-r--r--  1 vpopmail qmail  963 Sep 20  2006 key.enc
-rw-r--r--  1 vpopmail qmail   13 Jul 26 06:34 locals
-rw-------  1 vpopmail qmail    0 Jan 19  2007 locals.lock
-rw-r--r--  1 vpopmail qmail    3 Jul 28  2009 logcount
-rw-r--r--  1 vpopmail qmail    8 Jul 19 11:31 logsize
-rw-r--r--  1 vpopmail qmail   13 Aug  3  2009 me
-rw-r--r--  1 vpopmail qmail    2 Apr 21  2006 mfcheck
drwxr-xr-x  2 vpopmail qmail 4096 Sep 19  2008 oldcert
-rw-r--r--  1 vpopmail qmail    8 Jun  7  2007 plusdomain
-rw-r--r--  1 vpopmail qmail    0 Jul 19 11:31 policy
-rw-r--r--  1 vpopmail qmail  187 Oct 18  2005 pop3ds.conf
-rw-r--r--  1 vpopmail qmail    7 Oct  6  2005 queuelifetime
-rw-r--r--  1 vpopmail qmail  646 Jul 26 06:34 rcpthosts
-rw-r--r--  1 vpopmail qmail  437 May  2  2006 rcpthosts.backup
-rw-------  1 vpopmail qmail    0 Jan 19  2007 rcpthosts.lock
-rw-r--r--  1 vpopmail qmail  497 Aug 10 01:01 rsa512.pem
-rw-r-----  1 vpopmail qmail  497 Sep 20  2006 rsa512.pem.old
-rw-r--r--  1 vpopmail qmail  908 Aug  1  2009 servercert.crt
-rw-r--r--  1 vpopmail qmail  680 Aug  1  2009 servercert.csr
-rw-r--r--  1 vpopmail qmail  891 Aug  1  2009 servercert.key
-rw-r--r--  1 vpopmail qmail  963 Aug  1  2009 servercert.key.enc
-rw-r--r--  1 vpopmail qmail 1799 Aug  1  2009 servercert.pem
-rw-r-----  1 vpopmail qmail 2359 Feb  2  2009 servercert.pem.old
-rw-r--r--  1 root     qmail 1689 Nov 29  2009 servercert.pem.rpmnew
-rw-r--r--  1 clamav   root    59 Sep 11  2009 simcontrol
-rw-r--r--  1 root     root  2129 Aug 10 09:25 simcontrol.cdb
-rw-r--r--  1 vpopmail qmail   82 Apr 25  2008 simcontrol-old
-rw-r--r--  1 vpopmail qmail  250 Jul 20  2009 simmcontrol.internap-server
-rw-r--r--  1 root     root  2165 Aug 10 09:25 simversions.cdb
-rw-r--r--  1 vpopmail qmail   14 Aug  2  2009 smtpgreeting
-rw-r--r--  1 vpopmail qmail    0 Jul 19 11:31 smtproutes
-rw-r--r--  1 vpopmail qmail    2 Jul 19 11:31 spfbehavior
-rw-r--r--  1 vpopmail qmail  247 Aug  3  2009 temp
lrwxrwxrwx  1 root     root    35 Jul 19 11:33 tlsclientciphers -> /var/qmail/control/tlsserverciphers
-rw-r--r--  1 vpopmail qmail  600 Jul 19 11:33 tlsserverciphers
-rw-r--r--  1 vpopmail qmail 1148 Jul 26 06:34 virtualdomains
-rw-------  1 vpopmail qmail    0 Jan 19  2007 virtualdomains.lock

I thought it might be a spamdyke problem, so I disabled that, but no luck.

Then I disabled starttls in my client send and it's working now. 
However, I really don't want to send email unencrypted.


Any help would be greatly appreciated.

Thanks, Gary
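
The permissions check described in the message above can be done mechanically instead of by eye. This is an added example, not part of the original post: it parses `ls -l` output, reports which control files a given account cannot read, and separately reports key files that any local user can read. The account names passed in (vpopmail, qmaild and their groups) and the set of names treated as private-key material are assumptions.

```python
import re

# Constructed sample: eight entries from the listing above, with column
# spacing and the full 10-character mode strings restored.
LISTING = """\
-rw-r--r--  1 vpopmail qmail   13 Aug  3  2009 me
-rw-r--r--  1 root     root  2048 Aug 10 09:25 badmimetypes.cdb
-rw-------  1 vpopmail qmail    0 Jan 19  2007 locals.lock
-rw-r--r--  1 vpopmail qmail  891 Aug  1  2009 servercert.key
-rw-r--r--  1 vpopmail qmail 1799 Aug  1  2009 servercert.pem
-rw-r-----  1 vpopmail qmail 2359 Feb  2  2009 servercert.pem.old
lrwxrwxrwx  1 root     qmail   14 Jul 19 11:33 clientcert.pem -> servercert.pem
-rw-r--r--  1 clamav   root    59 Sep 11  2009 simcontrol
"""

LS_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)

# Assumption: in this layout these files contain private keys.
KEY_FILES = {"key", "servercert.key", "servercert.pem"}


def parse_listing(text):
    """Turn `ls -l` output into dicts keyed by file name; other lines are skipped."""
    entries = {}
    for line in text.splitlines():
        match = LS_LINE.match(line.strip())
        if match:
            entry = match.groupdict()
            # "link -> target" becomes name="link", target="target"
            entry["name"], _, entry["target"] = entry["name"].partition(" -> ")
            entries[entry["name"]] = entry
    return entries


def resolve(entries, entry):
    """Follow a symlink to its target when the target is in the same listing."""
    seen = set()
    while (entry["mode"][0] == "l" and entry["target"] in entries
           and entry["name"] not in seen):
        seen.add(entry["name"])
        entry = entries[entry["target"]]
    return entry


def can_read(entry, user, groups):
    """Pick exactly one permission class (owner, then group, then other)."""
    mode = entry["mode"]
    if user == "root":
        return True
    if entry["owner"] == user:
        return mode[1] == "r"
    if entry["group"] in groups:
        return mode[4] == "r"
    return mode[7] == "r"


def unreadable_by(entries, user, groups):
    """Names the given account cannot read, with symlinks resolved first."""
    return sorted(name for name, entry in entries.items()
                  if not can_read(resolve(entries, entry), user, groups))


def world_readable_keys(entries):
    """Key files whose 'other' read bit is set."""
    return sorted(name for name, entry in entries.items()
                  if name in KEY_FILES and entry["mode"][7] == "r")


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    print("unreadable by vpopmail:", unreadable_by(parsed, "vpopmail", {"vchkpw"}))
    print("unreadable by qmaild:  ", unreadable_by(parsed, "qmaild", {"nofiles"}))
    print("world-readable keys:   ", world_readable_keys(parsed))
```

For the owner of the files nothing is unreadable, which matches the conclusion in the message; the same listing does show `servercert.key` and `servercert.pem` readable by every local account.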


Re: [qmailtoaster] Re: unable to read controls (#4.3.0)

2010-08-10 Thread Gary Bowling


Thanks Eric, I may have found the problem, although it has been a bit 
intermittent so I've not completely declared victory yet. I re-generated 
my cert for the server and that seems to have resolved it. I wonder if 
there is something in the new version of openssl as that was installed 
in the upgrade.


Here's all I got when I did a telnet to localhost.

qmail]# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
421 unable to read controls (#4.3.0)
Connection closed by foreign host.

Thanks

Gary


Re: [qmailtoaster] Re: unable to read controls (#4.3.0)

2010-08-10 Thread Gary Bowling


Thanks George, that probably explains it as I haven't upgraded my OS in 
over a year so the problem may have shown up some time ago.


Gary

On 8/10/2010 10:28 AM, George Varagas wrote:

  Yes the cert could be a problem. And I too have had an issue with
openssl. It was a few months ago though.
George


[qmailtoaster] qmail-dk

2014-06-26 Thread Gary Bowling


I recently had some problems with some domain key errors. Following the 
suggestions in the list, I tried to disable domain keys by doing a ln 
-sf qmail-queue.orig qmail-queue


However, when I did this it completely broke my server, I could not send 
or receive any email, I would get this error in the smtp logs.


qmail-smtpd: qq soft reject (mail server temporarily rejected message 
(#4.3.0)


I think it has to do with my tcp.smtp rules. Over the years I have 
probably gotten this thing out of whack. I have simscan 1.4 and pretty 
much wish to use it to scan everything. There really isn't anything 
unusual about my server. Can I get some help with what my tcp.smtp file 
is supposed to look like? Here's what it is now.


127.:allow,RELAYCLIENT=,DKSIGN=/var/qmail/control/domainkeys/%/private,QMAILQUEUE=/var/qmail/bin/simscan
:allow,BADMIMETYPE=,BADLOADERTYPE=M,CHKUSER_RCPTLIMIT=50,CHKUSER_WRONGRCPTLIMIT=10,DKVERIFY=,QMAILQUEUE=/var/qmail/bin/simscan,DKQUEUE=/var/qmail/bin/qmail-queue.orig,DKSIGN=/var/qmail/control/domainkeys/%/private


It sounds like the latest recommendation is to get rid of qmail-dk and 
use the qmail-queue.orig, if I do that here's what I think my tcp.smtp 
should look like, will this work? Suggestions on making it better?


127.:allow,RELAYCLIENT=,QMAILQUEUE=/var/qmail/bin/simscan
:allow,BADMIMETYPE=,BADLOADERTYPE=M,CHKUSER_RCPTLIMIT=50,CHKUSER_WRONGRCPTLIMIT=10,QMAILQUEUE=/var/qmail/bin/simscan



Thanks for the help, gb




Re: [qmailtoaster] qmail-dk

2014-06-26 Thread Gary Bowling


Update, I just changed my tcp.smtp to what I have listed below and then 
linked to qmail-queue.orig and continued to get these.


qmail-smtpd: qq soft reject (mail server temporarily rejected message 
(#4.3.0)


When I leave the tcp.smtp as set at the bottom and link back to qmail-dk 
I get this error on some messages.


qmail-smtpd: qq hard reject (qmail-dk: Cannot sign message due to 
invalid message syntax. (#5.3.0)


Due to the 2nd error, I would really like to get rid of qmail-dk, but 
every time I link back to the qmail-queue.orig I get the soft rejects on 
ALL mail. Is it something in my tcp.smtp or is it something else? For 
now I have put it back to qmail-dk, at least I get most of the mail with 
the hard rejects only happening on some emails.


Thanks, gb



On 6/26/2014 9:21 PM, Gary Bowling wrote:


I recently had some problems with some domain key errors. Following 
the suggestions in the list, I tried to disable domain keys by doing a 
ln -sf qmail-queue.orig qmail-queue


However, when I did this it completely broke my server, I could not 
send or receive any email, I would get this error in the smtp logs.


qmail-smtpd: qq soft reject (mail server temporarily rejected message 
(#4.3.0)


I think it has to do with my tcp.smtp rules. Over the years I have 
probably gotten this thing out of whack. I have simscan 1.4 and pretty 
much wish to use it to scan everything. There really isn't anything 
unusual about my server. Can I get some help with what my tcp.smtp 
file is supposed to look like? Here's what it is now.


127.:allow,RELAYCLIENT=,DKSIGN=/var/qmail/control/domainkeys/%/private,QMAILQUEUE=/var/qmail/bin/simscan
:allow,BADMIMETYPE=,BADLOADERTYPE=M,CHKUSER_RCPTLIMIT=50,CHKUSER_WRONGRCPTLIMIT=10,DKVERIFY=,QMAILQUEUE=/var/qmail/bin/simscan,DKQUEUE=/var/qmail/bin/qmail-queue.orig,DKSIGN=/var/qmail/control/domainkeys/%/private


It sounds like the latest recommendation is to get rid of qmail-dk and 
use the qmail-queue.orig, if I do that here's what I think my tcp.smtp 
should look like, will this work? Suggestions on making it better?


127.:allow,RELAYCLIENT=,QMAILQUEUE=/var/qmail/bin/simscan
:allow,BADMIMETYPE=,BADLOADERTYPE=M,CHKUSER_RCPTLIMIT=50,CHKUSER_WRONGRCPTLIMIT=10,QMAILQUEUE=/var/qmail/bin/simscan 





Thanks for the help, gb




Re: [qmailtoaster] Re: qmail-dk

2014-06-26 Thread Gary Bowling


On 6/26/2014 9:47 PM, Eric Shubert wrote:





What are your permissions on qmail-queue.orig? Should be:

lrwxrwxrwx 1 root   root     16 Mar 24 11:31 /var/qmail/bin/qmail-queue -> qmail-queue.orig
-rws--x--x 1 qmailq qmail 22348 Mar 24 11:18 /var/qmail/bin/qmail-queue.orig


tcp.smtp should have:
:allow,BADMIMETYPE=,BADLOADERTYPE=M,CHKUSER_RCPTLIMIT=50,CHKUSER_WRONGRCPTLIMIT=10,QMAILQUEUE=/var/qmail/bin/simscan,NOP0FCHECK=1 



as the last line. The 127. line is only for using squirrelmail with no 
authentication. It's better to configure SM to authenticate, then you 
don't need the 127. line in tcp.smtp. This change will be stock soon 
if it isn't already.





Thanks Eric, I have this for permissions.

lrwxrwxrwx  1 root   root     16 Jun 26 20:50 qmail-queue -> qmail-queue.orig
-rwx--x--x  1 qmailq qmail 24776 Sep  3  2012 qmail-queue.orig


Looks like I need to set the sticky bit on qmail-queue.orig, I'll try 
that. I'll also mod up the tcp.smtp and let you know.


Gb
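
The tcp.smtp rules discussed in this exchange can be checked with a small parser. This is an added example, not code from the thread or from the qmailtoaster project: it parses tcprules-style lines and flags rules that grant relaying without authentication, rules that still carry variables only qmail-dk reads, and rules that would skip the scanner. The sample rules are the ones quoted above, written with the double-quote delimiters that tcprules syntax uses; the archived copy shows no quotes, so their placement is an assumption, as are the function and finding names.

```python
# Variables read only by qmail-dk; they are dead weight once qmail-queue
# points at qmail-queue.orig.
DK_VARS = {"DKSIGN", "DKVERIFY", "DKQUEUE"}

# Constructed samples: the rules from the thread with assumed quoting.
CURRENT_RULES = '''\
127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private",QMAILQUEUE="/var/qmail/bin/simscan"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKSIGN="/var/qmail/control/domainkeys/%/private"
'''
PROPOSED_RULES = '''\
127.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/simscan"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan"
'''
RECOMMENDED_RULES = '''\
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan",NOP0FCHECK="1"
'''


def parse_rule(line):
    """Parse 'address:allow,VAR="value",...' into (address, action, env)."""
    address, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("missing ':' in rule: %r" % line)
    for action in ("allow", "deny"):
        if rest.startswith(action):
            break
    else:
        raise ValueError("rule must start with allow or deny: %r" % line)
    env, i = {}, len(action)
    while i < len(rest):
        eq = rest.find("=", i)
        if rest[i] != "," or eq < 0 or eq + 1 >= len(rest):
            raise ValueError("malformed variable at offset %d: %r" % (i, line))
        delim = rest[eq + 1]             # any repeated character may delimit
        end = rest.find(delim, eq + 2)
        if end < 0:
            raise ValueError("unterminated value for %s" % rest[i + 1:eq])
        env[rest[i + 1:eq]] = rest[eq + 2:end]
        i = end + 1
    return address, action, env


def parse_rules(text):
    """Parse every non-blank, non-comment line of a tcp.smtp file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(parse_rule(line))
    return rules


def lint(rules):
    """Return (address, finding) pairs; address '' is the catch-all rule."""
    findings = []
    for address, action, env in rules:
        if action != "allow":
            continue
        if "RELAYCLIENT" in env:
            kind = "open-relay" if address == "" else "relay-without-auth"
            findings.append((address, kind))
        if DK_VARS & set(env):
            findings.append((address, "qmail-dk-variables"))
        if "QMAILQUEUE" not in env:
            findings.append((address, "not-scanned"))
    return findings


if __name__ == "__main__":
    for label, text in (("current", CURRENT_RULES), ("proposed", PROPOSED_RULES),
                        ("recommended", RECOMMENDED_RULES)):
        print(label, lint(parse_rules(text)))
```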





Re: [qmailtoaster] Re: qmail-dk

2014-06-26 Thread Gary Bowling


On 6/26/2014 9:47 PM, Eric Shubert wrote:





What are your permissions on qmail-queue.orig? Should be:

lrwxrwxrwx 1 root   root     16 Mar 24 11:31 /var/qmail/bin/qmail-queue -> qmail-queue.orig
-rws--x--x 1 qmailq qmail 22348 Mar 24 11:18 /var/qmail/bin/qmail-queue.orig


tcp.smtp should have:
:allow,BADMIMETYPE=,BADLOADERTYPE=M,CHKUSER_RCPTLIMIT=50,CHKUSER_WRONGRCPTLIMIT=10,QMAILQUEUE=/var/qmail/bin/simscan,NOP0FCHECK=1 



as the last line. The 127. line is only for using squirrelmail with no 
authentication. It's better to configure SM to authenticate, then you 
don't need the 127. line in tcp.smtp. This change will be stock soon 
if it isn't already.





Eric, that worked once I got the rws--x--x permissions on 
qmail-queue.orig. Now I have to figure out how to set squirrelmail with 
auth, but that's for another day. Thanks for the help as always!


GB
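
The fix confirmed above comes down to the mode of the file that `qmail-queue` resolves to: the `s` in `-rws--x--x` is the setuid bit, which lets the binary run as qmailq and write into the queue no matter which account invokes it. The following check is an added example, not code from the thread or the project; the function names and the temporary fixture are hypothetical, and the expected owner and link target are taken from the listing quoted above.

```python
import os
import pwd
import stat
import tempfile


def audit_qmail_queue(path, owner="qmailq", expected_target="qmail-queue.orig"):
    """Return (mode_string, problems) for the file that `path` resolves to.

    `owner` is an account name or a numeric uid.
    """
    problems = []
    target = os.path.realpath(path)            # follows the symlink chain
    if os.path.basename(target) != expected_target:
        problems.append("resolves to %s, expected %s"
                        % (os.path.basename(target), expected_target))
    try:
        st = os.stat(target)
    except OSError as exc:
        return None, problems + ["cannot stat %s: %s" % (target, exc.strerror)]

    mode = stat.filemode(st.st_mode)           # e.g. "-rws--x--x"
    try:
        want_uid = owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid
        if st.st_uid != want_uid:
            problems.append("owned by uid %d, expected %s" % (st.st_uid, owner))
    except KeyError:
        problems.append("no such account: %s" % owner)
    if not st.st_mode & stat.S_ISUID:
        problems.append("setuid bit missing (mode %s): runs as the caller, "
                        "not as the queue owner" % mode)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other (mode %s)" % mode)
    if not st.st_mode & stat.S_IXOTH:
        problems.append("not executable by other accounts (mode %s)" % mode)
    return mode, problems


def make_fixture(directory, mode):
    """Hypothetical fixture: a stand-in binary plus the relative symlink."""
    binary = os.path.join(directory, "qmail-queue.orig")
    with open(binary, "w") as handle:
        handle.write("#!/bin/sh\n")
    os.chmod(binary, mode)
    link = os.path.join(directory, "qmail-queue")
    os.symlink("qmail-queue.orig", link)       # same form as ln -sf above
    return link


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        link = make_fixture(tmp, 0o711)        # the mode reported before the fix
        print(audit_qmail_queue(link, owner=os.getuid()))
        os.chmod(os.path.join(tmp, "qmail-queue.orig"), 0o4711)
        print(audit_qmail_queue(link, owner=os.getuid()))
```

On a real server the call would be `audit_qmail_queue("/var/qmail/bin/qmail-queue")`, which uses the qmailq owner from the listing.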





Re: [qmailtoaster] qtp-newmodel

2015-05-22 Thread Gary Bowling

  
  
On 5/22/2015 9:01 AM, Gary Bowling wrote:

On 5/22/2015 8:53 AM, Eric Broch wrote:

On 5/22/2015 6:16 AM, Gary Bowling wrote:

Are the toaster packages referenced with qtp-newmodel still being
updated? I run this every month to update my toaster, but
haven't seen any updates in a long time. Not even a spam
update.

Thanks, gary

Gary,

[Q]tp-newmodel is for CentOS 5 and is no longer being supported
as far as I know. I am creating rpms for QTP from the latest
source (tar.gz) available for CentOS 5 (x86 and x86_64) and they
are on my ftp site, here.

Eric Broch

Thanks Eric, yea I'm still running CentOS 5. I know, it's out of
date, but with security updates it's still a fine platform for my
mail server! I'll check out your ftp site. Are these in a yum repo
somewhere? Or added to EPEL?

Gary


Ok, looking at your ftp site, I see I'm way behind! I'm running
clamav-toaster-0.98.4-1.4.8 and spamassassin-toaster-3.3.2-1.4.3. So
there are several updates between mine and the latest.

Is it ok to rpm -Uvh the latest clamav and spamassassin or should I
do each update in between mine and the latest?

Also I don't use dovecot, never had a reason to change as things
have always worked well. Is that going to cause any problems with
these updates?

Thanks, Gary



  





[qmailtoaster] qtp-newmodel

2015-05-22 Thread Gary Bowling
Are the toaster packages referenced with qtp-newmodel still being 
updated? I run this every month to update my toaster, but haven't seen 
any updates in a long time. Not even a spam update.


Thanks, gary




Re: [qmailtoaster] qtp-newmodel

2015-05-22 Thread Gary Bowling

  
  
On 5/22/2015 8:53 AM, Eric Broch wrote:

On 5/22/2015 6:16 AM, Gary Bowling wrote:

Are the toaster packages referenced with qtp-newmodel still being
updated? I run this every month to update my toaster, but
haven't seen any updates in a long time. Not even a spam update.

Thanks, gary

Gary,

[Q]tp-newmodel is for CentOS 5 and is no longer being supported as
far as I know. I am creating rpms for QTP from the latest source
(tar.gz) available for CentOS 5 (x86 and x86_64) and they are on
my ftp site, here.

Eric Broch


Thanks Eric, yea I'm still running CentOS 5. I know, it's out of
date, but with security updates it's still a fine platform for my
mail server! I'll check out your ftp site. Are these in a yum repo
somewhere? Or added to EPEL?

Gary

  





Re: [qmailtoaster] qtp-newmodel

2015-05-22 Thread Gary Bowling

  
  
On 5/22/2015 10:22 AM, Eric Broch wrote:

  
  
  Gary,
  
  Not to be contrary, but CentOS 5 is not out of date..., yet. There
  is support for it for another 2 years. I'm running 2 servers with
  CentOS 5. Of all the versions currently available, I like it best
  and I've had the least number of problems with it. Grrrwhy the
  continual upgrades? The RPM's I provide on my FTP site for the QTP
  are not available on EPEL as it would not have the configuration
  that is specific to a QT server. I'd like to put my rpms up on
  qtp.qmailtoaster.com so they'd be available with qtp-newmodel, but
  I don't know how. Anyway, that's life. I plan on making the rpms
  for CentOS 5 available until sometime past its end-of-life, maybe
  longer. I still have a CentOS 4 toaster that's running strong and
  doing a sufficient job for that client.
  
  EricB.


Eric, double thumbs up to that!! I totally agree and thanks for all
the hard work. Also thanks to Tony for the good suggestion on
testing the RPMs first. Like you I found the perl modules missing. I
know I could find the latest for those in cpan, but I like to keep
things in RPMs. 

So I found the perl modules on rpmforge which I have a yum channel
for that I mostly keep disabled unless I need something. So a yum
--enablerepo=rpmforge install perl-Geo-IP perl-Net-CIDR-Lite fixed
that. 

Then I installed the RPMs from Eric's site and all appears to be
good. 

As for Dovecot, I've looked through those before but since I don't
have any problems with my current installation I'm not going to rock
the boat unless I need to. 

Thanks, Gary
  





Re: [qmailtoaster] qtp-newmodel

2015-05-22 Thread Gary Bowling

  
  
On 5/22/2015 11:39 AM, Tony White wrote:

  
  Hi Gary,
  As an FYI it might be worth adding the EPEL repo as it has later
  updates to the GeoIP rpm's and dependencies.
  
  best wishes
  Tony White

On 23/05/2015 01:25, Gary Bowling wrote:

  

On 5/22/2015 10:22 AM, Eric Broch wrote:

  
  On 5/22/2015 7:01 AM, Gary
Bowling wrote:
  
  

On 5/22/2015 8:53 AM, Eric Broch wrote:

  
  On 5/22/2015 6:16 AM, Gary
Bowling wrote:
  
  Are the toaster packages referenced with
qtp-newmodel still being updated? I run this every month
to update my toaster, but haven't seen any updates in a
long time. Not even a spam update. 

Thanks, gary 

-






To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com


  
  Gary,
  
  [Q]tp-newmodel is for CentOS 5 and is no longer being
  supported as far as I know. I am creating rpms for QTP
  from the latest source (tar.gz) available for CentOS 5
  (x86 and x86_64) and they are on my ftp site, here.
  
  Eric Broch


Thanks Eric, yea I'm still running CentOS 5. I know, it's
out of date, but with security updates it's still a fine
platform for my mail server! I'll check out your ftp site.
Are these in a yum repo somewhere? Or added to EPEL?

Gary

  
  Gary,
  
  Not to be contrary, but CentOS 5 is not out of date..., yet.
  There is support for it for another 2 years. I'm running 2
  servers with CentOS 5. Of all the versions currently
  available, I like it best and I've had the least number of
  problems with it. Grrrwhy the continual upgrades? The
  RPM's I provide on my FTP site for the QTP are not available
  on EPEL as it would not have the configuration that is
  specific to a QT server. I'd like to put my rpms up on
  qtp.qmailtoaster.com so they'd be available with qtp-newmodel,
  but I don't know how. Anyway, that's life. I plan on making
  the rpms for CentOS 5 available until sometime past its
  end-of-life, maybe longer. I still have a CentOS 4 toaster
  that's running strong and doing a sufficient job for that
  client.
  
  EricB.


Eric, double thumbs up to that!! I totally agree and thanks for
all the hard work. Also thanks to Tony for the good suggestion
on testing the RPMs first. Like you I found the perl modules
missing. I know I could find the latest for those in cpan, but I
like to keep things in RPMs. 

So I found the perl modules on rpmforge which I have a yum
channel for that I mostly keep disabled unless I need something.
So a yum --enablerepo=rpmforge install perl-Geo-IP
perl-Net-CIDR-Lite fixed that. 

Then I installed the RPMs from Eric's site and all appears to be
good. 

As for Dovecot, I've looked through those before but since I
don't have any problems with my current installation I'm not
going to rock the boat unless I need to. 

Thanks, Gary
  
  


Ah, thanks for that Tony. I have epel set up the same way, not sure
why I used rpmforge as a first try. So a yum --enablerepo=epel
update  updated those. I usually only try rpmforge if I can't find
something.

Gary
  





[qmailtoaster] Centos 5 and PCRE

2017-03-06 Thread Gary Bowling

  
  


I too have a Centos5 toaster and followed the notes in this mail
  list to resolve the clamd problems. Thanks for the help, it kept
  me from too much down time.


Now the question is... how important is it to upgrade to Centos6
  or Centos7?


I have compiled and installed pcre-7.6 in /usr/local/ on my box.
  My understanding is that this should resolve the problems with
  newer clamd updates. I still have the stock pcre-6.6-9 as well.


Will this indeed resolve the issues with clamd? If it does, then
  at least that gives me an option. Here's a pcretest on my box.
 pcretest -C
  PCRE version 7.6 2008-01-28
  Compiled with
    UTF-8 support
    Unicode properties support
    Newline sequence is LF
    \R matches all Unicode newlines
    Internal link size = 2
    POSIX malloc threshold = 10
    Default match limit = 1000
    Default recursion depth limit = 1000
    Match recursion uses stack
  



The other question is, how important is it to get off Centos5?
  I've had the box for many years and it's been incredibly stable
  and reliable. I hate to rock the boat right now. 



Thanks for the help and for the product that is sooo good I
  rarely have to send anything to this list!


-- 
  
  
  
  Gary Bowling
  

  





Re: [qmailtoaster] Centos 5 and PCRE

2017-03-06 Thread Gary Bowling

  
  


Thanks Eric, no Dovecot here. I know it's better, but I never had
  any problems so didn't take the time to change to it. If I moved
  to a new platform I would use it. I guess really clam is the only
  thing that updates on a regular basis. And it's the only thing
  that updates without admin help. So if that's all good, it
  shouldn't be a problem.



Gary 


On 3/6/2017 7:29 PM, Eric Broch wrote:

I ran CentOS 4 QMT for several years after end-of-life
  with no ill effects. I'm not sure it will affect the qmail
  packages much only the peripheral packages...like clamav. If
  you're using Dovecot, only up to ~2.10 is supported on CentOS 5.
  
  
  
  On 3/6/2017 4:20 PM, Gary Bowling wrote:
  
  


I too have a Centos5 toaster and followed the notes in this mail
list to resolve the clamd problems. Thanks for the help, it kept
me from too much down time.



Now the question is... how important is it to upgrade to Centos6
or Centos7?



I have compiled and installed pcre-7.6 in /usr/local/ on my box.
My understanding is that this should resolve the problems with
newer clamd updates. I still have the stock pcre-6.6-9 as well.



Will this indeed resolve the issues with clamd? If it does, then
at least that gives me an option. Here's a pcretest on my box.


 pcretest -C

PCRE version 7.6 2008-01-28

Compiled with

  UTF-8 support

  Unicode properties support

  Newline sequence is LF

  \R matches all Unicode newlines

  Internal link size = 2

  POSIX malloc threshold = 10

  Default match limit = 1000

  Default recursion depth limit = 1000

  Match recursion uses stack



The other question is, how important is it to get off Centos5?
I've had the box for many years and it's been incredibly stable
and reliable. I hate to rock the boat right now.



Thanks for the help and for the product that is sooo good I
rarely have to send anything to this list!



-- 


Gary Bowling



  


  





[qmailtoaster] qtp utils

2017-06-23 Thread Gary Bowling

  
  


There used to be a bunch of utilities installed with the "plus"
  packages. qtp-newmodel, qtp-backup, qtp-sa-update, etc. 



What happened to all those? I can't seem to find them in my new
  install on CentOS7.


Thanks, Gary

  





Re: [qmailtoaster] CentOS 7 Upgrade

2017-06-10 Thread Gary Bowling

  
  
On 6/10/2017 12:52 PM, Gary Bowling wrote:

  
  
  
  I recently upgraded my centos 5 to a new centos 7 box. This
also caused a change from courier imap to dovecot so some of my
issues have been with that move. I now have most things working
correctly. However I'm stumped on a problem with squirrelmail. 
  
  
  
  I have a user that you get this error upon log in. 
  
  
  
  ERROR: Could not complete request.
Query: THREAD REFERENCES ISO-8859-1 ALL
Reason Given: [SERVERBUG] Internal error occurred. Refer to
server log for more information. [2017-06-10 16:45:01] (0.038 +
0.000 + 0.037 secs).
  
  
  The user has a number of folders created with mail sorted to
the folders. I only get this error when you click the INBOX. Any
other folder or box that is selected properly shows the mail
messages in the folder. The user is also almost over quota so
they are getting a quota warning.
  
  
  
  I also do not get this on my mail box, which is not displaying
a quota warning so I wonder if it has to do with the quota
warning.
  
  
  Thanks, Gary
  



update: I cleared up the quota issue and I'm still getting the same
error on the inbox, so nothing to do with quotas.

Gary 
  





[qmailtoaster] CentOS 7 Upgrade

2017-06-10 Thread Gary Bowling

  
  


I recently upgraded my centos 5 to a new centos 7 box. This also
  caused a change from courier imap to dovecot so some of my issues
  have been with that move. I now have most things working
  correctly. However I'm stumped on a problem with squirrelmail. 



I have a user that you get this error upon log in. 



ERROR: Could not complete request.
  Query: THREAD REFERENCES ISO-8859-1 ALL
  Reason Given: [SERVERBUG] Internal error occurred. Refer to server
  log for more information. [2017-06-10 16:45:01] (0.038 + 0.000 +
  0.037 secs).


The user has a number of folders created with mail sorted to the
  folders. I only get this error when you click the INBOX. Any other
  folder or box that is selected properly shows the mail messages in
  the folder. The user is also almost over quota so they are getting
  a quota warning.



I also do not get this on my mail box, which is not displaying a
  quota warning so I wonder if it has to do with the quota warning.


Thanks, Gary

  





Re: [qmailtoaster] CentOS 7 Upgrade

2017-06-10 Thread Gary Bowling

  
  


I found an error in dovecot.log saying "Error: Maildir filename
  has wrong S value"


After some research, I have resolved the problem by adding this
  to the /etc/dovecot/toaster.conf file.
maildir_broken_filename_sizes=yes


However, I'm not sure this is really the best way to fix this.
  Any suggestions?


Gary 




On 6/10/2017 12:59 PM, Gary Bowling
  wrote:


  
  On 6/10/2017 12:52 PM, Gary Bowling wrote:
  



I recently upgraded my centos 5 to a new centos 7 box. This
  also caused a change from courier imap to dovecot so some of
  my issues have been with that move. I now have most things
  working correctly. However I'm stumped on a problem with
  squirrelmail. 



I have a user that you get this error upon log in. 



ERROR: Could not complete request.
  Query: THREAD REFERENCES ISO-8859-1 ALL
  Reason Given: [SERVERBUG] Internal error occurred. Refer to
  server log for more information. [2017-06-10 16:45:01] (0.038
  + 0.000 + 0.037 secs).


The user has a number of folders created with mail sorted to
  the folders. I only get this error when you click the INBOX.
  Any other folder or box that is selected properly shows the
  mail messages in the folder. The user is also almost over
  quota so they are getting a quota warning.



I also do not get this on my mail box, which is not
  displaying a quota warning so I wonder if it has to do with
  the quota warning.


Thanks, Gary

  
  
  
  update: I cleared up the quota issue and I'm still getting the
  same error on the inbox, so nothing to do with quotas.
  
  Gary 


  





Re: [qmailtoaster] Squirrelmail auth problems

2017-06-11 Thread Gary Bowling

  
  


I found an old thread from Eric saying to change the
  /etc/dovecot/toaster.conf line cache_key=%u to cache_key=%u%r


That line was in two places in the toaster.conf file, so I
  changed both of them. 



We'll see if that resolves the issue. 



Thanks, Gary


On 6/11/2017 8:36 AM, Gary Bowling
  wrote:


  
  
  
  Since I upgraded my server to CentOS 7 and the latest toaster,
I'm getting sporadic failures logging in from squirrelmail.
  
  
  They fail about 30% of the time. When I get a failure it shows
an "auth failed" in the dovecot.log file even though the
password is correct. I can wait a few minutes, try again,
pasting the same password and it works. 
  
  
  I don't have all that many users and over the weekend there are
  very few logins. I'm concerned that this will increase Mon when
  traffic picks up.
  
  Any thoughts? Thanks, Gary 


  





Re: [qmailtoaster] CentOS 7 Upgrade

2017-06-11 Thread Gary Bowling

  
  


Thanks to Eric's suggestion, I went through the list of messages
  and found the ones where the "S" values didn't reflect the file
  size and renamed them matching the S value in the file name with
  the file size. 



I then removed the maildir_broken_filename_sizes=yes from the
  /etc/dovecot/toaster.conf file and all is well. So that problem is
  resolved. 



Thanks, Gary 


On 6/10/2017 1:22 PM, Gary Bowling
  wrote:


  
  
  
  I found an error in dovecot.log saying "Error: Maildir filename
has wrong S value"
  
  
  After some research, I have resolved the problem by adding this
to the /etc/dovecot/toaster.conf file.
  maildir_broken_filename_sizes=yes
  
  
  However, I'm not sure this is really the best way to fix this.
Any suggestions?
  
  
  Gary 
  
  
  
  
  On 6/10/2017 12:59 PM, Gary Bowling
wrote:
  
  

On 6/10/2017 12:52 PM, Gary Bowling wrote:

  
  
  
  I recently upgraded my centos 5 to a new centos 7 box. This
also caused a change from courier imap to dovecot so some of
my issues have been with that move. I now have most things
working correctly. However I'm stumped on a problem with
squirrelmail. 
  
  
  
  I have a user that you get this error upon log in. 
  
  
  
  ERROR: Could not complete request.
Query: THREAD REFERENCES ISO-8859-1 ALL
Reason Given: [SERVERBUG] Internal error occurred. Refer to
server log for more information. [2017-06-10 16:45:01]
(0.038 + 0.000 + 0.037 secs).
  
  
  The user has a number of folders created with mail sorted
to the folders. I only get this error when you click the
INBOX. Any other folder or box that is selected properly
shows the mail messages in the folder. The user is also
almost over quota so they are getting a quota warning.
  
  
  
  I also do not get this on my mail box, which is not
displaying a quota warning so I wonder if it has to do with
the quota warning.
  
  
  Thanks, Gary
  



update: I cleared up the quota issue and I'm still getting the
same error on the inbox, so nothing to do with quotas.

Gary 
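
The rename described at the top of this message can be scripted. This is an added example, not code from the thread or from the QmailToaster project; it assumes uncompressed Maildir messages under `cur/` and `new/`, goes one step further than the post by also refreshing the `W=` field (the size with CRLF line endings) when a name carries one, and uses constructed sample file names.

```python
import os
import re
import tempfile

# ",S=<bytes>" and ",W=<bytes>" sit in the base name, before the ":2,<flags>"
# suffix. An "S" after ":2," is the Seen flag and must not be touched.
FIELD = re.compile(r",([SW])=(\d+)")


def real_sizes(path):
    """Return {'S': bytes on disk, 'W': size with every line ending as CRLF}."""
    with open(path, "rb") as fh:
        data = fh.read()
    bare_lf = data.count(b"\n") - data.count(b"\r\n")
    return {"S": len(data), "W": len(data) + bare_lf}


def corrected_name(name, sizes):
    """Rewrite the S=/W= fields of one Maildir file name to the given sizes."""
    base, colon, info = name.partition(":")
    base = FIELD.sub(lambda m: ",%s=%d" % (m.group(1), sizes[m.group(1)]), base)
    return base + colon + info


def find_mismatches(maildir):
    """Return [(path, corrected_path)] for messages whose name states a wrong size."""
    found = []
    for sub in ("cur", "new"):
        folder = os.path.join(maildir, sub)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            base = name.partition(":")[0]
            if not os.path.isfile(path) or not FIELD.search(base):
                continue  # nothing in the name to verify
            fixed = corrected_name(name, real_sizes(path))
            if fixed != name:
                found.append((path, os.path.join(folder, fixed)))
    return found


def repair(maildir, dry_run=True):
    """Rename mismatched messages; with dry_run only report what would change."""
    changes = find_mismatches(maildir)
    if not dry_run:
        for old, new in changes:
            if os.path.exists(new):
                raise FileExistsError(new)  # never overwrite another message
            os.rename(old, new)
    return changes


def build_sample_maildir():
    """Constructed test data: one correct name and one with stale S=/W= values."""
    root = tempfile.mkdtemp(prefix="maildir-demo-")
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(root, sub))
    body = b"Subject: test\n\nhello\n"  # 21 bytes on disk, 24 with CRLF
    names = [
        "1497110000.M1P100.mail.example,S=21,W=24:2,S",
        "1497110001.M2P100.mail.example,S=999,W=1020:2,RS",
    ]
    for name in names:
        with open(os.path.join(root, "cur", name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample = build_sample_maildir()
    for old, new in repair(sample, dry_run=True):
        print("would rename", os.path.basename(old), "->", os.path.basename(new))
```

Run it in dry-run mode first and with the mail services for that account stopped, so no client renames a message while the script is working.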
  
  


  





[qmailtoaster] Squirrelmail auth problems

2017-06-11 Thread Gary Bowling

  
  


Since I upgraded my server to CentOS 7 and the latest toaster,
  I'm getting sporadic failures logging in from squirrelmail.


They fail about 30% of the time. When I get a failure it shows an
  "auth failed" in the dovecot.log file even though the password is
  correct. I can wait a few minutes, try again, pasting the same
  password and it works. 


I don't have all that many users and over the weekend there are very
few logins. I'm concerned that this will increase Mon when traffic
picks up.

Any thoughts? Thanks, Gary 
  





Re: [qmailtoaster] Re: CNAME_lookup_failed_temporarily._(#4.4.3)/

2018-04-26 Thread Gary Bowling

  
  


Yea that makes perfect sense, have to always be careful not to
  break anything. Thanks for all the effort. 



Gary 


On 4/26/2018 12:36 PM, Eric Broch
  wrote:


  
  One of the reasons I haven't put this in production yet is that
some users have dkim enabled and this will replace the
qmail-remote perl file with a qmail-remote binary. I guess I
have to figure out a way around it maybe some checking during
install along these lines: if qmail-remote.orig exists back it
up (qmail-remote.orig.bak) and replace it with the new binary.
  
  
  On 4/26/2018 10:28 AM, Gary Bowling
wrote:
  
  



Seems like this should show up when I do a yum update if I
  have the qmt.repo enabled. Or maybe it's still in testing?
  Which I don't have enabled by default. 



Gary


On 4/26/2018 10:53 AM, Eric Broch
  wrote:


  
  Hi Peter, 
  
  This is not a Big DNS failure. It's a problem with CNAME
lookup, and qmailtoaster is patched with the Big DNS patch.
  Dan Bernstein recommended
the removal of the CNAME lookup portion of the code (patch
below), which I did, a function in dns object module which
is called by qmail-remote. There are new binaries with this
patch at the following locations for respective CentOS
version:
  CentOS 7: ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/7/development/x86_64/qmail-1.03-2.2.qt.el7.x86_64.rpm


CentOS 6: ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/6/development/x86_64/qmail-1.03-1.1.qt.el6.x86_64.rpm


CentOS 5: ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/development/i386/qmail-toaster-1.03-1.3.23.i386.rpm


ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/development/x86_64/qmail-toaster-1.03-1.3.23.x86_64.rpm
  Eric
  
  CNAME lookup remove patch:
  
  
  --- qmailqmt/dns.c  2018-01-21 09:03:56.201694493 -0700
+++ qmailqmt-new/dns.c  2018-01-21 09:06:40.696619489 -0700
@@ -249,32 +249,7 @@
 int dns_cname(sa)
 stralloc *sa;
 {
- int r;
- int loop;
- for (loop = 0;loop < 10;++loop)
-  {
-   if (!sa->len) return loop;
-   if (sa->s[sa->len - 1] == ']') return loop;
-   if (sa->s[sa->len - 1] == '.') { --sa->len;
continue; }
-   switch(resolve(sa,T_CNAME))
-    {
- case DNS_MEM: return DNS_MEM;
- case DNS_SOFT: return DNS_SOFT;
- case DNS_HARD: return loop;
- default:
-   while ((r = findname(T_CNAME)) != 2)
-   {
-    if (r == DNS_SOFT) return DNS_SOFT;
-    if (r == 1)
- {
-  if (!stralloc_copys(sa,name)) return DNS_MEM;
-  break;
- }
-   }
-   if (r == 2) return loop;
-    }
-  }
- return DNS_HARD; /* alias loop */
+   return 0;
 }

 #define FMT_IAA 40
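
Review bot: Reducing dns_cname() to `return 0;` also drops the trailing-dot handling that the removed loop did before any lookup (`if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }`), so a name ending in '.' is now passed on unchanged. If any caller relied on that normalisation, keep the dot-stripping lines and remove only the `resolve(sa,T_CNAME)` branch. The function can also no longer return DNS_SOFT or DNS_MEM, so caller branches that handle those values become dead code and are worth checking or removing in the same change.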
  
  
  
  
  
  
  On 4/24/2018 12:48 AM, Peter
Peltonen wrote:
  
  
No ideas? From the archives I can see others have been struggling with
the same issue...

Peter

On Wed, Apr 18, 2018 at 6:52 PM, Peter Peltonen
<peter.pelto...@gmail.com> wrote:


  I am getting this error when sending to the tyks.fi domain:

2018-04-18 18:15:18.787618500 starting delivery 32313: msg 2232943 to
remote ***@tyks.fi
2018-04-18 18:16:01.777845500 delivery 32313: deferral:
CNAME_lookup_failed_temporarily._(#4.4.3)/

I've been searching for this error and found the following:

1) known error for qmail + bind combination
2) fix is to either patch with qmailtoaster-big-dns.patch or use other
recursor than bind

Before I can proceed with 2) I have some questions though:

* Why is the patch not installed by default in the toaster? I can see
Shubert had it:

https://github.com/QMailToaster/qmail/blob/master/qmailtoaster-big-dns.patch

* As I understood it, the problem is a response too big that BIND
cannot handle. I am a bit confused here, as the tyks.fi lookup does
not return a big response and it does not have any CNAME records in
it. Could this error be caused by something else?

* If I were to change resolver and not to patch, can I both run a
BIND server an

Re: [qmailtoaster] Re: CNAME_lookup_failed_temporarily._(#4.4.3)/

2018-04-26 Thread Gary Bowling

  
  


Seems like this should show up when I do a yum update if I have
  the qmt.repo enabled. Or maybe it's still in testing? Which I
  don't have enabled by default. 



Gary


On 4/26/2018 10:53 AM, Eric Broch
  wrote:


  
  Hi Peter, 
  
  This is not a Big DNS failure. It's a problem with CNAME
lookup, and qmailtoaster is patched with the Big DNS patch.
  Dan Bernstein recommended
the removal of the CNAME lookup portion of the code (patch
below), which I did, a function in dns object module which is
called by qmail-remote. There are new binaries with this patch
at the following locations for respective CentOS version:
  CentOS 7: ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/7/development/x86_64/qmail-1.03-2.2.qt.el7.x86_64.rpm


CentOS 6: ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/6/development/x86_64/qmail-1.03-1.1.qt.el6.x86_64.rpm


CentOS 5: ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/development/i386/qmail-toaster-1.03-1.3.23.i386.rpm


ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/5/development/x86_64/qmail-toaster-1.03-1.3.23.x86_64.rpm
  Eric
  
  CNAME lookup remove patch:
  
  
  --- qmailqmt/dns.c  2018-01-21 09:03:56.201694493 -0700
+++ qmailqmt-new/dns.c  2018-01-21 09:06:40.696619489 -0700
@@ -249,32 +249,7 @@
 int dns_cname(sa)
 stralloc *sa;
 {
- int r;
- int loop;
- for (loop = 0;loop < 10;++loop)
-  {
-   if (!sa->len) return loop;
-   if (sa->s[sa->len - 1] == ']') return loop;
-   if (sa->s[sa->len - 1] == '.') { --sa->len;
continue; }
-   switch(resolve(sa,T_CNAME))
-    {
- case DNS_MEM: return DNS_MEM;
- case DNS_SOFT: return DNS_SOFT;
- case DNS_HARD: return loop;
- default:
-   while ((r = findname(T_CNAME)) != 2)
-   {
-    if (r == DNS_SOFT) return DNS_SOFT;
-    if (r == 1)
- {
-  if (!stralloc_copys(sa,name)) return DNS_MEM;
-  break;
- }
-   }
-   if (r == 2) return loop;
-    }
-  }
- return DNS_HARD; /* alias loop */
+   return 0;
 }

 #define FMT_IAA 40
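
Review bot: The added line `+   return 0;` has no comment saying why the CNAME lookup is gone, and it is indented three spaces where the rest of the function used one. A one-line comment above it stating that the lookup was removed deliberately and that `sa` is now returned untouched would stop a later maintainer from restoring the loop, and matching the one-space indent keeps the file consistent.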
  
  
  
  
  
  
  On 4/24/2018 12:48 AM, Peter Peltonen
wrote:
  
  
No ideas? From the archives I can see others have been struggling with
the same issue...

Peter

On Wed, Apr 18, 2018 at 6:52 PM, Peter Peltonen
 wrote:


  I am getting this error when sending to the tyks.fi domain:

2018-04-18 18:15:18.787618500 starting delivery 32313: msg 2232943 to
remote ***@tyks.fi
2018-04-18 18:16:01.777845500 delivery 32313: deferral:
CNAME_lookup_failed_temporarily._(#4.4.3)/

I've been searching for this error and found the following:

1) known error for qmail + bind combination
2) fix is to either patch with qmailtoaster-big-dns.patch or use other
recursor than bind

Before I can proceed with 2) I have some questions though:

* Why is the patch not installed by default in the toaster? I can see
Shubert had it:

https://github.com/QMailToaster/qmail/blob/master/qmailtoaster-big-dns.patch

* As I understood it, the problem is a response too big that BIND
cannot handle. I am a bit confused here, as the tyks.fi lookup does
not return a big response and it does not have any CNAME records in
it. Could this error be caused by something else?

* If I were to change resolver and not to patch, can I both run a
BIND server and have a different resolver at the same time on the same
server?

Best,
Peter




  
  
  -- 
Eric Broch
White Horse Technical Consulting (WHTC)



  





Re: [qmailtoaster] qmail upgrade

2018-02-01 Thread Gary Bowling

  
  
I moved from a CentOS-5 box to a CentOS-7 box last year, so I did
  a full migration/upgrade. It works, but I just want to make sure I
  did things the right way. 



In my /etc/tcprules.d/tcp.smtp file I have
  QMAILQUEUE="/var/qmail/bin/simscan"
I do NOT use domainkeys or DKIM and still have my qmail-queue
  -> /var/qmail/bin/qmail-dk


Maybe I had a problem with that link and muddled around and
  changed it to "simscan" but I don't remember. 



Here are some versions on my machine. 



qmt-release-1-4.qt.el7.noarch
  qmt-plus-1-0.qt.el7.noarch
  qmailmrtg-4.2-3.qt.el7.x86_64
  qmailadmin-1.2.16-2.qt.el7.x86_64
  qmail-1.03-2.1.qt.el7.x86_64


  systemd service: clamav-daemon.service:   [  OK  ]
  systemd service: clamav-daemon.socket:    [  OK  ]
  systemd service: clamav-freshclam:        [  OK  ]
  systemd service: spamd:                   [  OK  ]
  systemd service: dovecot:                 [  OK  ]
  systemd service: mariadb:                 [  OK  ]
  systemd service: httpd:                   [  OK  ]
  systemd service: ntpd:                    [  OK  ]
  systemd service: sshd:                    [  OK  ]
  systemd service: network:                 [  OK  ]
  systemd service: crond:                   [  OK  ]
  systemd service: acpid:                   [  OK  ]
  systemd service: atd:                     [  OK  ]
  systemd service: autofs:                  [  OK  ]
  systemd service: smartd:                  [  OK  ]
  systemd service: irqbalance:              [  OK  ]
  



Please advise as to the right way to do this. 



Thanks, Gary 

On 2/1/2018 12:43 AM, Eric Broch wrote:

Hello
  list,
  
  
  If anyone has upgraded qmail lately, especially those of you who
  DO NOT use domainkeys and those who DO use dkim, remember that an
  upgrade overwrites the qmail binaries (/var/qmail/bin). This could
  affect domainkeys, which you really shouldn't use anymore IMHO,
  and DKIM signing.
  
  
  1) Domainkeys: If you DON'T use domainkeys and you've upgraded you
  might have to unlink qmail-queue from qmail-dk and link (ln -s) it
  to qmail-queue.orig. Another approach is to simply change
  QMAILQUEUE in /etc/tcprules.d/tcp.smtp (below).
  
  
  QMAILQUEUE="/var/qmail/bin/qmail-queue.orig"
  
  
  
  2) DKIM: On upgrade the perl script 'qmail-remote' which calls
  'qmail-remote.orig', will be overwritten...run the following
  commands
  
  
  # wget -O /var/qmail/bin/qmail-remote https://raw.githubusercontent.com/qmtoaster/dkim/master/qmail-remote
  
  
  # chown root:qmail /var/qmail/bin/qmail-remote
  
  
  # chmod 777 /var/qmail/bin/qmail-remote
  
  
  Sorry about the inconvenience.
  
  
  Comments and suggestions please!
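
A post-upgrade check for the two items in the quoted message, together with the QMAILQUEUE setting and the qmail-queue link raised in the reply, as an added example (not QmailToaster code). The function names, the finding labels and the constructed sample tree are assumptions; the paths come from the thread. It also reports any program in the bin directory that is world-writable.

```python
import os
import re
import stat
import tempfile

QMAILQUEUE_RE = re.compile(r'QMAILQUEUE="([^"]*)"')
BIN = "var/qmail/bin"                    # paths as given in the thread
TCP_SMTP = "etc/tcprules.d/tcp.smtp"


def qmailqueue_settings(text):
    """Map each tcprules address to the QMAILQUEUE value its rule sets."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        match = QMAILQUEUE_RE.search(line)
        if line and not line.startswith("#") and match:
            found[line.split(":", 1)[0]] = match.group(1)
    return found


def describe(path):
    """Return (kind, link_target, world_writable) for one program file."""
    target = os.readlink(path) if os.path.islink(path) else None
    if not os.path.exists(path):
        return "missing", target, False
    writable = bool(os.stat(path).st_mode & stat.S_IWOTH)
    if not os.path.isfile(path):
        return "other", target, writable
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(b"#!"):
        return "script", target, writable
    return ("binary" if head == b"\x7fELF" else "other"), target, writable


def audit(root, uses_domainkeys, uses_dkim):
    """Return sorted (check, detail) findings for a toaster tree under root."""
    bin_dir = os.path.join(root, BIN)
    findings = []
    with open(os.path.join(root, TCP_SMTP)) as fh:
        rules = qmailqueue_settings(fh.read())
    for address, program in rules.items():
        if describe(os.path.join(root, program.lstrip("/")))[0] == "missing":
            findings.append(("qmailqueue-missing", program))
    target = describe(os.path.join(bin_dir, "qmail-queue"))[1]
    if target and os.path.basename(target) == "qmail-dk" and not uses_domainkeys:
        findings.append(("queue-links-to-qmail-dk", target))
    if uses_dkim:
        # The DKIM wrapper is a script that calls qmail-remote.orig.
        if describe(os.path.join(bin_dir, "qmail-remote"))[0] != "script":
            findings.append(("dkim-wrapper-overwritten", "qmail-remote"))
        if describe(os.path.join(bin_dir, "qmail-remote.orig"))[0] == "missing":
            findings.append(("dkim-orig-missing", "qmail-remote.orig"))
    for name in sorted(os.listdir(bin_dir)):
        if describe(os.path.join(bin_dir, name))[2]:
            findings.append(("world-writable", name))
    return sorted(findings)


def build_sample_root():
    """Constructed tree: a host right after an upgrade replaced the binaries."""
    root = tempfile.mkdtemp(prefix="qmt-demo-")
    bin_dir = os.path.join(root, BIN)
    os.makedirs(bin_dir)
    os.makedirs(os.path.join(root, os.path.dirname(TCP_SMTP)))
    for name in ("qmail-queue.orig", "qmail-dk", "simscan",
                 "qmail-remote", "qmail-remote.orig"):
        path = os.path.join(bin_dir, name)
        with open(path, "wb") as fh:
            fh.write(b"\x7fELF placeholder")   # stands in for a real binary
        os.chmod(path, 0o755)
    os.chmod(os.path.join(bin_dir, "qmail-remote"), 0o777)
    os.symlink("qmail-dk", os.path.join(bin_dir, "qmail-queue"))
    with open(os.path.join(root, TCP_SMTP), "w") as fh:
        fh.write('# constructed sample\n127.:allow,RELAYCLIENT=""\n'
                 ':allow,QMAILQUEUE="/var/qmail/bin/simscan"\n')
    return root


if __name__ == "__main__":
    for check, detail in audit(build_sample_root(), False, True):
        print(check, detail)
```

On a real host call `audit("/", uses_domainkeys, uses_dkim)` with the values that match the site, and run it after every package upgrade that touches /var/qmail/bin.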
  
  


  





[qmailtoaster] ClamAV 0.99.3-2 Problem

2018-01-27 Thread Gary Bowling

  
  


Per the previous thread, I tried updating to ClamAV 0.99.3-2 on
  my CentOS 7 box. 



The services are not created properly. I tried both the yum
  update via the test repository and also tried downloading the RPM
  from and installing via rpm -Uvh. Both have the same issue. 



Prior to installing, my toaststat shows this. 

  systemd service: clamav-daemon.service:   [  OK  ]
  systemd service: clamav-daemon.socket:    [  OK  ]
  systemd service: clamav-freshclam:        [  OK  ]



After installing, my toaststat shows this.
systemd service: clamav-freshclam:   [  FAILED  ]


With no services created for clamav-daemon. 



Also, with this situation if I enable clam in my simcontrol file,
  it doesn't work. 



Thanks, Gary

  





Re: [qmailtoaster] ClamAV 0.99.3-2 Problem

2018-01-27 Thread Gary Bowling

  
  


Yes, good here too. I did not have to execute the systemctl
  commands, mine just worked. Thanks for all the work. 


Gary 


On 1/27/2018 11:21 AM, Eric Broch
  wrote:


  
  Thanks Rodrigo (and to all) for testing.
  
  
  On 1/27/2018 9:19 AM, Rodrigo Cortes
wrote:
  
  

  
Hi!!!
  

Working fine now!

  
  Thx.


  2018-01-27 13:18 GMT-03:00 Eric Broch
<ebr...@whitehorsetc.com>:
I had to
  do the following:
  
  systemctl start clamav-freshclam.service
  
  systemctl enable clamav-freshclam.service
  

  
  
  On 1/27/2018 9:16 AM, Eric Broch wrote:
  
OK

Try now

ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/7/testing/x86_64/clamav-0.99.3-2.qt.el7.x86_64.rpm




On 1/27/2018 8:30 AM, Gary Bowling wrote:

  
  
  Per the previous thread, I tried updating to
  ClamAV 0.99.3-2 on my CentOS 7 box.
  
  
  The services are not created properly. I tried
  both the yum update via the test repository and
  also tried downloading the RPM from and installing
  via rpm -Uvh. Both have the same issue.
  
  
  Prior to installing, my toaststat shows this.
  
  systemd service: clamav-daemon.service:   [  OK  ]
  systemd service: clamav-daemon.socket:    [  OK  ]
  systemd service: clamav-freshclam:        [  OK  ]
  
  
  After installing, my toaststat shows this.
  
  systemd service: clamav-freshclam:        [  FAILED  ]
  
  
  With no services created for clamav-daemon.
  
  
  Also, with this situation if I enable clam in my
  simcontrol file, it doesn't work.
  
  
  Thanks, Gary
  
  


  
  
  -- 
  Eric Broch
  White Horse Technical Consulting (WHTC)
  
  
  

  

  
  

  
  
  -- 
Eric Broch
White Horse Technical Consulting (WHTC)



  





Re: [qmailtoaster] CNAME lookup failed temporarily -- workarounds?

2018-02-15 Thread Gary Bowling

  
  


Thanks for that Jeff, yes YMMV and every situation is different,
  my old server was a mysql version and didn't have those
  challenges. For sure set up the new box and test things prior to
  changing DNS. Until you change DNS, everything is still on the old
  box giving you time to test and determine if you're ready to go. 



Gary


On 2/15/2018 9:44 AM, Jeff Koch wrote:


  
  Angus - I would be very
cautious about switching if you've been using the non-mysql
(cdb) version of the qmail toaster and you have many domains on
the mailserver. You'll have to run a bunch of scripts to convert
vpasswd and the dot-qmail forwards to the mysql format. And each
domain has to be handled individually. I did this conversion
with a mailserver with 150 domains and it took several days.

The good news is that Eric Broch recently put together a CDB
version of the QMT 7 and I just finished converting a mailserver
with 20 domains. It went much faster. I was able to tar-zip and
dump in the entire /home/vpopmail/domains directory. Of course I
had to update things in the /var/qmail/control and /users
directories and setup some symlinks to handle changed locations.
I'm still standing by and listening for user comments but it
seems to be working very well.

Next, I plan to tackle two old qmail servers with over a 1000
domains each.

Jeff
  



Re: [qmailtoaster] CNAME lookup failed temporarily -- workarounds?

2018-02-15 Thread Gary Bowling

  
  


For what it's worth, I was in the same boat last year and made
  the decision to move it to a new server. Set up a new CentOS 7 box
  as a virtual server at linode. Which was very painless. The
  install of the toaster on that box was a breeze, the guys have
  done a great job of supplying us with RPMs and scripts to get it
  done easily.



Moving over all the old mail was likewise very easy and just
  worked. I rsync'd from the old box to the new. The tricky part is
  cutting the users over. You need to set your DNS TTL to something
  really low (I first set mine to 4 hours, then to 1 minute the day
  of the cutover). That makes your MX and A records move very
  quickly. At cut time, change your DNS, do a final rsync of all the
  old mail, make sure your ownership and permissions are all right
  and you're done. 



The transition was much smoother and easier than I had thought
  and everything worked like a charm. 



So while it's not what you're looking for in terms of a short-term
  fix, I do encourage you to take the plunge and move it. It's
  really not that bad and will clean up your entire environment. 



Gary


On 2/15/2018 9:16 AM, Angus McIntyre
  wrote:

I'm running a fairly ancient qmail (netqmail-1.0.5, according to the
  manual) on CentOS 5, and I'm starting to get bitten with
  increasing frequency by the 'CNAME lookup failed temporarily' bug.
  
  
  I urgently need to build a new host with an up-to-date OS and the
  latest version of qmail and move everything over, but I don't have
  the time to do that right now. I'm very hesitant to screw with
  this particular configuration (which is a mess) in case I bring
  everything crashing down around my ears.
  
  
  So the question is, is there any easy (temporary) fix for this
  issue?
  
  
  Thanks,
  
  
  Angus
  
  



[qmailtoaster] password complexity and length

2018-04-04 Thread Gary Bowling

  
  


Last time I checked it was either not possible or not easy to
  implement password rules on the toaster. But that was a long time
  ago. 



Has anything changed in that regard?

-- 
  
  Gary Bowling

  





Re: [qmailtoaster] password complexity and length

2018-04-05 Thread Gary Bowling

  
  


Thanks Jeff. Just to make sure, if I do that edit it doesn't
  affect any existing passwords? Only inputting any new passwords or
  changing any passwords?


Also, I guess a user can still change their password via
  squirrelmail and bypass these rules? That rarely happens on my
  server, but just want to make sure I understand.



Thanks, Gary


On 4/4/2018 11:03 PM, Jeff Koch wrote:


  
  You can insert JavaScript password rules in the html code templates
  for qmailadmin.

  Here's a simple password strength JavaScript that goes in the
  top of mod_user.html

    function passwordStrength(password)
    {
        var desc = new Array();
        desc[0] = "Very Weak";
        desc[1] = "Weak";
        desc[2] = "Better";
        desc[3] = "Medium";
        desc[4] = "Strong";
        desc[5] = "Strongest";

        var score = 0;

        // if password is longer than 7 characters give 1 point
        if (password.length > 7) score++;

        // if password has both lower and uppercase characters give 1 point
        if ( ( password.match(/[a-z]/) ) && ( password.match(/[A-Z]/) ) ) score++;

        // if password has at least one number give 1 point
        if (password.match(/\d+/)) score++;

        // if password has at least one special character give 1 point
        // (character class without the stray leading "." and the commas, and
        // with "-" escaped, so a special character in any position counts)
        if ( password.match(/[!@#$%^&*?_~\-()]/) ) score++;

        // if password is longer than 12 characters give another 1 point
        if (password.length > 12) score++;

        document.getElementById("passwordDescription").innerHTML = desc[score];
        document.getElementById("passwordStrength").className = "strength" + score;

        // enable the submit button only when the score is above 2
        if (score > 2) {
            document.getElementById("btnSubmit").disabled = false;
        } else {
            document.getElementById("btnSubmit").disabled = true;
        }

        return score;
    }



then further along in the code we have:

    Password strength:
    Password not entered

Passwords must be at least eight characters and include three of the
following four types: upper case letters, lower case letters, numbers
and special characters.




Regards, Jeff







  
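The posted script enables the submit button when the score is above 2, while the template text states a rule of eight characters and three of four character types. The following added example (not code from the thread or from qmailadmin) runs both checks over constructed sample passwords to show where they differ; the function names are hypothetical and the symbol set is taken from the regex in the posted script.

```javascript
// Added example; not part of the original thread or of qmailadmin.
// Symbol set taken from the regex in the posted script.
const SPECIAL = /[!@#$%^&*?_~\-()]/;

// Scoring as described in the thread: one point each for length > 7,
// mixed case, a digit, a special character, and length > 12.
function threadScore(password) {
  let score = 0;
  if (password.length > 7) score++;
  if (/[a-z]/.test(password) && /[A-Z]/.test(password)) score++;
  if (/\d/.test(password)) score++;
  if (SPECIAL.test(password)) score++;
  if (password.length > 12) score++;
  return score;
}

// The posted script enables the submit button when the score is above 2.
function threadGateAllows(password) {
  return threadScore(password) > 2;
}

// The rule as worded in the template text: at least eight characters and
// three of the four character types.
function checkStatedPolicy(password) {
  const classes = {
    upper: /[A-Z]/.test(password),
    lower: /[a-z]/.test(password),
    digit: /\d/.test(password),
    special: SPECIAL.test(password),
  };
  const classCount = Object.values(classes).filter(Boolean).length;
  const reasons = [];
  if (password.length < 8) reasons.push("shorter than 8 characters");
  if (classCount < 3) reasons.push(`only ${classCount} of 4 character types`);
  return { ok: reasons.length === 0, classCount, reasons };
}

// Constructed sample inputs.
const SAMPLES = ["Ab1!", "abcdefghijklm1", "Abcdefg1", "ABCDEFG1!", "password"];

// Evaluate every sample with both checks.
function compareGates(samples) {
  return samples.map((pw) => ({
    password: pw,
    score: threadScore(pw),
    gateAllows: threadGateAllows(pw),
    policy: checkStatedPolicy(pw),
  }));
}

// Passwords on which the score gate and the stated rule disagree.
function mismatches(samples) {
  return compareGates(samples)
    .filter((r) => r.gateAllows !== r.policy.ok)
    .map((r) => r.password);
}

for (const r of compareGates(SAMPLES)) {
  const why = r.policy.ok ? "meets stated rule" : r.policy.reasons.join("; ");
  console.log(`${r.password}: score ${r.score}, button ${r.gateAllows ? "enabled" : "disabled"}, ${why}`);
}
```

On these samples the score gate accepts everything the stated rule accepts, and additionally accepts a four-character password and a long password with only two character types.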



Re: [qmailtoaster] password complexity and length

2018-04-05 Thread Gary Bowling

  
  


Ah, answered one of my own questions. Squirrelmail calls
  qmailadmin, so it would change there as well.


I don't believe it would do anything to existing users' passwords,
  but just want to confirm before giving it a try.



Thanks, Gary



Re: [qmailtoaster] password complexity and length

2018-04-05 Thread Gary Bowling

  
  


Thanks, I made the modifications and I get the note in qmailadmin
  and it lists whether my password is weak, strong, etc. 



However, it still allows me to put in a non-secure password and
  accepts it. How do I make it "fail" on a password that doesn't
  meet the requirements?


By the way, I think this should be the default in the qmailadmin
  code. 



Thanks, Gary 


On 4/5/2018 10:04 AM, Jeff Koch wrote:


  
  Sorry - I left out this
piece of code - goes right before the code that says password2.
It's been 10 years since we looked at this.

    
  ##X110:
  
    
  
    
  
  Jeff
  
  On 4/5/2018 9:55 AM, Jeff Koch wrote:
  
  

Hi Gary:
  
  Only affects new passwords entered in mod_user.html. You'll
  need to add similar JavaScript to 'add_user.html'. You can do
  the same in squirrelmail if you can find the correct place to
  slug in the JavaScript. The code analyzes text entered in the
  input field 'password' and grays out the submit button until
  the password meets the test criteria. It's pretty basic code
  and I'm sure JavaScript experts could do a lot to improve it
  and give more clues to the users.
  
  One of the problems with messing with the templates is that
  there is no table defining the hash mark codes like ##tt ##tu
  ##X251. If anyone has a cheat sheet please share.
  
  Jeff


Re: [qmailtoaster] password complexity and length

2018-04-05 Thread Gary Bowling

  
  


Also, does the code below replace the old "password1" section?
  Which looked like this.


  
      ##X110:
      
    



And I assume the password2 section remains the same, which looked
  like this. 



  
      ##X091
      
    
  



Thanks and sorry for all the questions, I'm not a coder
  (obviously!) which of course is why I have a toaster in the first
  place. But I can follow directions!


Gary



Re: [qmailtoaster] password complexity and length

2018-04-05 Thread Gary Bowling

  
  


Perfect, that worked!!


Thanks very much. 



Gary 


On 4/5/2018 11:01 AM, Jeff Koch wrote:


  
  For that section:

The original code was this:

 
  
  
  
  
  
  
  
    ##X092:
    
  
  
    ##X110:
    
  
  
    ##X091
    
  
##tq  
    ##X249:
    
##ta
  
  ##X251
 .
..
    
 
  
 
    
   
   




The modified code looks like this:

   
  
  
  
  
  
  
  
  
    
  ##X092:
  
    
  
    
    
  ##X110:
  
    
  
    
    
  ##X091
  
    
  
    
  
    Password strength:
    Password
not entered
  
  
    
    
    
    
    
  

Passwords must be at least eight
characters and include three of the following four types: upper
case letters, lower case letters, numbers and special
characters.



  ##tq
  
    ##X249:
    
##ta
    
##X251

...
..
  
    

    
    
  
  
    




Jeff


  

Re: [qmailtoaster] qmt.repo for centos7

2019-01-10 Thread Gary Bowling

  
  


Excellent. Thanks, just wanted to confirm so I don't go looking
  for updates elsewhere. 



Gary

On 1/10/2019 11:41 AM, Eric Broch
  wrote:

here's the most recent set up

  # cat /etc/yum.repos.d/qmt.repo

  [qmt-current]
  # Qmailtoaster current repository
  name=QMT Current Repository
  mirrorlist=https://www.qmailtoaster.org/qmt-mirrorlist-current
  #mirrorlist=https://raw.githubusercontent.com/qmtoaster/mirrorlist/master/qmt-mirrorlist-current
  #mirrorlist=file:///etc/yum.repos.d/qmt-mirrorlist-current
  #baseurl=ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/$releasever/current/$basearch/
  enabled=1
  gpgcheck=0
  priority=7

  [qmt-testing]
  # Qmailtoaster testing repository
  name=QMT Testing Repository
  mirrorlist=https://www.qmailtoaster.org/qmt-mirrorlist-testing
  #mirrorlist=https://raw.githubusercontent.com/qmtoaster/mirrorlist/master/qmt-mirrorlist-testing
  #mirrorlist=file:///etc/yum.repos.d/qmt-mirrorlist-testing
  #baseurl=ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/$releasever/testing/$basearch/
  enabled=0
  gpgcheck=0
  priority=7

  [qmt-devel]
  # Qmailtoaster development repository
  name=QMT Development Repository
  mirrorlist=https://www.qmailtoaster.org/qmt-mirrorlist-development
  #mirrorlist=https://raw.githubusercontent.com/qmtoaster/mirrorlist/master/qmt-mirrorlist-development
  #mirrorlist=file:///etc/yum.repos.d/qmt-mirrorlist-development
  #baseurl=ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/$releasever/development/$basearch/
  enabled=0
  gpgcheck=0
  priority=7
  
  
  
  



[qmailtoaster] qmt.repo for centos7

2019-01-10 Thread Gary Bowling

  
  


Is the qmt.repo for centos 7 still valid? I don't think I've
  received an update from that channel in a long time and seems like
  the last time I updated clamav I did it manually. 



Thanks, Gary

-- 
  
  Gary Bowling
  

  





Re: [qmailtoaster] mailserver on AWS

2019-03-02 Thread Gary Bowling

  
  


I looked into this at one point. But you can get a VPS at linode
  for $25/month capable of running a full qmailtoaster. Obviously
  not powerful enough for a million users, but I have over 1000
  spread across 10 or so domains on it with no issues.


With AWS, if you get a dedicated IP address you just spent
  $25/month. Then there are message fees, data fees, compute usage,
  metrics, etc. etc. All the fees are small, but added up I found it
  to be more expensive than just running a toaster on linode. There
  are possibly other vendors too, I'm not doing an advertisement for
  linode, that's just who I wound up using.


Depending on the number of users and traffic, you might be able
  to get by with an even smaller VPS. I have one for DNS that is
  only $5/month, 1G ram, 1 CPU, 25G storage. Scale your machine
  up/down depending on your requirements.



Gary

On 3/2/2019 2:57 PM, Chris wrote:


  
  
I've been researching moving my toaster from its current
  home into AWS, which is why I had those URLs bookmarked. 
  Haven't actually done it yet, so I don't know how AWS deals
  with complaints.  Sorry I can't be more helpful on that front.


-Chris

  
  
  
On Sun, Mar 3, 2019 at 8:53 AM
  Jeff Koch 
  wrote:


   Hi Chris - I have heard that AWS is really
  unforgiving if any spam gets sent out of the mailserver.
  Have you had experience running a full mailserver on AWS? 
  
  
  Despite everything we do to control outgoing spam -
  including send throttling - our users get hacked and their
  email credentials get used by spammers. We are able to
  limit the damage to a minimal amount of spam but
  nevertheless we get some complaints.
  
  Jeff

On
  3/2/2019 2:27 PM, Chris wrote:


  AWS has a form where you can request the
outbound smtp limitations be removed for a legitimate
mail server.  

Amazon Web
Services - MAIL SERVER 





They also have a form for requesting reverse DNS on
  your elastic IP so your mail doesn't run afoul of DNS
  validation.


Route 53
Reverse DNS 



  
  
  
On Sun, Mar 3, 2019 at
  7:07 AM Eric Broch 
  wrote:

I'm not sure, maybe start smtp under different port.
  
  On 3/1/2019 4:16 PM, Jeff Koch wrote:
  >
  > I'd like to build a qmailtoaster mailserver on an AWS instance but as
  > you probably know AWS pretty much blocks outgoing traffic on port 25.
  > So I'm thinking that I can tunnel outgoing port 25 traffic to a server
  > on a less picky hosting service. Has anyone ever done something like
  > that or have any info on how to set up that kind of tunnel? or perhaps
  > accomplish the same thing another way/
  >
  > Jeff
  >
  -- 
  Eric Broch
  White Horse Technical Consulting (WHTC)
  
  



Re: [qmailtoaster] fail2ban and 'null password given'

2019-06-03 Thread Gary Bowling

  
  


Good reminder to check my fail2ban config. I did and found that
  it wasn't running since moving my config over to Centos 7 and
  rebuilding my server. 



The systemctl status fail2ban.service gives me no information as
  to why it's not starting nor do the logs.


So, I guess I need to do some more investigating as to why my
  service is not starting. Any ideas would be helpful. I'm running
  the same configs as are listed in the referenced wiki.


Gary



On 6/3/2019 7:37 AM, Angus McIntyre
  wrote:

If you're smart, you're probably running 'fail2ban' (or something
  similar) on your qmailtoaster to block password-guessing attempts.
  You may also have used the rules given at:
  
  
      http://wiki.qmailtoaster.com/index.php/Fail2Ban
  
  
  to configure it.
  
  
  This morning I happened to check my logs and discovered a
  ridiculous number of password-guessing attempts from a single IP,
  all of which had apparently gone unblocked by fail2ban. It turned
  out that the attacker was sending an empty password string, so
  that the log lines looked something like:
  
  
   vchkpw-submission: null password given phil:192.129.186.58
  
  
  There was no corresponding rule in my
  '/etc/fail2ban/filter.d/vpopmail.conf' to capture this case, so
  the attacker was able to try over and over again, unbanned.
  
  
  The attack script seems to be badly broken: it hits the same
  usernames over and over again, always with the same null password,
  and without even including the hostname part of the username (i.e.
  'phil' rather than 'p...@example.com'), so I'd rate its chances of
  succeeding as minimal. Still, it'll inflate your log files, so you
  probably want to ban it.
  
  
  So you might want to consider tweaking your fail2ban configuration
  to ensure that the failregex in 'vpopmail.conf' successfully
  matches 'null password given' as well as the default 'vpopmail
  user not found' string.
  
  
  Angus
  
  
  
  
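The gap described in the quoted post, as an added example that is not the wiki's filter and not fail2ban's own code: two hypothetical pattern lists built from the strings quoted in the post are run over constructed log lines shaped like the one shown there. `<HOST>` is fail2ban's placeholder for the offending address and is expanded here to a plain IPv4 group, which is a simplification; the syslog prefix, the addresses and the threshold of 3 are assumptions.

```javascript
// Added example; not the wiki's filter and not fail2ban's own code.
// <HOST> is expanded to a plain IPv4 capture group (simplification).
const HOST_IPV4 = "(\\d{1,3}(?:\\.\\d{1,3}){3})";

function compileFailregex(pattern) {
  return new RegExp(pattern.replace("<HOST>", HOST_IPV4));
}

// Hypothetical patterns built from the two strings quoted in the post.
const USER_NOT_FOUND_ONLY = [
  "vchkpw-\\S+: vpopmail user not found \\S+:<HOST>$",
];
const WITH_NULL_PASSWORD = [
  ...USER_NOT_FOUND_ONLY,
  "vchkpw-\\S+: null password given \\S+:<HOST>$",
];

// Constructed log lines using documentation addresses.
const SAMPLE_LOG = [
  "Jun  3 07:01:10 mail vpopmail[2101]: vchkpw-submission: null password given phil:192.0.2.58",
  "Jun  3 07:01:12 mail vpopmail[2103]: vchkpw-submission: null password given admin:192.0.2.58",
  "Jun  3 07:01:13 mail vpopmail[2104]: vchkpw-submission: vpopmail user not found bob@example.com:198.51.100.9",
  "Jun  3 07:01:15 mail vpopmail[2106]: vchkpw-submission: (PLAIN) login success alice@example.com:203.0.113.7",
  "Jun  3 07:01:16 mail vpopmail[2107]: vchkpw-submission: null password given phil:192.0.2.58",
  "Jun  3 07:01:19 mail vpopmail[2109]: vchkpw-submission: null password given info:192.0.2.58",
];

// Count matching failure lines per source address.
function countFailures(lines, patterns) {
  const regexes = patterns.map(compileFailregex);
  const perHost = new Map();
  for (const line of lines) {
    for (const re of regexes) {
      const m = re.exec(line);
      if (m) {
        perHost.set(m[1], (perHost.get(m[1]) || 0) + 1);
        break; // one failure per line, whichever pattern matched first
      }
    }
  }
  return perHost;
}

// Addresses whose failure count reaches the threshold.
function hostsOverLimit(lines, patterns, maxretry) {
  return [...countFailures(lines, patterns)]
    .filter(([, count]) => count >= maxretry)
    .map(([host]) => host)
    .sort();
}

console.log("user-not-found only:", hostsOverLimit(SAMPLE_LOG, USER_NOT_FOUND_ONLY, 3));
console.log("with null password: ", hostsOverLimit(SAMPLE_LOG, WITH_NULL_PASSWORD, 3));
```

Testing a candidate pattern against real log lines with `fail2ban-regex` before reloading the jail confirms that it matches the intended lines.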



[qmailtoaster] SSL Problem Dovecot

2019-09-03 Thread Gary Bowling

  
  


I had to get a new cert for my server, which I installed
  yesterday. Now I'm having problems with certain clients logging
  in. I get the following error in the dovecot.log.


TLS handshaking: SSL_accept() failed: error:1408A10B:SSL
  routines: ssl3_get_client_hello:wrong version number


Any help would be appreciated. 



Thanks, Gary 

-- 
  
  Gary Bowling
  

  





Re: [qmailtoaster] SSL Problem Dovecot

2019-09-03 Thread Gary Bowling

  
  


So this may be an issue of the tlsserverciphers file. Sometimes
  it's interesting not knowing what you're doing! haha



I guess the question I have is.. What is the proper
  tlsserverciphers for a qmailtoaster with a letsencrypt
  certificate. If that even makes sense.



And what is the proper way to actually do it. I've read multiple
  things on various forums, including here. 



One says to do:

echo "!EDH:!DHE:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL" > /var/qmail/control/tlsserverciphers


One says to do:

openssl ciphers 'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES' > /var/qmail/control/tlsserverciphers


yet another says to create a sym link to the servercert.pem file.

ln -sf /var/qmail/control/servercert.pem /var/qmail/control/tlsserverciphers




I guess it has to do with how tight you want security to be and
  maybe tlsserverciphers can contain various forms of how to define
  that. Just looking for what "most" people would use for an up to
  date Centos 7 server.



Thanks, Gary






Re: [qmailtoaster] SSL Problem Dovecot

2019-09-03 Thread Gary Bowling

  
  


Thanks for that Carl. I'm running
  openssl-1.0.2k-16.el7_6.1.x86_64


Pretty much everything about my server is continuously updated
  stock Centos 7. Currently at CentOS Linux release 7.6.1810 (Core)


I do have epel installed, which updates some things and the qmt
  repo. That's it, and I'm a stickler for NOT installing anything
  that isn't done through yum and those repos. I've done this long
  enough to know that it's much easier to maintain, migrate to a new
  server, etc. if you're running everything in a managed way. So
  installing the repos and doing yum installs is pretty much the
  only way anything ever changes on my server, sans config files.


Would be very interested in knowing not only the proper
  tlsservercipher file for this type of server, but also how to
  create/recreate it if it's a command done from openssl. Looks like
  you can create it with the command.



openssl ciphers > /var/qmail/control/tlsservercipher


But what I'm reading is that your advice is to NOT do that due to
  security concerns. So what would you recommend?



Thanks, Gary



On 9/3/2019 3:28 PM, CarlC Internet
  Services Service Desk wrote:


  
  
  
  
Your real problem is that this file is different based on which
CentOS you’re on [or should I say, which openssl is loaded].
If you have CentOS 7, with openssl 1.0.2k, you can tune this
file to include each cipher you want [the file can actually
be 10+ lines long wrapped]. This is so you can remove all
the “hacked” ciphers, especially to force your clients
security to remain high. If you're running openssl 0.9.x, you
don’t get the newer TLS ciphers you need to be secure.

Using the default is way too low, and if you do, you will where
someone gets hacked over a ‘free’ WiFi connection [because
you had SSL 3.0/TLS 1.0 on].

Carl
 

  
From:
    Gary Bowling [mailto:g...@gbco.us] 
Sent: Tuesday, September 03, 2019 02:58 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SSL Problem Dovecot
  

 
 
So this may be an issue of the tlsserverciphers file. Some
  times it's interesting not knowing what your doing! haha
 
I guess the question I have is.. What is the proper
  tlsserverciphers for a qmailtoaster with a letsencrypt
  certificate. If that even makes sense.
 
And what is the proper way to actually do it. I've read
  multiple things on various forums, including here. 
 
One says to do:
echo
"!EDH:!DHE:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL"
  > /var/qmail/control/tlsserverciphers
 
One says to do:
openssl ciphers 'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES' >
  /var/qmail/control/tlsserverciphers
 
yet another says to create a sym link to the servercert.pem
  file. 
 
ln -sf /var/qmail/control/servercert.pem
  /var/qmail/control/tlsserverciphers
 
 
I guess it has to do with how tight you want security to be
  and maybe tlsserverciphers can contain various forms of how to
  define that. Just looking for what "most" people would use for
  an up to date Centos 7 server.
 
Thanks, Gary
 

      On 9/3/2019 11:04 AM, Gary Bowling wrote:


   
  I had to get a new cert for my server, which I installed
yesterday. Now I'm having problems with certain clients
logging in. I get the following error in the dovecot.log.
   
  TLS handshaking: SSL_accept() failed: error:1408A10B:SSL
routines: ssl3_get_client_hello:wrong version number
   
  Any help would be appreciated. 
   
  Thanks, Gary 
  
-- 
  ________
  Gary Bowling
  
  

Re: [qmailtoaster] test

2019-09-05 Thread Gary Bowling

  
  


Success!


Gary


On 9/5/2019 10:27 AM, Eric Broch wrote:

mail
  test
  
  
  
  
  
  

  





Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling

  
  


Interesting. Thanks for the doveconf -a command, didn't know
  about that one. Also shows that I have 

ssl_prefer_server_ciphers = no


Which might need to be changed to "yes"


Gary 



On 9/4/2019 11:21 AM, Eric Broch wrote:


  
  

  

  

  
You can find out your Dovecot cipher
  list with this command:
  # doveconf -a | grep cipher
  ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
  
  
  
  I changed the Dovecot cipher list to point to
a file and it works fine with above settings in
the file.
  ssl_cipher_list =

  
  
  
  When I changed the Dovecot cipher list to
point to qmail's ciphers
  ssl_cipher_list =

  
  I Get errors in the Dovecot log: imap-login:
Error: Failed to initialize SSL server context:
Can't set cipher list to (output list below).
  
  
  
  
  
  
  
]# cat /var/qmail/control/tlsclientciphers
DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA
  
  
  

  

  

  

  
  
  
On Wed, Sep 4, 2019 at 9:02 AM
  CarlC Internet Services Service Desk <ab...@carlc.com>
  wrote:


  

  Gary,
   
  https://www.immuniweb.com/ssl/
is perfect way to test. I think everyone agrees, we just
don’t want to set it “X” and assume it’s the best.
   
  Since Dovecot can use a different
encryption list than Qmail, that’s why you need to test
each port. I think you got the main idea of it now.
   
  Carl
   
  

  From:
      Gary Bowling [mailto:g...@gbco.us]
  
  Sent: Wednesday, September 04, 2019 10:50
  AM
  To: qmailtoaster-list@qmailtoaster.com
  Subject: Re: [qmailtoaster] SSL Problem
  Dovecot

  
   
   
  Yes it's a bit tricky for sure. Phones for email, which
I have a lot of. I have a customer with a fax machine
that emails faxes, so it has an email account configured
in it. All these things run TLSv1 and aren't things I
can dictate go away.
   
  I also found that squirrelmail uses TLSv1 and
ECDHE-RSA-AES256-SHA. Since it's

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling

  
  


Carl, when I put that statement in my dovecot conf I get the
  following in my log on startup.


  Sep 04 13:39:41 config: Warning: Obsolete setting in /etc/dovecot/local.conf:22: ssl_protocols has been replaced by ssl_min_protocol
  Sep 04 13:39:41 config: Error: Could not find a minimum ssl_min_protocol setting from ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2: Unrecognized protocol 'SSLv2'



Thanks, Gary 



On 9/4/2019 1:20 PM, CarlC Internet
  Services Service Desk wrote:


  
  
  
  

  

  
For Dovecot, I use
 
ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2
 
Then under
ssl_cipher_list, I have a long list of ciphers [and
blocked ones] that start with the strongest and work
downward from there. When I run a scan against
IMAPS, any that are found to be compromised, I
change the list to match. This is why I don’t list
mine as it’s fluid based on the latest scans.
 
$0.02,
Carl
  

  

  

  





Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling

  
  


Correct, the default is 

ssl_min_protocol = TLSv1


which is newer than SSLv3 and SSLv2 is no longer even supported
  at all. 



So effectively the default is the same as your old list of
  TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2


Gary



On 9/4/2019 1:51 PM, CarlC Internet
  Services Service Desk wrote:


  
  
  
  
Yup, turns out that’s a left over from before Dovecot 2.2…. It
was getting ignored and the default is TLSv1.
 
Removed from my config as obsolete.
Carl
 

  
From:
Gary Bowling [mailto:g...@gbco.us] 
Sent: Wednesday, September 04, 2019 01:44 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SSL Problem Dovecot
  

 
 
Carl, when I put that statement in my dovecot conf I get the
  following in my log on startup.

  Sep 04 13:39:41 config: Warning: Obsolete setting in /etc/dovecot/local.conf:22: ssl_protocols has been replaced by ssl_min_protocol
  Sep 04 13:39:41 config: Error: Could not find a minimum ssl_min_protocol setting from ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2: Unrecognized protocol 'SSLv2'
 
Thanks, Gary 
 

  On 9/4/2019 1:20 PM, CarlC Internet
Services Service Desk wrote:


  

  

  For Dovecot, I use
   
  ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2
   
  Then under
  ssl_cipher_list, I have a long list of ciphers
  [and blocked ones] that start with the strongest
  and work downward from there. When I run a scan against
  IMAPS, any that are found to be compromised, I
  change the list to match. This is why I don’t list
  mine as it’s fluid based on the latest scans.
   
  $0.02,
  Carl

  

  


  

  


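The exchange above concludes that the old `ssl_protocols` list amounts to a minimum of TLSv1. As an added example (not code from the posts or from Dovecot), this derives that minimum from an old-style list and scans a config for the obsolete setting; the function names and the sample config are hypothetical, and it assumes plain names enable a protocol, `!` names disable one, and a negation-only list enables everything else.

```shell
#!/bin/sh
# Added example. Maps an old-style ssl_protocols list to the single
# ssl_min_protocol value that replaces it. Assumption: plain names are
# enabled, "!"-prefixed names are disabled, and a list made only of
# negations enables every protocol that is not negated.

# usage: min_protocol_for "TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2"
min_protocol_for() {
    enabled=""; disabled=""
    for tok in $1; do
        case "$tok" in
            \!*) disabled="$disabled ${tok#\!} " ;;
            *)   enabled="$enabled $tok " ;;
        esac
    done
    # Walk from weakest to strongest and report the first one still allowed.
    # A list with a gap (for example "TLSv1.2 TLSv1") cannot be expressed as
    # a minimum; the lowest enabled protocol is reported in that case too.
    for p in SSLv3 TLSv1 TLSv1.1 TLSv1.2; do
        case "$disabled" in *" $p "*) continue ;; esac
        if [ -z "$enabled" ]; then echo "$p"; return 0; fi
        case "$enabled" in *" $p "*) echo "$p"; return 0 ;; esac
    done
    return 1    # nothing left enabled
}

# Constructed stand-in for /etc/dovecot/local.conf.
sample_conf() {
cat <<'EOF'
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
# ssl_protocols = !SSLv3
ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2
EOF
}

# Read a Dovecot config on stdin; for every active (uncommented)
# ssl_protocols line print its line number and the replacement setting.
suggest_min_protocol() {
    grep -n '^[[:space:]]*ssl_protocols[[:space:]]*=' |
    while IFS=: read -r n rest; do
        if min=$(min_protocol_for "${rest#*=}"); then
            echo "line $n: ssl_min_protocol = $min"
        else
            echo "line $n: no protocol left enabled"
        fi
    done
}

sample_conf | suggest_min_protocol
```

After editing the real file, `doveconf -a | grep ssl_min_protocol` shows the value Dovecot will actually use.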



Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling

  
  


Yes it's a bit tricky for sure. Phones for email, which I have a
  lot of. I have a customer with a fax machine that emails faxes, so
  it has an email account configured in it. All these things run
  TLSv1 and aren't things I can dictate go away.



I also found that squirrelmail uses TLSv1 and
  ECDHE-RSA-AES256-SHA. Since it's logging in from 127.0.0.1 to
  127.0.0.1 it's not a problem. But it IS a problem for setting
  these things in the server.


At this point, I have NO ssl_cipher_list configured in dovecot,
  so it's using whatever the default is. I set it back this way
  (that's what it was when I started this exercise) because
  everything I configured caused me problems. I need to leave the
  users alone for a bit so they can get some work done :)



With it set this way, I scanned my server using https://www.immuniweb.com/ssl/


Looks like it scans both the mail protocols and the web
  protocols. The only big problem it shows is the use of TLSv1,
  which I'm not sure I can do anything about at this point. 



There are a few other things it points out that I need to look in
  to.. 

- Doesn't support TLSv1.3. Not sure I can do anything about this
  one as I would assume it requires an update to openssl.
- The server does not prefer cipher suites. Need to do some
  research on this one.
- The server does not enforce HTTP Strict Transport Security.
  FIXED by adding the following to my virtualhost.

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"



Gary


On 9/4/2019 10:01 AM, CarlC Internet
  Services Service Desk wrote:


  
  
  
  
The problem is, you have to walk a fine line with your
“customers”. If they are on an old version of Outlook on
Windows 7, it’s possible they can’t do TLS 1.2 or even 1.1…
I had a few clients like that and explained that they had to
run Windows Update to get the W7 system up to TLS 1.1/1.2.
The reason they don’t see this using web based? The browser
can have its own library of TLS. Another email client,
Thunderbird, has issues as well and you have to be careful
as to how high you make the settings [unless you can dictate
the email client to your customer base, then you can demand
a client that supports all high level TLS 1.2].
 
And, just putting it on “HIGH” will result in some breakable
ciphers being used. You really need to run a TLS/SSL scan
against your ports to see which ones you still have open or
in use to make sure you lock down the system correctly.
 
Carl
 

  
From:
    Gary Bowling [mailto:g...@gbco.us] 
Sent: Wednesday, September 04, 2019 09:19 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SSL Problem Dovecot
  

 
 
FYI. I wanted to see in the log files, what version people
  were using prior to making changes. To do that you need to add
  a %k to the login_log_format_elements line in the dovecot
  configuration. So I added this to the /etc/dovecot/local.conf
  file on my toaster.
 
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
 
After doing this, and watching the logs. I was surprised to
  find quite a few logins with TLSv1. The log file shows "TLSv1
  with cipher ECDHE-RSA-AES256-SHA (256/256 bits)"
 
So much for using HIGH:-SSLv3 in the dovecot config!
 
I'm not sure how to log the version in qmail. Or even which
  log it would be in. 
 
Which also brings up another question. When you require (as
  we all do now) verification of user/password on "send" in the
  clients. Which is an SMTP outgoing server config in most
  clients. Will that show up in the dovecot logs or in the
  qmail/smtp/send logs? I'm not sure which application does that
  verification.
 
Thanks, Gary
 

      On 9/4/2019 8:04 AM, Gary Bowling wrote:


   
  That's excellent info Andy, many thanks for that!! I'm
going to have to go back and read it about 10 times and
possibly go read the referenced material too!
   
  Questions, I think you are saying that I can put either
'HIGH:-SSLv3' in the tlsserverciphers file (and also in the
dovecot.conf 

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling

  
  


Thanks for that Carl. I will try that in my dovecot. 



An interesting note.. The default dovecot ciphers are
ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH


When I did a 

openssl ciphers 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH' > /var/qmail/control/tlsserverciphers


I could then no longer send to the qmailtoaster list!!   haha...



Gary

On 9/4/2019 1:20 PM, CarlC Internet
  Services Service Desk wrote:


  
  
  
  

  

  
For Dovecot, I use
 
ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2
 
Then under
ssl_cipher_list, I have a long list of ciphers [and
blocked ones] that start with the strongest and work
downward from there. When I run a scan against
IMAPS, any that are found to be compromised, I
change the list to match. This is why I don’t list
mine as it’s fluid based on the latest scans.
 
$0.02,
Carl
  

  

  

  


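Expanding a cipher string with `openssl ciphers` and redirecting it into a control file, as in the message above, leaves a long colon-separated list that is hard to review by eye. As an added example (not from the thread or from either project), this flags entries in such a list that fall into classes the Dovecot default string quoted above excludes; the classification is a name-based heuristic, the sample list is constructed from cipher names that appear in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Name-based audit of an expanded, colon-separated cipher list.
# This is a heuristic on OpenSSL cipher names; the Kx/Au columns printed by
# `openssl ciphers -v` are the authoritative source for each cipher.

# awk helper shared by both commands; returns "" when no check fires.
CIPHER_CLASS_AWK='
function cipher_class(c) {
    if (c ~ /^(ADH|AECDH)-/)  return "aNULL"    # anonymous, no authentication
    if (c ~ /^PSK-|-PSK-/)    return "PSK"
    if (c ~ /-DSS-/)          return "DSS"
    if (c ~ /^EXP-/)          return "EXPORT"
    if (c ~ /RC4/)            return "RC4"
    if (c ~ /DES-CBC3/)       return "3DES"
    if (c ~ /MD5$/)           return "MD5"
    # No key-exchange prefix in the name means static RSA key exchange.
    if (c !~ /^((ECDHE|DHE|EDH|ECDH|DH|KRB5|SRP)-|TLS_)/) return "kRSA"
    return ""
}'

# Constructed sample: a short subset in the same format as a control file.
sample_list() {
    printf '%s\n' 'DHE-RSA-SEED-SHA:ADH-SEED-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:AECDH-AES256-SHA:AES256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256'
}

# stdin: cipher list; stdout: one "CLASS cipher" line per flagged entry.
audit_ciphers() {
    tr ':' '\n' | awk "$CIPHER_CLASS_AWK"'
    NF { k = cipher_class($1); if (k != "") print k, $1 }'
}

# stdin: cipher list; stdout: the entries that passed, re-joined with ":".
# Passing these name checks is not a verdict; a scan is still needed.
kept_ciphers() {
    tr ':' '\n' | awk "$CIPHER_CLASS_AWK"'
    NF && cipher_class($1) == "" { out = out (out == "" ? "" : ":") $1 }
    END { print out }'
}

sample_list | audit_ciphers
sample_list | kept_ciphers
```

On a real system the input would be the control file itself, for example `audit_ciphers < /var/qmail/control/tlsserverciphers`.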



Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling

  
  


FYI. I wanted to see in the log files, what version people were
  using prior to making changes. To do that you need to add a %k to
  the login_log_format_elements line in the dovecot configuration.
  So I added this to the /etc/dovecot/local.conf file on my toaster.



login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k



After doing this, and watching the logs. I was surprised to find
  quite a few logins with TLSv1. The log file shows "TLSv1 with
  cipher ECDHE-RSA-AES256-SHA (256/256 bits)"



So much for using HIGH:-SSLv3 in the dovecot config!



I'm not sure how to log the version in qmail. Or even which log
  it would be in. 



Which also brings up another question. When you require (as we
  all do now) verification of user/password on "send" in the
  clients. Which is an SMTP outgoing server config in most clients.
  Will that show up in the dovecot logs or in the qmail/smtp/send
  logs? I'm not sure which application does that verification.



Thanks, Gary



    On 9/4/2019 8:04 AM, Gary Bowling
  wrote:


  
  
  
  That's excellent info Andy, many thanks for that!! I'm going to
have to go back and read it about 10 times and possibly go read
the referenced material too!
  
  
  Questions, I think you are saying that I can put either
'HIGH:-SSLv3' in the tlsserverciphers file (and also in the
dovecot.conf file) or I can do openssl ciphers -v 'HIGH:-SSLv3'
> tlsserverciphers to put the full individual ciphers in the
list?
  
  
  Can I also put the full individual ciphers in the dovecot.conf?
I probably wouldn't, but just curious. 
  
  
  
  I understand the info about the client/server negotiation. But
then you talk about other servers, I suppose the server to
server delivery over smtp. In that scenario, does the sending
server send the list of ciphers and the receiving server match
that to what it has and pick the first overlapping cipher to
use?
  
  
  In the case of dovecot, if you specify a cipher list and also a
min protocol, I'm assuming it won't use a cipher for something
lower than the specified protocol, even if it's in the list?
Maybe it doesn't offer up a cipher that doesn't meet the min
protocol spec?
  
  
  For my server, I'm not sure I care whether I receive mail from
a Centos 5 server. I realize many here are still using them, but
it's been out of support for a while so it should be either
patched or upgraded. I guess bottom line is I need to try
something like the following:
  
  
  tlsservercipher contains 'ECDHE:DHE:-SSLv3'   (without the
quotes?)
  toaster.conf (in the /etc/dovecot/ dir) contains
  ssl_cipher_list = ECDHE:DHE:-SSLv3
  ssl_min_protocol = TLSv1.2
  
  
  Then I need to watch logs to see if I have problems. I'm
guessing problems would show up in both the dovecot.log and the
/var/log/qmail/smtp or /var/log/qmail/send logs.
  
  
  
  Thanks, Gary
  
  
  
  
  On 9/4/2019 1:46 AM, Andrew Swartz
wrote:
  
  Some background: 

During the TLS negotiation, the client gives the server a list
of ciphers which it supports, then from that list the server
chooses which one to use. 

The server's cipher list is a list, in order of preference, of
the ciphers it will use (from the client's list).  If there is
no overlap between what the client offers and what the server
requires, then the connection fails. 

The server does not use the cipher list itself, but rather just
passes the list to openssl when it requests establishment of the
TLS connection.  Therefore essentially all servers/clients use
the same format cipherlist. 

The next thing to know is that the list can specify individual
ciphers or macros like "TLSv1.2".  Most people do not specify
individual ciphers but rather just use the macros. 

There is no right or wrong for a cipher list, as the most
appropriate list is the one which best meets your security
requirements. 

The cipherlist "builds" a list of ciphers: 

'ALL' adds all of the ciphers (including those with no
encryption). 

'ALL:-SSLv2' adds all the ciphers and then removes all of the
SSLv2 ciphers. 

A reasonable cipherlist is: 
'HIGH:-SSLv3' 

If you want "p
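Once `%k` is in `login_log_format_elements` as described in the message above, the log can be summarised to see which accounts would stop working if the minimum protocol were raised. This is an added example, not part of the original posts: the log lines are constructed (only the `TLSv1 with cipher ...` text follows what the post quotes) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Summarises the %k field ("TLSv1 with cipher ...") in Dovecot
# login lines. Every user, address and pid below is constructed sample data.

sample_log() {
cat <<'EOF'
Sep 04 09:01:12 imap-login: Info: Login: user=<fax@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4101, TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 04 09:01:40 imap-login: Info: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.21, lip=192.0.2.10, mpid=4102, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 04 09:02:03 pop3-login: Info: Login: user=<fax@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4107, TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 04 09:02:30 imap-login: Info: Login: user=<webmail@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4110, TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 04 09:03:00 imap-login: Info: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.40, lip=192.0.2.10, mpid=4115, TLS, TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 04 09:03:05 imap-login: Info: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.99, lip=192.0.2.10
EOF
}

# stdin: log; stdout: "COUNT PROTOCOL CIPHER", most common pair first.
tls_summary() {
    awk '
    / Login: / && match($0, /(SSLv3|TLSv1(\.[0-9])?) with cipher [^ ]+/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        count[f[1] " " f[4]]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2
}

# usage: clients_below TLSv1.2 < logfile
# Prints unique "USER REMOTE-IP PROTOCOL" for logins that negotiated less
# than the given protocol. Loopback logins (local webmail) are listed too,
# because a higher minimum on the server would break them as well.
clients_below() {
    case "$1" in
        TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) ;;
        *) echo "usage: clients_below TLSv1|TLSv1.1|TLSv1.2|TLSv1.3" >&2
           return 2 ;;
    esac
    awk -v min="$1" '
    function rank(p) {
        if (p == "SSLv3")   return 0
        if (p == "TLSv1")   return 1
        if (p == "TLSv1.1") return 2
        if (p == "TLSv1.2") return 3
        return 4                                    # TLSv1.3
    }
    / Login: / && match($0, /(SSLv3|TLSv1(\.[0-9])?) with cipher/) {
        proto = substr($0, RSTART, RLENGTH - 12)    # drop " with cipher"
        if (rank(proto) >= rank(min)) next
        user = "?"; rip = "?"
        if (match($0, /user=<[^>]*>/)) user = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /rip=[^, ]+/))   rip  = substr($0, RSTART + 4, RLENGTH - 4)
        seen[user " " rip " " proto] = 1
    }
    END { for (k in seen) print k }' | sort
}

sample_log | tls_summary
sample_log | clients_below TLSv1.2
```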

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling
y
  servers (like dovecot) have a separate setting for "TLS
  cipherlist" and "TLS protocol".  The protocol is the algorithm for
  establishing the connection, and it is independent of the
  ciphers.  You should avoid the SSLv3 or TLSv1 protocols, as
  these protocols have been found to have weaknesses in how they
  negotiate the connection (completely unrelated to the strength of
  the ciphers).
  
  
  This manpage is a good explanation of all the macros and has
  examples at the end:
  
  https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
  
  
  People with older versions of openssl (i.e. Centos 5) cannot do
  TLSv1.2 and will have no choice but to use ciphers/protocols with
  known weaknesses, and then hope that the other servers do not try
  to force a certain level of cipher/protocol.  That is not supposed
  to happen (per smtp/STARTTLS protocol), but I know for a fact that
  it does:  I finally decided to upgrade from centos-5 because an
  important mail server started refusing to receive mail from mine,
  with a complaint about not accepting the SSLv3 ciphers.  I think
  it was Outlook Server, but I'm not sure.
  
  
  Hope this helps.
  
  
  -Andy
  
  
  PS: Someone running the old version of openssl will need to put
  '-SSLv2' at the end of the cipherlist, whereas the newer version
  no longer supports it so it doesn't require removing it.  And NO
  ONE should be using the SSLv2 protocol, as hacking it is trivial.
  
  
  
  
  
  
  
  
  On 9/3/2019 1:22 PM, CarlC Internet Services Service Desk wrote:
  
  Actually, doing the openssl ciphers >
/var/qmail/control/tlsservercipher is a starting point.


After I did that, I then ran my server through some tests. I
happen to use OpenVAS [which tool you want to use to find
insecure SSL connections is up to you]. It was able to tell me
which ciphers to disable and why. Whichever product you use to
test the SSL should be one that’s up to date [or can be brought
up to date]. For example, I run the tests against my email
server every week [for example, I test against port 25, 465 and
587]. In my case, I also use OpenVAS to test the HTTPS side as
well.


If you’re using dovecot, you will want to also put the
ssl_cipher_list in /etc/dovecot/dovecot.conf as well as the
ssl_protocols list. This protects your IMAPS and POP3S
protocols. Again, OpenVAS is set to run against those protocols
    as well.


Carl


*From:*Gary Bowling [mailto:g...@gbco.us]

*Sent:* Tuesday, September 03, 2019 03:35 PM

*To:* qmailtoaster-list@qmailtoaster.com

*Subject:* Re: [qmailtoaster] SSL Problem Dovecot


Thanks for that Carl. I'm running
openssl-1.0.2k-16.el7_6.1.x86_64


Pretty much everything about my server is continuously updated
stock Centos 7. Currently at CentOS Linux release 7.6.1810
(Core)


I do have epel installed, which updates some things and the qmt
repo. That's it, and I'm a stickler for NOT installing anything
that isn't done through yum and those repos. I've done this long
enough to know that it's much easier to maintain, migrate to a
new server, etc. if you're running everything in a managed way.
So installing the repos and doing yum installs is pretty much
the only way anything ever changes on my server, sans config
files.


Would be very interested in knowing not only the proper
tlsservercipher file for this type of server, but also how to
create/recreate it if it's a command done from openssl. Looks
like you can create it with the command.


openssl ciphers > /var/qmail/control/tlsservercipher


But what I'm reading is that your advice is to NOT do that due
to security concerns. So what would you recommend?


Thanks, Gary


On 9/3/2019 3:28 PM, CarlC Internet Services Service Desk wrote:


    Your real problem is that this file is different based on which
    CentOS you’re on [or should I say, which openssl is loaded]. If you
    have CentOS 7, with openssl 1.0.2k, you can tune this file to
    include each cipher you want [the file can actually be 10+ lines
    long wrapped]. This is so you can remove all the “hacked” ciphers,
    especially to fo

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling
ssl_protocols list. This protects your IMAPS and POP3S
  protocols. Again, OpenVAS is set to run against those
  protocols as well. 
  
  Carl 
  
  *From:*Gary Bowling [mailto:g...@gbco.us]
  
  *Sent:* Tuesday, September 03, 2019 03:35 PM 
  *To:* qmailtoaster-list@qmailtoaster.com
  
  *Subject:* Re: [qmailtoaster] SSL Problem Dovecot 
  
  Thanks for that Carl. I'm running
  openssl-1.0.2k-16.el7_6.1.x86_64 
  
  Pretty much everything about my server is continuously updated
  stock Centos 7. Currently at CentOS Linux release 7.6.1810
  (Core) 
  
  I do have epel installed, which updates some things and the
  qmt repo. That's it, and I'm a stickler for NOT installing
  anything that isn't done through yum and those repos. I've
  done this long enough to know that it's much easier to
  maintain, migrate to a new server, etc. if you're running
  everything in a managed way. So installing the repos and doing
  yum installs is pretty much the only way anything ever changes
  on my server, sans config files. 
  
  Would be very interested in knowing not only the proper
  tlsservercipher file for this type of server, but also how to
  create/recreate it if it's a command done from openssl. Looks
  like you can create it with the command. 
  
  openssl ciphers > /var/qmail/control/tlsservercipher 
  
  But what I'm reading is that your advice is to NOT do that due
  to security concerns. So what would you recommend? 
  
  Thanks, Gary 
  
  On 9/3/2019 3:28 PM, CarlC Internet Services Service Desk
  wrote: 
  
      Your real problem is that this file is different based on which
      CentOS you’re on [or should I say, which openssl is loaded]. If you
      have CentOS 7, with openssl 1.0.2k, you can tune this file to
      include each cipher you want [the file can actually be 10+ lines
      long wrapped]. This is so you can remove all the “hacked” ciphers,
      especially to force your clients’ security to remain high. If you’re
      running openssl 0.9.x, you don’t get the newer TLS ciphers you need
      to be secure.
  
      Using the default is way too low, and if you do, you will where
      someone gets hacked over a ‘free’ WiFi connection [because you had
      SSL 3.0/TLS 1.0 on].
  
      Carl 
  
      *From:*Gary Bowling [mailto:g...@gbco.us]
  
      *Sent:* Tuesday, September 03, 2019 02:58 PM 
      *To:* qmailtoaster-list@qmailtoaster.com
  
      
  
      *Subject:* Re: [qmailtoaster] SSL Problem Dovecot 
  
      So this may be an issue of the tlsserverciphers file. Sometimes
      it's interesting not knowing what you're doing! haha
  
      I guess the question I have is.. What is the proper tlsserverciphers
      for a qmailtoaster with a letsencrypt certificate. If that even
      makes sense.
  
      And what is the proper way to actually do it. I've read multiple
      things on various forums, including here.
  
      One says to do:
  
      echo "!EDH:!DHE:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL" > /var/qmail/control/tlsserverciphers
  
      One says to do:
  
      openssl ciphers 'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES' > /var/qmail/control/tlsserverciphers
  
      yet another says to create a sym link to the servercert.pem file.
  
      ln -sf /var/qmail/control/servercert.pem /var/qmail/control/tlsserverciphers
  
      I guess it has to do with how tight you want security to be and
      maybe tlsserverciphers can contain various forms of how to define
      that. Just looking for what "most" people would use for an up to
      date Centos 7 server.
  
      Thanks, Gary 
  
      On 9/3/2019 11:04 AM, Gary Bowling wrote: 
  
      I had to get a new cert for my server, which I installed
      yesterday. Now I'm having problems with certain clients logging
      in. I get the following error in the dove

Re: [qmailtoaster] Qmail Toaster Repos Timing Out

2019-09-09 Thread Gary Bowling

  
  


That's what I have with the exception of testing being "enabled =
  0"


Gary 



On 9/9/2019 5:08 AM, Philip wrote:


  
  I was wondering what is actually the "official" yum repo file ?
  I am using this :
  [qmt-current]
# Qmailtoaster current repository
name=QMT Current Repository
mirrorlist=https://www.qmailtoaster.org/qmt-mirrorlist-current
#mirrorlist=https://raw.githubusercontent.com/qmtoaster/mirrorlist/master/qmt-mirrorlist-current
#mirrorlist=file:///etc/yum.repos.d/qmt-mirrorlist-current
#baseurl=ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/$releasever/current/$basearch/
enabled=1
gpgcheck=0
priority=7
[qmt-testing]
# Qmailtoaster testing repository
name=QMT Testing Repository
mirrorlist=https://www.qmailtoaster.org/qmt-mirrorlist-testing
#mirrorlist=https://raw.githubusercontent.com/qmtoaster/mirrorlist/master/qmt-mirrorlist-testing
##mirrorlist=file:///etc/yum.repos.d/qmt-mirrorlist-testing
#baseurl=ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/$releasever/testing/$basearch/
#baseurl=ftp://ftp.whitehorsetc.com/pub/repo/qmt/CentOS/7/testing/x86_64/
enabled=1
gpgcheck=0
priority=7
[qmt-devel]
# Qmailtoaster development repository
name=QMT Development Repository
mirrorlist=https://www.qmailtoaster.org/qmt-mirrorlist-development
#mirrorlist=https://raw.githubusercontent.com/qmtoaster/mirrorlist/master/qmt-mirrorlist-development
#mirrorlist=file:///etc/yum.repos.d/qmt-mirrorlist-development
#baseurl=ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/$releasever/development/$basearch/
enabled=0
gpgcheck=0
priority=7
  
  
  
  qtp.qmailtoatser.COM is timing out very often
  .ORG is fine
  
  
  On 9/8/19 8:55 PM, Eric Broch wrote:
  
  

qtp is not a repo under the current structure. I'd like to
  know the file in /etc/yum.repos.d that contains
  qtp.qmailtoaster.com. If you find it delete it and rerun yum.



the link (http://qtp.qmailtoaster.com/repos/nodist/repodata/repomd.xml)
  is found in

On 9/8/2019 8:37 AM, Roxanne
  Sandesara wrote:


  
  Yes.
  
  
  
http://qtp.qmailtoaster.com/repos/nodist/repodata/repomd.xml:
  [Errno 12] Timeout on http://qtp.qmailtoaster.com/repos/nodist/repodata/repomd.xml:
  (28, 'Connection timed out after 30001 milliseconds')



  On Sep 7, 2019, at 7:58 AM, Eric Broch 
wrote:
  
  


  Is the script still failing?
  
  On 9/7/2019 4:58 AM,
Roxanne Sandesara wrote:
  
  

Script started on Sat 07 Sep 2019 06:52:56 AM EDT
[roxie@mail ~]$ ping ftp.whitehorsetc.com
PING whitehorsetc.com (66.62.95.221) 56(84) bytes of data.
64 bytes from mail.whitehorsetc.com (66.62.95.221): icmp_seq=1 ttl=53 time=124 ms
64 bytes from mail.whitehorsetc.com (66.62.95.221): icmp_seq=2 ttl=53 time=91.3 ms
64 bytes from mail.whitehorsetc.com (66.62.95.221): icmp_seq=3 ttl=53 time=87.0 ms
64 bytes from mail.whitehorsetc.com (66.62.95.221): icmp_seq=4 ttl=53 time=88.8 ms
64 bytes from mail.whitehorsetc.com (66.62.95.221): icmp_seq=5 ttl=53 time=86.7 ms
^C
--- whitehorsetc.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 5634ms
rtt min/avg/max/mdev = 86.753/95.590/124.034/14.318 ms




[roxie@mail ~]$ ping qmt-server.carlc.com


PING 

Re: [qmailtoaster] Qmail Toaster Repos Timing Out

2019-09-09 Thread Gary Bowling

  
  


Agreed. Checked my old backups, I've not had qtp Listed
  anywhere in any of the repo files in years. And have had no
  problem with yum updates.


Gary


On 9/9/2019 8:23 AM, Eric Broch wrote:

There is a web page pointed to by qtp.qmailtoaster.com, however, the DNS
  server has gone down in the past 2 months and had to be rebuilt.
  That record may have been missed.
  
  
  It should not affect the repositories, though.
  
  
  On 9/9/2019 6:05 AM, Eric Broch wrote:
  
  There is not a repo being pointed to by
the fqdn qtp.qmailtoaster.com.


I don't know how often I have to say this.


If you're getting a timeout with yum for the above fqdn either
something has been added to your repository file or you're
working off an old file left over from CentOS 5/6.



On 9/9/2019 5:52 AM, Eric Broch wrote:


  
  qtp.qmailtoatser.COM is timing out very often
  
  
  .ORG is fine
  
  




  
  
  
  
  

  





[qmailtoaster] DKIM and SPF configurations

2019-09-27 Thread Gary Bowling

  
  


The recent questions about setting up DKIM prompted me to review
  my setup and see if I needed to tighten things up a bit. ALL of my
  config surrounding these things is very old, so what are the best
  practices in 2019?



On the receiving side of things, my server has spfbehavior set to
  2 and I believe the default is 3. I seem to recall many years ago
  having problems rejecting email, that I didn't want rejected, with
  it set to 3. But that's been so long ago, it's not worth
  considering. Do most of you have it set to 3? And have you had any
  problems with that if you do?


For DKIM receiving, I'm doing that in spamassassin/spamd. But it
  appears that spamassassin just assigns a score if there is a
  DKIM_INVALID situation and that score seems to be pretty low. Is
  this really the right way to handle receiving messages where DKIM
  is concerned? I'm sure there is a way to increase the DKIM_INVALID
  score, but not sure of the ramifications of that. Do any of you
  change those settings? Or do DKIM checking somewhere else for
  improvements?



On the outbound side of things. 

For my DNS, I have SPF records that have been there for years,
  that affects other domains receiving mail from my server. So not
  sure how much good it does, but it's there.



I do not have DKIM set up. Many years ago it seemed pretty
  useless from what I read, so I didn't bother with it. From what I
  understand, if the receiving end doesn't check for DKIM, then it
  does nothing. Or like in my server's case, it just adds a tiny bit
  of score to spamassassin, so minimal help. But maybe enough are
  doing something more robust now for it to be useful. Maybe I
  should implement this now?



What are everyone's thoughts on all this in 2019? Should I be
  doing stricter checking of spf? Does DKIM actually provide a
  useful service? And are there better ways to handle DKIM checking?


All discussion and help is greatly appreciated!


Thanks Gary 

-- 
  
  Gary Bowling
  The Moderns on Spotify
  

  





Re: [qmailtoaster] letsencrypt cert renewal commands

2019-12-06 Thread Gary Bowling

  
  


If you've installed certbot from the repository, you don't need a
  cron job. Just enable the certbot timer with:


systemctl enable certbot-renew.timer


Gary


On 12/6/2019 12:22 AM,
  ChandranManikandan wrote:


  
  Hi Eric,


My path is:   /usr/bin/certbot


Then I have made in crontab like below. Let's see for the
  renewal time.


0 0 * * * /usr/bin/certbot renew 



  
  
  
On Tue, Dec 3, 2019 at 9:53 PM
  Eric Broch 
  wrote:


  
# whereis certbot

On 12/3/2019 1:03 AM, ChandranManikandan wrote:


  Hi Friends,


I have installed letsencrypt on COS7 and I try to
  make a cron job as per the steps below, but the cert
  renew and certbot folder are not there in /opt.


0 0 * * * /root /opt/certbot renew


Is there any other way, or did I make a
  mistake?
Anyone had the same problem?
  
  
  -- 
  

  Regards,
  Manikandan.C


  

  

  

  
  
  
  
  -- 
  

  Regards,
  Manikandan.C


  

  





Re: [qmailtoaster] One domain email is not working from virtual host

2019-09-25 Thread Gary Bowling

  
  


Have you also made sure the box is listening on the ports in
  question? 



Do this command:

netstat -an | egrep '0.0.0.0:25|0.0.0.0:80|0.0.0.0:110|0.0.0.0:143'


You should get this in return if the services are running
  correctly. 

tcp    0  0 0.0.0.0:110   0.0.0.0:*   LISTEN
tcp    0  0 0.0.0.0:143   0.0.0.0:*   LISTEN
tcp    0  0 0.0.0.0:80    0.0.0.0:*   LISTEN
tcp    0  0 0.0.0.0:25    0.0.0.0:*   LISTEN





On 9/25/2019 8:49 AM, Eric Broch wrote:


  
  I'd do a tailored tcpdump on the non-working interface while
you tried to connect to see if packets are even getting to the
host.
  
  On 9/25/2019 4:28 AM,
ChandranManikandan wrote:
  
  

Hi Tony,
  
  
  These ip's are pinging and hosting the same server with
configure multiple network.
  These are working earlier well but suddenly is not
working this domain reliancehrconsulting.com
  i have stopped iptables also but no luck to respond the
143 and 25 ports and port 80 for this domain only.
  
  



  On Wed, Sep 25, 2019 at 5:56
PM Tony White  wrote:
  
  Hi,

pan-asia.in is 49.128.39.115

reliancehrconsulting.com 49.128.39.123


best wishes
   Tony White

On 25/9/19 7:03 pm, ChandranManikandan wrote:

> Hi Eric,
>
> The working domain is pan-asia.in and command is telnet domain.com 143 and
> telnet domain.com  25.
> Both the domains are fqdn
> Working domain pan-asia.in
> non working domain reliancehrconsulting.com
>
>
> On Wed, Sep 25, 2019 at 4:12 PM Eric Broch wrote:
>
>     What commands are you using to telnet to the working and non-working domains, the fqdn? If you are using the fqdn has
>     the domain expired?
>
>     On 9/25/2019 12:44 AM, ChandranManikandan wrote:
>>     Hi Friends,
>>
>>     I have running centos 6.7 with 64 bit with multiple domains using qmailtoaster.
>>     all the domains configured web and email with letsencrypt certificate.
>>     One domain is not working suddenly web and email.
>>     I have tried to ping and able to get the ip address result.
>>     and also tried using telnet 143 and 25 port is not connecting, but the same ports are connected for other domain
>>     which was running the same machine.
>>     I have tried iptables stop but no luck.
>>     could anyone assist me to troubleshoot.
>>     Advance Appreciate your help
>>
>>     -- 
>>     */Regards,
>>     Manikandan.C
>>     /*
>
>
>
> -- 
> */Regards,
> Manikandan.C
> /*



  




-- 

  
Regards,
Manikandan.C
  
  

  

  





Re: [qmailtoaster] QMail Admin

2020-05-04 Thread Gary Bowling

  
  


Nice, interested to learn if this might eventually be added to
  the repo for general use or if we will have to download and custom
  build?


thanks



On 5/4/2020 8:50 AM, Roberto
  Puzzanghera wrote:

Hi all,
  
  during coronavirus spare time I've found the time to improve a bit
  qmailadmin with a new responsive skin and also with the cracklib
  patch, which checks the pwd strength.
  
  
  If useful feel free to download. Have a look here
  https://notes.sagredo.eu/en/qmail-notes-185/qmailadmin-23.html
  
  
  regards
  

  





Re: [qmailtoaster] letsencrypt certificate issue

2020-04-29 Thread Gary Bowling

  
  


You need to create the right cert for the toaster from the
  renewed cert from letsencrypt. 



Something like this:


  cat /etc/letsencrypt/live/mail.yourdomain.com/{cert,chain,fullchain,privkey}.pem > /var/qmail/control/servercert.pem

  chown vpopmail:qmail /var/qmail/control/servercert.pem
  chmod 640 /var/qmail/control/servercert.pem







On 4/29/2020 7:01 AM, David Bray wrote:


  
  I make up a composite certificate and
include lets-encrypt-x3-cross-signed.pem.txt


https://letsencrypt.org/certificates/
  
  
  I'm not sure if I still need to, but I must have at some
stage
  

  

  David Bray
  0418 745334
2 ∞ & <

  


  

  
  
  
On Wed, 29 Apr 2020 at 19:38,
  ChandranManikandan  wrote:


  Hi Friends,


It was working well before after getting the renewal
  date only the issue is happened.
Anyone having the same issue?
Appreciate your help.
  
  
  
On Wed, Apr 29, 2020 at
  4:52 PM ChandranManikandan  wrote:


  Hi Remo,


FYI
ssl_cert = panasiagroup.net/fullchain.pem
  ssl_key = panasiagroup.net/privkey.pem
  # the following will likely be the default at some point
  ssl_dh_parameters_length = 2048



  
  
  
On Wed, Apr 29, 2020
  at 11:48 AM Remo Mattei 
  wrote:


  You need to check the /etc/dovecot/toaster.conf
file that’s where the cert for outlook and thunder
lives. 


Remo 
  

  On Apr 28, 2020, at 20:38,
ChandranManikandan 
wrote:
  
  
Hi Friends,
  
  
  certbot renew command showing below message
  Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xxx.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/xxx.com/fullchain.pem expires on 2020-06-27 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - 
  
  


But outlook, thunderbird showing
  the certificate issue and certificate
  expire date is showing 28-Apr-2020 in
  thunderbird,
I have checked in website in the
  same certificate expiry date is
  showing 27-06-2020.


Did I make a mistake anywhere?
How do I check and fix the above
  issue?
Could anyone help me?
Appreciate your help.
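
The reply at the top of this message rebuilds /var/qmail/control/servercert.pem from the renewed Let's Encrypt files. The script below is an added example, not code from the list: it checks whether a combined file still starts with an older certificate than the one in the live directory, and rebuilds it with the file order, owner and mode posted above, writing to a private temporary file first so the key is never readable by others. The function names and the optional owner argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the owner argument
# are assumptions; file order, owner and mode follow the commands posted above.

# Print the first PEM certificate block of a file.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         on && /-----END CERTIFICATE-----/ { exit }' "$1"
}

# is_current LIVE_DIR COMBINED
# 0 if COMBINED starts with the current leaf certificate from LIVE_DIR,
# 1 if it is missing, unreadable, or still holds an older certificate.
is_current() {
    [ -r "$2" ] || return 1
    want=$(first_cert "$1/cert.pem" 2>/dev/null) || return 1
    have=$(first_cert "$2")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# rebuild_servercert LIVE_DIR COMBINED [OWNER]
# OWNER defaults to vpopmail:qmail; pass "" to skip chown (e.g. when not root).
rebuild_servercert() {
    live_dir=$1; combined=$2; owner=${3-vpopmail:qmail}
    for part in cert chain fullchain privkey; do
        [ -r "$live_dir/$part.pem" ] || { echo "missing $live_dir/$part.pem" >&2; return 2; }
    done
    # mktemp creates the file with mode 0600, next to the target so that the
    # final mv is a rename on the same filesystem and readers never see a
    # half-written file.
    tmp=$(mktemp "$combined.XXXXXX") || return 2
    if cat "$live_dir/cert.pem" "$live_dir/chain.pem" \
           "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       chmod 640 "$tmp" &&
       mv -f "$tmp" "$combined"
    then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Constructed sample: PEM-shaped placeholder files in a temporary directory
# (not real certificates or keys). Prints "<before> <after> <mode>".
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/live" || return 2
    pem() { printf '%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----"; }
    pem CERTIFICATE "constructed-old-leaf" > "$d/servercert.pem"   # stale copy
    pem CERTIFICATE "constructed-new-leaf" > "$d/live/cert.pem"
    pem CERTIFICATE "constructed-issuer"   > "$d/live/chain.pem"
    cat "$d/live/cert.pem" "$d/live/chain.pem" > "$d/live/fullchain.pem"
    pem "PRIVATE KEY" "constructed-key"    > "$d/live/privkey.pem"
    if is_current "$d/live" "$d/servercert.pem"; then before=current; else before=stale; fi
    rebuild_servercert "$d/live" "$d/servercert.pem" "" || return 2
    if is_current "$d/live" "$d/servercert.pem"; then after=current; else after=stale; fi
    mode=$(ls -l "$d/servercert.pem" | cut -c1-10)
    rm -rf "$d"
    echo "$before $after $mode"
}
```

On a toaster the call would be `rebuild_servercert /etc/letsencrypt/live/mail.yourdomain.com /var/qmail/control/servercert.pem`, for instance from a certbot `--deploy-hook` so it runs after each successful renewal.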


 

Re: [qmailtoaster] Alternative email filtering (Eset?)

2020-10-05 Thread Gary Bowling

  
  


I don't know anything about eset. But, if I were looking for a
  paid alternative for virus, I would look at relay services. 



A relay service that provides virus scanning makes things very
  simple and once configured makes your email server administration
  the same as it is now. Your server just sends outbound mail to the
  relay and inbound traffic is routed to the relay and then
  forwarded to your server (your dns mx records point to the relay
  service).



This also makes it the relay company's responsibility to keep you
  off blacklists and to resolve any issues with blacklists.


I haven't done a search for relay companies, but I've thought
  about it. It would remove all the things that are a hassle about
  running a mail server, which is spam/viruses/blacklists/etc and
  place that responsibility on someone else.



Just my 2 cents. 



Gary



On 10/5/2020 8:39 AM, Janno Sannik
  wrote:

Has anyone
  tried/using alternative (maybe paid) service for virus scanning?
  
  
  I'm thinking of getting Eset file server or email for linux
  package. I'm really getting some viruses and Trojans going past
  clamav just to be hit on the head with eset workstation security.
  File security is around 155usd first buy and 80usd /yearly for the
  updates next year.
  
  
  So was thinking to get the file server client and run the CLI to
  play ball with qmail.
  
  
  Sample here:
https://forum.eset.com/topic/23639-is-there-any-working-cli-scanner-for-linux/
  
  
  Has anybody done that or how hard would be to add ESET to the
  pipeline? For me it does not seem too hard and I can make the
  legwork, but would rather get some input before going forward with
  it.
  
  
  
  Regards,
  
  
  Janno
  
  
  
  
  
  



Re: [qmailtoaster] Non-Secure Protocols

2020-09-22 Thread Gary Bowling

  
  


Good to know Eric. I'm about to do the same.


Gary



On 9/22/2020 11:02 AM, Eric Broch
  wrote:

I have all un-secure protocols turned off and always have.
  
  
  On 9/22/2020 8:59 AM, Gary Bowling wrote:
  
  


Question for others using the toaster.



Are you still supporting non-secure protocols? Such as pop3 on
port 110 or imap on port 143?



My concern is this. If you have non-secure protocols configured
on your phone, tablet, laptop, etc. And you travel to a hotel or
other establishment with wifi. It is a rather trivial matter for
other people on that wifi to steal your password.



If you have these protocols open, all it takes is for one user
to configure their phone/tablet/laptop to use them to get your
server easily hacked. Causing you to get on blacklists and
create all sorts of grief for you.



Due to this, I am contemplating removing these protocols from my
server, forcing all users to configure everything with secure
protocols. What is everyone else doing?



Thanks, Gary



PS - I realize there are other security issues with servers and
mail, just trying to address the wide open holes!





[qmailtoaster] Non-Secure Protocols

2020-09-22 Thread Gary Bowling

  
  


Question for others using the toaster. 



Are you still supporting non-secure protocols? Such as pop3 on
  port 110 or imap on port 143?


My concern is this. If you have non-secure protocols configured
  on your phone, tablet, laptop, etc. And you travel to a hotel or
  other establishment with wifi. It is a rather trivial matter for
  other people on that wifi to steal your password. 



If you have these protocols open, all it takes is for one user to
  configure their phone/tablet/laptop to use them to get your server
  easily hacked. Causing you to get on blacklists and create all
  sorts of grief for you. 



Due to this, I am contemplating removing these protocols from my
  server, forcing all users to configure everything with secure
  protocols. What is everyone else doing?


Thanks, Gary


PS - I realize there are other security issues with servers and
  mail, just trying to address the wide open holes!

  





Re: [qmailtoaster] DKIM Verification Question

2020-06-02 Thread Gary Bowling

  
  

  Thanks Eric. What is the config setting in local.cf to change the
  DKIM scoring? I don't find any setting in my /etc/spamassassin/
  directories that sets that score. Is the scoring for the stock
  EPEL local.cf different from what we have? I assume not since you
  said you didn't tailor any of that in QMT. 



I think that's a good move to use the stock spamassassin from
  EPEL.


As DKIM seems to be more pervasive these days, I might be tempted
  to increase the score in spamassassin if I can find the local.cf
  setting.



Thanks, Gary 



On 6/2/2020 11:56 AM, Eric Broch wrote:


  
  Hi Gary,
  My intent, which I articulated in another email on the list and
instead of reinventing the wheel, was exactly as you deduced in
your email, that is, to allow spamassassin to score DKIM which
it does; however, I have not done anything as far as a tailoring
configuration for QMT and was content to allow users that
scoring decision. My goal is to drop the specially created QMT
spamassassin (and clamav) rpm, which I've done in CentOS 8, and
use the stock rpm from EPEL.
  I think you can override default scoring for DKIM in
/etc/spamassassin/local.cf on COS7 and
/etc/mail/spamassassin/local.cf on COS8.
  Eric
  
  On 6/2/2020 8:09 AM, Gary Bowling
wrote:
  
  

What is everyone doing these days for DKIM verification, i.e.
  checking incoming mail for DKIM signatures?


Background
Many years ago, when DKIM was first introduced to the toaster
  (maybe it was even in the Shupp's toaster days), I installed
  and turned on incoming DKIM verification. Initially I set it
  to "reject" unsigned email and of course that was a disaster
  as it blocked most everything.


Back then, the choice was to have it verify emails, but not
  block them, or remove verification. I made the decision that
  checking without doing anything was a waste of resources, so I
  removed any DKIM verification. I don't remember how I did all
  this, as it was years ago.


Then at some point DKIM verification was added to
  spamassassin, or maybe it was always there but we didn't
  implement the plugin. At any rate, spamassassin DKIM
  verification was added to the toaster.


Which seems like a good thing as spamassassin can assign a
  score to DKIM verification which plays into whether a msg is
  marked as spam or not. The problem with it though, is the
  score for NOT being verified is very low, something like .01,
  which essentially does nothing. I can't find any "user" added
  parameter that would increase that score and don't really know
  if that's a good thing to try to do. If it were a good thing,
  I would think it would be a commonly used setting, which
  doesn't appear to be the case.


What to do in 2020?
So the question is, what to do about DKIM verification in
  2020? From the way my server is configured it appears to be
  useless. But maybe that's because I don't know how to best
  configure it.


Side Note
On a side note, I do use outbound DKIM and have DNS set up,
  etc. I have no idea if this is useful or not, but I'll leave
  it, hoping that somehow this reduces my probability of being
  rejected by some server out there. But from what I can tell,
  it really does nothing. Seems to me DKIM is nothing more than
  an exercise in futility and extra work for postmasters :)



-- 
  ____
  Gary Bowling
   The Moderns on Spotify 
  




[qmailtoaster] DKIM Verification Question

2020-06-02 Thread Gary Bowling

  
  
What is everyone doing these days for DKIM verification, i.e.
  checking incoming mail for DKIM signatures?


Background
Many years ago, when DKIM was first introduced to the toaster
  (maybe it was even in the Shupp's toaster days), I installed and
  turned on incoming DKIM verification. Initially I set it to
  "reject" unsigned email and of course that was a disaster as it
  blocked most everything.


Back then, the choice was to have it verify emails, but not block
  them, or remove verification. I made the decision that checking
  without doing anything was a waste of resources, so I removed any
  DKIM verification. I don't remember how I did all this, as it was
  years ago.


Then at some point DKIM verification was added to spamassassin,
  or maybe it was always there but we didn't implement the plugin.
  At any rate, spamassassin DKIM verification was added to the
  toaster.


Which seems like a good thing as spamassassin can assign a score
  to DKIM verification which plays into whether a msg is marked as
  spam or not. The problem with it though, is the score for NOT
  being verified is very low, something like .01, which essentially
  does nothing. I can't find any "user" added parameter that would
  increase that score and don't really know if that's a good thing
  to try to do. If it were a good thing, I would think it would be a
  commonly used setting, which doesn't appear to be the case.


What to do in 2020?
So the question is, what to do about DKIM verification in 2020?
  From the way my server is configured it appears to be useless. But
  maybe that's because I don't know how to best configure it.


Side Note
On a side note, I do use outbound DKIM and have DNS set up, etc.
  I have no idea if this is useful or not, but I'll leave it, hoping
  that somehow this reduces my probability of being rejected by some
  server out there. But from what I can tell, it really does
  nothing. Seems to me DKIM is nothing more than an exercise in
  futility and extra work for postmasters :)



-- 
  ________
  Gary Bowling
  The Moderns on Spotify
  

  





[qmailtoaster] Clam AV - Epel

2020-08-10 Thread Gary Bowling

  
  


Just tried "yum updating" my server. I recall some notes back and
  forth about updating clamav since we're moving to the epel
  version. Just want to make sure I don't screw something up. 



Below is what I got when I tried to update. I think what I need
  to do is remove the old clamav, clamav-lib, clamav-filesystem and
  then install them again via epel? Or should I just do a "yum
  update --skip-broken" ?


Thanks in advance for the advice.



Error: Package: clamav-0.102.3-1.el7.x86_64 (@epel)
     Requires: clamav-lib = 0.102.3-1.el7
     Removing: clamav-lib-0.102.3-1.el7.x86_64 (@epel)
     clamav-lib = 0.102.3-1.el7
     Updated By: clamav-lib-0.102.4-1.el7.x86_64 (epel)
     clamav-lib = 0.102.4-1.el7
Error: Package: clamav-0.102.3-1.el7.x86_64 (@epel)
     Requires: clamav-filesystem = 0.102.3-1.el7
     Removing: clamav-filesystem-0.102.3-1.el7.noarch (@epel)
     clamav-filesystem = 0.102.3-1.el7
     Updated By: clamav-filesystem-0.102.4-1.el7.noarch (epel)
     clamav-filesystem = 0.102.4-1.el7
Error: clamav-filesystem conflicts with clamav-0.102.3-1.el7.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest




-- 
  ________
  Gary Bowling
  The Moderns on Spotify
  

  





Re: [qmailtoaster] Clam AV - Epel

2020-08-10 Thread Gary Bowling

  
  


Thanks Eric, that worked a charm. 



However, the update busted httpd. Turns out the httpd.conf file
  had this at the end.


Include /etc/httpd/conf/squirrelmail.conf


But that file no longer exists. Since it does exist in
  /etc/httpd/conf.d/ which gets loaded as well, I commented it out
  in the httpd.conf file. Seems to work and squirrelmail seems to be
  ok.


All is well. Thanks!



Gary





On 8/10/2020 8:05 PM, Eric Broch wrote:


  
  add --disablerepo=qmt-current 
  
  On 8/10/2020 5:57 PM, Gary Bowling
wrote:
  
  



Just tried "yum updating" my server. I recall some notes back
  and forth about updating clamav since we're moving to the epel
  version. Just want to make sure I don't screw something up. 



Below is what I got when I tried to update. I think what I
  need to do is remove the old clamav, clamav-lib,
  clamav-filesystem and then install them again via epel? Or
  should I just do a "yum update --skip-broken" ?


Thanks in advance for the advice.



Error: Package: clamav-0.102.3-1.el7.x86_64 (@epel)
     Requires: clamav-lib = 0.102.3-1.el7
     Removing: clamav-lib-0.102.3-1.el7.x86_64 (@epel)
     clamav-lib = 0.102.3-1.el7
     Updated By: clamav-lib-0.102.4-1.el7.x86_64 (epel)
     clamav-lib = 0.102.4-1.el7
Error: Package: clamav-0.102.3-1.el7.x86_64 (@epel)
     Requires: clamav-filesystem = 0.102.3-1.el7
     Removing: clamav-filesystem-0.102.3-1.el7.noarch (@epel)
     clamav-filesystem = 0.102.3-1.el7
     Updated By: clamav-filesystem-0.102.4-1.el7.noarch (epel)
     clamav-filesystem = 0.102.4-1.el7
Error: clamav-filesystem conflicts with clamav-0.102.3-1.el7.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest




-- 
  ____
  Gary Bowling
   The Moderns on Spotify 
  




Re: [qmailtoaster] Clam AV - Epel

2020-08-10 Thread Gary Bowling

  
  


No, didn't know about that. Guess I need to go back and read the
  list :)


Do I need to run it? 



Gary



On 8/10/2020 8:54 PM, Eric Broch wrote:


  
  Did you use the script I put on github?
  
  On 8/10/2020 6:26 PM, Gary Bowling
wrote:
  
  



Thanks Eric, that worked a charm. 



However, the update busted httpd. Turns out the httpd.conf
  file had this at the end.


Include /etc/httpd/conf/squirrelmail.conf


But that file no longer exists. Since it does exist in
  /etc/httpd/conf.d/ which gets loaded as well, I commented it
  out in the httpd.conf file. Seems to work and squirrelmail
  seems to be ok.


All is well. Thanks!



Gary





On 8/10/2020 8:05 PM, Eric Broch
  wrote:


  
  add --disablerepo=qmt-current 
  
  On 8/10/2020 5:57 PM, Gary
Bowling wrote:
  
  



Just tried "yum updating" my server. I recall some notes
  back and forth about updating clamav since we're moving to
  the epel version. Just want to make sure I don't screw
  something up. 



Below is what I got when I tried to update. I think what
  I need to do is remove the old clamav, clamav-lib,
  clamav-filesystem and then install them again via epel? Or
  should I just do a "yum update --skip-broken" ?


Thanks in advance for the advice.



Error: Package: clamav-0.102.3-1.el7.x86_64 (@epel)
     Requires: clamav-lib = 0.102.3-1.el7
     Removing: clamav-lib-0.102.3-1.el7.x86_64 (@epel)
     clamav-lib = 0.102.3-1.el7
     Updated By: clamav-lib-0.102.4-1.el7.x86_64 (epel)
     clamav-lib = 0.102.4-1.el7
Error: Package: clamav-0.102.3-1.el7.x86_64 (@epel)
     Requires: clamav-filesystem = 0.102.3-1.el7
     Removing: clamav-filesystem-0.102.3-1.el7.noarch (@epel)
     clamav-filesystem = 0.102.3-1.el7
     Updated By: clamav-filesystem-0.102.4-1.el7.noarch (epel)
     clamav-filesystem = 0.102.4-1.el7
Error: clamav-filesystem conflicts with clamav-0.102.3-1.el7.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest




-- 
  ____
  Gary Bowling
   The Moderns on Spotify 
  




Re: [qmailtoaster] Clam AV - Epel

2020-08-10 Thread Gary Bowling

  
  


Yes Remo, not a clamav thing. Just something that happened when I
  updated my machine. Just added it in case anyone else had the same
  problem. 



I also have now found that "mailman" was also enabled when I
  updated my machine. I started getting kicked back messages in the
  postmaster mailbox that were addressed to "mail...@mail.gbco.us"
  I've never used mailman for anything, so not sure how that got
  enabled. Was easy to take care of with a systemctl stop mailman
  and a systemctl disable mailman. 



Thanks, Gary




On 8/10/2020 8:49 PM, r...@mattei.org
  wrote:


  
  That should not depend on clamav
  
  
  Remo
  
On 10 Aug 2020, at 17:26,
  Gary Bowling wrote:
  

  
  

  
  
  
  Thanks Eric, that worked a charm. 
  
  
  
  However, the update busted httpd. Turns out the httpd.conf
file had this at the end.
  
  
  Include /etc/httpd/conf/squirrelmail.conf
  
  
  But that file no longer exists. Since it does exist in
/etc/httpd/conf.d/ which gets loaded as well, I commented it
out in the httpd.conf file. Seems to work and squirrelmail
seems to be ok.
  
  
  All is well. Thanks!
  
  
  
  Gary
  
  
  
  
  
  On 8/10/2020 8:05 PM, Eric Broch
wrote:
  
  

add --disablerepo=qmt-current 

On 8/10/2020 5:57 PM, Gary
  Bowling wrote:


  
  
  
  Just tried "yum updating" my server. I recall some
notes back and forth about updating clamav since we're
moving to the epel version. Just want to make sure I
don't screw something up. 
  
  
  
  Below is what I got when I tried to update. I think
what I need to do is remove the old clamav, clamav-lib,
clamav-filesystem and then install them again via epel?
Or should I just do a "yum update --skip-broken" ?
  
  
  Thanks in advance for the advice.
  
  
  
Error: Package: clamav-0.102.3-1.el7.x86_64 (@epel)
     Requires: clamav-lib = 0.102.3-1.el7
     Removing: clamav-lib-0.102.3-1.el7.x86_64 (@epel)
     clamav-lib = 0.102.3-1.el7
     Updated By: clamav-lib-0.102.4-1.el7.x86_64 (epel)
     clamav-lib = 0.102.4-1.el7
Error: Package: clamav-0.102.3-1.el7.x86_64 (@epel)
     Requires: clamav-filesystem = 0.102.3-1.el7
     Removing: clamav-filesystem-0.102.3-1.el7.noarch (@epel)
     clamav-filesystem = 0.102.3-1.el7
     Updated By: clamav-filesystem-0.102.4-1.el7.noarch (epel)
     clamav-filesystem = 0.102.4-1.el7
Error: clamav-filesystem conflicts with clamav-0.102.3-1.el7.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
  
  
  
  
  -- 
    ________
Gary Bowling
 The Moderns on Spotify 

  



Re: [qmailtoaster] Clam AV - Epel

2020-08-10 Thread Gary Bowling

  
  


Found the script and ran it. Appears to have cleaned up a few
  things and created the log directories/files. So thanks for that.
  



I assume that's a "one time run" thing and now it's all set to
  just yum update for the future?


Gary


On 8/10/2020 9:01 PM, Gary Bowling
  wrote:


  
  
  
  No, didn't know about that. Guess I need to go back and read
the list :)
  
  
  Do I need to run it? 
  
  
  
  Gary
  
  
  
  On 8/10/2020 8:54 PM, Eric Broch
wrote:
  
  

Did you use the script I put on github?

On 8/10/2020 6:26 PM, Gary Bowling
  wrote:


  
  
  
  Thanks Eric, that worked a charm. 
  
  
  
  However, the update busted httpd. Turns out the httpd.conf
file had this at the end.
  
  
  Include /etc/httpd/conf/squirrelmail.conf
  
  
  But that file no longer exists. Since it does exist in
/etc/httpd/conf.d/ which gets loaded as well, I commented it
out in the httpd.conf file. Seems to work and squirrelmail
seems to be ok.
  
  
  All is well. Thanks!
  
  
  
  Gary
  
  
  
  
  
  On 8/10/2020 8:05 PM, Eric Broch
wrote:
  
  

add --disablerepo=qmt-current 

On 8/10/2020 5:57 PM, Gary
      Bowling wrote:


  
  
  
  Just tried "yum updating" my server. I recall some
notes back and forth about updating clamav since we're
moving to the epel version. Just want to make sure I
don't screw something up. 
  
  
  
  Below is what I got when I tried to update. I think
what I need to do is remove the old clamav, clamav-lib,
clamav-filesystem and then install them again via epel?
Or should I just do a "yum update --skip-broken" ?
  
  
  Thanks in advance for the advice.
  
  
  
Error: Package: clamav-0.102.3-1.el7.x86_64 (@epel)
     Requires: clamav-lib = 0.102.3-1.el7
     Removing: clamav-lib-0.102.3-1.el7.x86_64 (@epel)
     clamav-lib = 0.102.3-1.el7
     Updated By: clamav-lib-0.102.4-1.el7.x86_64 (epel)
     clamav-lib = 0.102.4-1.el7
Error: Package: clamav-0.102.3-1.el7.x86_64 (@epel)
     Requires: clamav-filesystem = 0.102.3-1.el7
     Removing: clamav-filesystem-0.102.3-1.el7.noarch (@epel)
     clamav-filesystem = 0.102.3-1.el7
     Updated By: clamav-filesystem-0.102.4-1.el7.noarch (epel)
     clamav-filesystem = 0.102.4-1.el7
Error: clamav-filesystem conflicts with clamav-0.102.3-1.el7.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
  
  
  
  
  -- 
________
Gary Bowling
 The Moderns on Spotify 

  



[qmailtoaster] Freshclam error

2020-08-11 Thread Gary Bowling

  
  


Since updating clamav, I'm getting these emails.


Subject: Cron /usr/share/clamav/freshclam-sleep

ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!

But freshclam seems to be working, toaststat says everything is
  good, no problems with email, and the freshclam.log file is
  showing incremental updates/attempts.


Thanks, Gary 



-- 
  
  Gary Bowling
   The
Moderns on Spotify 
  

  





Re: [qmailtoaster] DKIM Verification Question

2020-06-03 Thread Gary Bowling

  
  


To save you some searching. Here's a page with a lot of good
  info. It's about how to do all this on postfix, so it's not a
  cookie cutter for doing it on our toaster, but good info
  nonetheless. He also uses "opendmarc" to process DMARC things, but
  spamassassin also has it built in as per my previous note. 



https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/


Gary


On 6/3/2020 11:12 AM, Eric Broch wrote:


  
  Thanks, Gary.
  I'll have a look
  
  On 6/3/2020 8:52 AM, Gary Bowling
wrote:
  
  

 

Further to this subject. I am learning that there are more
  pieces that can help us out. Spamassassin gives us a way to
  assign a spam score to messages with various DKIM results. But
  it doesn't know what the original sender wanted us to do with
  messages that have DKIM problems, therefore we just default to
  giving scores with some predetermined weighting.


There are two more tools, ADSP (Author Domain Signing
  Practices), and DMARC (Domain based Message Authentication,
  Reporting and Conformance). Which are both fancy ways of
  saying, "I want to tell other servers that messages from MY
  server should have DKIM and what to do if they don't"


For outbound mail, both ADSP and DMARC simply require you to
  set up DNS TXT records telling remote servers how to handle
  messages received from your server. If you want to use either
  of these, do a search for them and you'll find info on how to
  set up the DNS records. Without explanation of all the fields,
  here's what I put in my bind DNS.


_adsp._domainkey.mail  IN TXT    "dkim=all"

_dmarc.mail    IN   TXT   "v=DMARC1; p=quarantine; rua=mailto:postmas...@example.com; ruf=mailto:postmas...@example.com; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"



For inbound mail, we can set up spamassassin to query DNS
  records for inbound mail and score them based on info that
  others might have configured in DMARC. It requires a plugin
  called AskDNS, but that looks to already be available in our
  spamassassin and also in the EPEL version of spamassassin, so
  it should just require us to assign scores. Here's what I have
  configured in my /etc/spamassassin/local.cf



ifplugin Mail::SpamAssassin::Plugin::AskDNS
  askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
  askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
  askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

  meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
  score DMARC_REJECT 10
  meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
  score DMARC_QUAR 5
  meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
  score DMARC_NONE 0.1
endif # Mail::SpamAssassin::Plugin::AskDNS






    



On 6/2/2020 5:12 PM, Gary Bowling
  wrote:


  
  
  
  Yea, I had already looked in there, they aren't there. I
eventually found them in 
  
  
  
  /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/DKIM.pm
  
  
  Looks like the defaults are, 
  
    score DKIM_ADSP_ALL  2.5
  score DKIM_ADSP_DISCARD 25
  score DKIM_ADSP_NXDOMAIN 3

  score DKIM_ADSP_CUSTOM_LOW   1
  score DKIM_ADSP_CUSTOM_MED   3.5
  score DKIM_ADSP_CUSTOM_HIGH  8
  
  
  For right now, I'm going to adjust a few of these and also
adjust some of the SPF settings. Here's what I'm trying
right now in my /etc/spamassassin/local.cf
  
  
  
  
#Adjust scores for SPF FAIL
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_SOFTFAIL 3.0
score SPF_SOFTFAIL 3.0
 
#adjust DKIM scores
score DKIM_ADSP_ALL 3.0
score DKIM_ADSP_DISCARD  10.0
score DKIM_ADSP_NXDOMAIN 3.0

   

Re: [qmailtoaster] DKIM Verification Question

2020-06-03 Thread Gary Bowling

  
  
 

Further to this subject. I am learning that there are more pieces
  that can help us out. Spamassassin gives us a way to assign a spam
  score to messages with various DKIM results. But it doesn't know
  what the original sender wanted us to do with messages that have
  DKIM problems, therefore we just default to giving scores with
  some predetermined weighting.


There are two more tools, ADSP (Author Domain Signing Practices),
  and DMARC (Domain based Message Authentication, Reporting and
  Conformance). Which are both fancy ways of saying, "I want to tell
  other servers that messages from MY server should have DKIM and
  what to do if they don't"


For outbound mail, both ADSP and DMARC simply require you to set
  up DNS TXT records telling remote servers how to handle messages
  received from your server. If you want to use either of these, do
  a search for them and you'll find info on how to set up the DNS
  records. Without explanation of all the fields, here's what I put
  in my bind DNS.


_adsp._domainkey.mail  IN TXT    "dkim=all"

_dmarc.mail    IN   TXT   "v=DMARC1; p=quarantine; rua=mailto:postmas...@example.com; ruf=mailto:postmas...@example.com; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"



For inbound mail, we can set up spamassassin to query DNS records
  for inbound mail and score them based on info that others might
  have configured in DMARC. It requires a plugin called AskDNS, but
  that looks to already be available in our spamassassin and also in
  the EPEL version of spamassassin, so it should just require us to
  assign scores. Here's what I have configured in my
  /etc/spamassassin/local.cf



ifplugin Mail::SpamAssassin::Plugin::AskDNS
  askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
  askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
  askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

  meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
  score DMARC_REJECT 10
  meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
  score DMARC_QUAR 5
  meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
  score DMARC_NONE 0.1
endif # Mail::SpamAssassin::Plugin::AskDNS




    
    
    



On 6/2/2020 5:12 PM, Gary Bowling
  wrote:


  
  
  
  Yea, I had already looked in there, they aren't there. I
eventually found them in 
  
  
  
  /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/DKIM.pm
  
  
  Looks like the defaults are, 
  
    score DKIM_ADSP_ALL  2.5
  score DKIM_ADSP_DISCARD 25
  score DKIM_ADSP_NXDOMAIN 3

  score DKIM_ADSP_CUSTOM_LOW   1
  score DKIM_ADSP_CUSTOM_MED   3.5
  score DKIM_ADSP_CUSTOM_HIGH  8
  
  
  For right now, I'm going to adjust a few of these and also
adjust some of the SPF settings. Here's what I'm trying right
now in my /etc/spamassassin/local.cf
  
  
  
  
#Adjust scores for SPF FAIL
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_SOFTFAIL 3.0
score SPF_SOFTFAIL 3.0
 
#adjust DKIM scores
score DKIM_ADSP_ALL 3.0
score DKIM_ADSP_DISCARD  10.0
score DKIM_ADSP_NXDOMAIN 3.0

  

  
Thanks,
Gary
  
  
  
  
  
  
  On 6/2/2020 12:29 PM, Eric Broch
wrote:
  
  

Gary,
The stock scores for spamassassin are in
  /usr/share/spamassassin/*.cf. 

# grep DKIM /usr/share/spamassassin/*.cf
For your local configuration you can override the scores in
  /etc/mail/spamassassin/local.cf on COS8 or
  /etc/spamassassin/local.cf on COS7. I know THAT one can
  manipulate scores to fit their needs with spamassassin,
  however, I have NEVER done it. This is me sloughing it off.
  ;-) The reason I like spamassassin DKIM verification is
  because it doesn't just reject bad DKIM which as you mentioned
  can have bad effects but scores it with other things for
  rejection.

If you find some configuration that suits you and your system
  I'd be willing to post it on the QMT web as a stock 'QMT'
  setting.
    Eric
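
The askdns patterns in the message above only fire when the p= tag is followed by a semicolon. The following is an added example, not part of the original posts or of SpamAssassin: it runs those three patterns and a small tag parser over constructed TXT strings and applies the thread's meta logic and scores. Function names and sample records are assumptions made for illustration.

```python
import re

# The three askdns patterns from the local.cf in this thread, as Python regexes.
PAGE_PATTERNS = {
    "none": re.compile(r"^v=DMARC1;.*\bp=none;"),
    "quarantine": re.compile(r"^v=DMARC1;.*\bp=quarantine;"),
    "reject": re.compile(r"^v=DMARC1;.*\bp=reject;"),
}

# Scores the thread assigns to DMARC_NONE, DMARC_QUAR and DMARC_REJECT.
PAGE_SCORES = {"none": 0.1, "quarantine": 5.0, "reject": 10.0}

# Constructed TXT strings (not real lookups) in layouts RFC 7489 allows.
SAMPLE_RECORDS = [
    "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; sp=quarantine",
    "v=DMARC1; p=none; sp=reject;",
    "v=DMARC1;p=reject;",
    "v=DMARC1; p=reject",             # p is the last tag, no trailing ';'
    "v=DMARC1; p = reject; pct=100",  # whitespace around '='
    "v=spf1 -all",                    # not a DMARC record
]


def policy_by_page_regex(txt):
    """Return the policy whose regex from the thread matches, else None."""
    for policy, pattern in PAGE_PATTERNS.items():
        if pattern.search(txt):
            return policy
    return None


def parse_dmarc(txt):
    """Split a DMARC TXT string into {tag: value}; None if it is not v=DMARC1.

    Tag names are lower-cased for lookup (a lenient choice of this example).
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (not sep or name != "v" or value != "DMARC1"):
            return None
        if sep:
            tags.setdefault(name, value)  # first occurrence of a tag wins
    return tags or None


def policy_by_parser(txt):
    """Return the p= policy found by tag parsing, else None."""
    tags = parse_dmarc(txt)
    if tags is None:
        return None
    policy = tags.get("p", "").lower()
    return policy if policy in PAGE_SCORES else None


def dmarc_score(policy, dkim_valid_au, spf_pass):
    """Mirror the thread's meta rules: !(DKIM_VALID_AU || SPF_PASS) && policy."""
    if policy is None or dkim_valid_au or spf_pass:
        return 0.0
    return PAGE_SCORES[policy]


def compare(records):
    """Return (record, regex_policy, parsed_policy) for each TXT string."""
    return [(r, policy_by_page_regex(r), policy_by_parser(r)) for r in records]


if __name__ == "__main__":
    for record, by_regex, by_parser in compare(SAMPLE_RECORDS):
        flag = "" if by_regex == by_parser else "   <-- regex misses this record"
        print("%-70s regex=%-10s parsed=%-10s%s" % (record, by_regex, by_parser, flag))
```

A pattern ending in `(?:;|$)` instead of `;` would also cover a record whose last tag is p=; test any such change with `spamassassin --lint` before relying on it.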


Re: [qmailtoaster] DKIM Verification Question

2020-06-02 Thread Gary Bowling

  
  


Yea, I had already looked in there, they aren't there. I
  eventually found them in 



/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/DKIM.pm


Looks like the defaults are, 

  score DKIM_ADSP_ALL  2.5
    score DKIM_ADSP_DISCARD 25
    score DKIM_ADSP_NXDOMAIN 3
  
    score DKIM_ADSP_CUSTOM_LOW   1
    score DKIM_ADSP_CUSTOM_MED   3.5
    score DKIM_ADSP_CUSTOM_HIGH  8


For right now, I'm going to adjust a few of these and also adjust
  some of the SPF settings. Here's what I'm trying right now in my
  /etc/spamassassin/local.cf




  #Adjust scores for SPF FAIL
  score SPF_FAIL 4.0
  score SPF_HELO_FAIL 4.0
  score SPF_HELO_SOFTFAIL 3.0
  score SPF_SOFTFAIL 3.0
   
  #adjust DKIM scores
  score DKIM_ADSP_ALL 3.0
  score DKIM_ADSP_DISCARD  10.0
  score DKIM_ADSP_NXDOMAIN 3.0
  

  

  Thanks,
  Gary






On 6/2/2020 12:29 PM, Eric Broch wrote:


  
  Gary,
  The stock scores for spamassassin are in
/usr/share/spamassassin/*.cf. 
  
  # grep DKIM /usr/share/spamassassin/*.cf
  For your local configuration you can override the scores in
/etc/mail/spamassassin/local.cf on COS8 or
/etc/spamassassin/local.cf on COS7. I know THAT one can
manipulate scores to fit their needs with spamassassin, however,
I have NEVER done it. This is me sloughing it off. ;-) The
reason I like spamassassin DKIM verification is because it
doesn't just reject bad DKIM which as you mentioned can have bad
effects but scores it with other things for rejection.
  
  If you find some configuration that suits you and your system
I'd be willing to post it on the QMT web as a stock 'QMT'
setting.
  Eric
  
  On 6/2/2020 10:11 AM, Gary Bowling
wrote:
  
  


  Thanks Eric. What is the config setting in local.cf to change
  the DKIM scoring? I don't find any setting in my
  /etc/spamassassin/ directories that sets that score. Is the
  scoring for the stock EPEL local.cf different from what we
  have? I assume not since you said you didn't tailor any of
  that in QMT. 



I think that's a good move to use the stock spamassassin from
  EPEL.


As DKIM seems to be more pervasive these days, I might be
  tempted to increase the score in spamassassin if I can find
  the local.cf setting.



Thanks, Gary 



On 6/2/2020 11:56 AM, Eric Broch
  wrote:


  
  Hi Gary,
  My intent, which I articulated in another email on the list
and instead of reinventing the wheel, was exactly as you
deduced in your email, that is, to allow spamassassin to
score DKIM which it does; however, I have not done anything
as far as a tailoring configuration for QMT and was content
to allow users that scoring decision. My goal is to drop the
specially created QMT spamassassin (and clamav) rpm, which
I've done in CentOS 8, and use the stock rpm from EPEL.
  I think you can override default scoring for DKIM in
/etc/spamassassin/local.cf on COS7 and
/etc/mail/spamassassin/local.cf on COS8.
  Eric
  
  On 6/2/2020 8:09 AM, Gary Bowling
wrote:
  
  

What is everyone doing these days for DKIM verification,
  i.e. checking incoming mail for DKIM signatures?


Background
Many years ago, when DKIM was first introduced to the
  toaster (maybe it was even in the Shupp's toaster days), I
  installed and turned on incoming DKIM verification.
  Initially I set it to "reject" unsigned email and of
  course that was a disaster as it blocked most everything.


Back then, the choice was to have it verify emails, but
  not block them, or remove verification. I made the
  decision that checking without doing anything was a waste
  of resources, so I removed any DKIM verification. I don't
  remember how I did all this, as it was years ago.


Then at some point DKIM verification was added to
  spamassassin, or maybe it was always there but we didn't
  implement the plugin. At any rate, spamass

[qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Gary Bowling

  
  


FYI in case someone else can use this info. 

In my recent review of my server and trying to tighten up
  security, I noticed that there were a number of IPs that showed up
  regularly in my fail2ban firewall rules. I have a fail2ban jail
  for vpopmail that looks at failed login attempts and blocks their
  IP addresses in iptables. 



One IP address in particular would attack my server, get banned
  by fail2ban, and when the bantime was up, the same IP  would start
  attacking again, and the loop would continue. 



In order to try to do something about these bots, I first looked
  at the "recidive" jail that is included with more recent versions
  of fail2ban. 



The recidive jail was created just for this problem. However
  recidive just adds an additional jail time for a repeat offender.
  So, for instance a 4 hour jail time might get increased to 1 week.
  But after a week it starts over.



In searching I found this article, which describes what I think
  is a better approach to the issue. 

https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/


This article describes how to build a series of increased jail
  times for a habitual offender. Eventually culminating in a year
  jail time.


Thanks, Gary 



-- 
  ____
  Gary Bowling
   The
Moderns on Spotify 
  

  





Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Gary Bowling

  
  


Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
[INCLUDES]
  before = common.conf

# vi /etc/fail2ban/filter.d/vpopmail.conf:
  
  [Definition]
  # <HOST> marks where fail2ban extracts the client address from the log line
  failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
      vchkpw-submission: vpopmail user not found .*:<HOST>$
      vchkpw-smtp: password fail .*:<HOST>$
      vchkpw-submission: password fail .*:<HOST>$
  ignoreregex =




In my jail.local, I have the following for my vpopmail config. 



[vpopmail]
  enabled = true
  filter = vpopmail
  port    = pop3,pop3s,imap,imaps,submission,465
  logpath = /var/log/maillog
  maxretry = 4
  findtime = 86400 ; 1 day
  bantime = 10800 ; 3 hours





On 6/3/2020 7:53 PM, Eric Broch wrote:


  
  can you share your vpopmail rules for fail2ban, config and
regex?
  
  On 6/3/2020 5:48 PM, Gary Bowling
wrote:
  
  



FYI in case someone else can use this info. 

In my recent review of my server and trying to tighten up
  security, I noticed that there were a number of IPs that
  showed up regularly in my fail2ban firewall rules. I have a
  fail2ban jail for vpopmail that looks at failed login attempts
  and blocks their IP addresses in iptables. 



One IP address in particular would attack my server, get
  banned by fail2ban, and when the bantime was up, the same IP 
  would start attacking again, and the loop would continue. 



In order to try to do something about these bots, I first
  looked at the "recidive" jail that is included with more
  recent versions of fail2ban. 



The recidive jail was created just for this problem. However
  recidive just adds an additional jail time for a repeat
  offender. So, for instance a 4 hour jail time might get
  increased to 1 week. But after a week it starts over.



In searching I found this article, which describes what I
  think is a better approach to the issue. 

https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/


This article describes how to build a series of increased
  jail times for a habitual offender. Eventually culminating in
  a year jail time.


Thanks, Gary 



-- 
  
  Gary Bowling
   The Moderns on Spotify 
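
The filter and jail settings in the message above can be exercised offline. This is an added example, not part of the original posts and not fail2ban's own code: it applies the four failregex lines to constructed vchkpw log lines, then runs a simplified model of maxretry/findtime/bantime to count how often one persistent address is re-banned in a day. The log line layout, the IPv4-only expansion of `<HOST>` after the final colon, and all function names are assumptions.

```python
import re
from collections import defaultdict

# failregex lines from the vpopmail filter in this thread.
FAILREGEX = [
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>$",
    r"vchkpw-submission: vpopmail user not found .*:<HOST>$",
    r"vchkpw-smtp: password fail .*:<HOST>$",
    r"vchkpw-submission: password fail .*:<HOST>$",
]

# Simplification for this example: expand <HOST> to an IPv4 capture only.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def match_failure(line):
    """Return the client address if any failregex matches, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def simulate_jail(events, maxretry=4, findtime=86400, bantime=10800):
    """Simplified jail model over (epoch_seconds, log_line) events sorted by time.

    Returns {ip: [(ban_start, ban_end), ...]}. While an address is banned its
    attempts are assumed to be dropped by the firewall and never logged.
    """
    failures = defaultdict(list)
    banned_until = {}
    bans = defaultdict(list)
    for ts, line in events:
        ip = match_failure(line)
        if ip is None or ts < banned_until.get(ip, 0):
            continue
        window = [t for t in failures[ip] if ts - t < findtime] + [ts]
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans[ip].append((ts, ts + bantime))
            window = []  # counter starts again after a ban
        failures[ip] = window
    return dict(bans)


def build_sample_events():
    """Constructed events: one bot retrying every 10 minutes for a day,
    plus one user who mistypes a password twice and then logs in."""
    prefix = "Jun  3 00:00:00 mail vpopmail[2101]: "  # text timestamp is not parsed
    events = []
    for ts in range(0, 86400, 600):
        service = "smtp" if (ts // 600) % 2 == 0 else "submission"
        events.append((ts, prefix + "vchkpw-%s: vpopmail user not found "
                           "info@example.com:203.0.113.7" % service))
    bad = prefix + "vchkpw-submission: password fail (pass: 'x') bob@example.com:198.51.100.20"
    ok = prefix + "vchkpw-submission: (PLAIN) login success bob@example.com:198.51.100.20"
    events += [(3000, bad), (3060, bad), (3100, ok)]
    return sorted(events)


if __name__ == "__main__":
    events = build_sample_events()
    for label, bantime in (("3 hours", 10800), ("1 year", 31536000)):
        bans = simulate_jail(events, bantime=bantime)
        for ip, spans in bans.items():
            print("bantime %-7s %s banned %d time(s) in 24h" % (label, ip, len(spans)))
```

With the 3 hour bantime the constructed bot is banned seven times in one day, which is the loop described in the first post; a long final ban ends it after the first hit.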
  




Re: [qmailtoaster] Fail2Ban Loop for repeat offenders

2020-06-03 Thread Gary Bowling

  
  


It seems to work. I'm also using the
  /etc/fail2ban/filter.d/dovecot.conf that is included with
  fail2ban. That should catch attempts on imap and pop3, but I've
  never had it actually trap anything. So I'm guessing there is
  something not quite right about it.


If you have something there that actually works, let me know.


Seems like most of the hacking on my server is trying to find
  smtp relays, so maybe it's not a problem. Manually looking through
  the dovecot logs I don't see a ton of attempts there. Nothing like
  the maillog where there seems to be an endless list of bots
  hacking away. 



Gary



On 6/3/2020 8:37 PM, Eric Broch wrote:


  
  Nice, easier than mine.
  
  On 6/3/2020 6:27 PM, Gary Bowling
wrote:
  
  



Sure, here's my /etc/fail2ban/filter.d/vpopmail.conf
[INCLUDES]
  before = common.conf

# vi /etc/fail2ban/filter.d/vpopmail.conf:
  
  [Definition]
  # <HOST> marks where fail2ban extracts the client address from the log line
  failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
      vchkpw-submission: vpopmail user not found .*:<HOST>$
      vchkpw-smtp: password fail .*:<HOST>$
      vchkpw-submission: password fail .*:<HOST>$
  ignoreregex =




In my jail.local, I have the following for my vpopmail
  config. 



[vpopmail]
  enabled = true
  filter = vpopmail
  port    = pop3,pop3s,imap,imaps,submission,465
  logpath = /var/log/maillog
  maxretry = 4
  findtime = 86400 ; 1 day
  bantime = 10800 ; 3 hours





On 6/3/2020 7:53 PM, Eric Broch
  wrote:


  
  can you share your vpopmail rules for fail2ban, config and
regex?
  
  On 6/3/2020 5:48 PM, Gary Bowling
wrote:
  
  



FYI in case someone else can use this info. 

In my recent review of my server and trying to tighten up
  security, I noticed that there were a number of IPs that
  showed up regularly in my fail2ban firewall rules. I have
  a fail2ban jail for vpopmail that looks at failed login
  attempts and blocks their IP addresses in iptables. 



One IP address in particular would attack my server, get
  banned by fail2ban, and when the bantime was up, the same
  IP  would start attacking again, and the loop would
  continue. 



In order to try to do something about these bots, I first
  looked at the "recidive" jail that is included with more
  recent versions of fail2ban. 



The recidive jail was created just for this problem.
  However recidive just adds an additional jail time for a
  repeat offender. So, for instance a 4 hour jail time might
  get increased to 1 week. But after a week it starts over.



In searching I found this article, which describes what I
  think is a better approach to the issue. 

https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/


This article describes how to build a series of increased
  jail times for a habitual offender. Eventually culminating
  in a year jail time.


Thanks, Gary 



-- 
  
  Gary Bowling
   The Moderns on Spotify 
  




[qmailtoaster] Squirrelmail quota

2020-11-27 Thread Gary Bowling

  
  


Up until a recent update, I have always had a quota graphic in
  the upper left corner in squirrelmail. But with the recent
  updates, I no longer have this feature. 



I went to the squirrelmail plugins page and found the "check
  quota" plugin is the current plugin to do this. Reinstalled it and
  removed everything else relating to quota.



From looking at the squirrelmail config, I have the following
  listed. 



Plugins
    Installed Plugins
      1. delete_move_next
      2. squirrelspell
      3. newmail
      4. squirrel_logger
      5. check_quota
      6. compatibility


So it clearly shows that I have check_quota installed. but I
  still don't get a graph on my mail page. I don't get any errors or
  any indication of what might be wrong. 



Anyone else have quota display working in squirrelmail? 



Thanks, Gary 



-- 
  ____
  Gary Bowling
   The
Moderns on Spotify 
  

  





Re: [qmailtoaster] Close to quota message or scam

2020-12-04 Thread Gary Bowling

  
  


Yes, this is why I would like to get the quota graph working in
  squirrelmail again. This was the easy place for customers to see
  if they actually had a quota problem if they got these scam
  messages. 



Gary



On 12/4/2020 9:58 AM, Angus McIntyre
  wrote:

"Valued
  Customer" is such an obvious giveaway that I wouldn't bother
  looking any further. It's a very common phrase in scams of all
  kinds. Your message is a scam and it almost certainly came from
  outside your system.
  
  
  Incidentally, on the subject of quota messages, I did see an
  interesting case the other day. Mail was bouncing from one user
  and the bounce messages claimed that the message couldn't be
  delivered because the user was over their quota.
  
  
  I knew this couldn't be the case, because I don't have quotas and
  in fact the user in question was 'virtual': a non-existent user
  who was being processed by the catch-all and delivered directly to
  a mailbox (a sub-mailbox of another user who was having no trouble
  receiving mail).
  
  
  I finally tracked it down to a dovecot file -- 'dovecot-uidlist',
  if I remember correctly -- that had the wrong ownership. It was
  owned by root instead of vpopmail, so dovecot couldn't read it and
  was bouncing mail with that spurious 'over quota' message.
  
  
  This doesn't relate to your case -- which sounds like simple
  phishing -- but I thought I'd share it just for general
  enlightenment. If you get weird quota-related bounces, remember to
  check ownership and permissions.
  
  
  Angus
  
  
  
  
  Jeff Koch wrote on 12/4/20 9:41 AM:
  
  

One of our QT7 mailserver accounts got an email addressed to a
non-existent account that was picked up by his catch-all with
the subject


'Mail quota warning - You are close to your quota'


He's using about 0% of his quota which I confirmed by manually
checking the space used by his account. The header on this email
says almost nothing except the email came from Mailer-Daemon and
it's addressed to 'Valued Customer:;'


I've seen over-quota messages but never a warning message.  Is
there anything in QT7 that could be generating such a message.


Thanks,


Jeff Koch






  
  



Re: [qmailtoaster] Future of qmailtoaster on CentOS?

2020-12-09 Thread Gary Bowling

  
  


Maybe it's time to move to a new distribution, looks like we have
  at least until 2024 to do it. 



Maybe arch linux? Or is there something similar to the original
  CentOS project?



Gary



On 12/9/2020 11:29 AM, Jeff Koch wrote:


  
  Sorry - I was looking at the
  RHEL life-cycle dates - but looking at the correct dates
  perhaps it's better to stay with CentOS 7 
  
  Jeff

  On 12/9/2020 11:07 AM, Eric Broch
wrote:
  
  

I thought that it said that CentOS 7 would be supported through
  2024 and 8 through 2021?

On 12/9/2020 8:11 AM, Jeff Koch
  wrote:


  
  It appears CentOS 8 will
  continue to be supported through 2024 - but this is
  concerning news - Jeff
  
  On 12/9/2020 7:20 AM, Eric Broch
wrote:
  
  https://www.change.org/p/centos-governing-board-do-not-destroy-centos-by-using-it-as-a-rhel-upstream


On 12/9/2020 4:50 AM, Angus McIntyre wrote: 
Does anyone have any thoughts on the
  likely future of qmailtoaster given the new plans for
  CentOS? 
  
  (See https://centos.org/distro-faq/
  for more details) 
  
  I'd never actually heard of CentOS Stream before today,
  but having just painfully built a working toaster on top
  of CentOS 8, I'm a little apprehensive about the impact of
  the proposed changes. 
  
  Comments? 
  
  Angus 
  
  


  
  

  
  

  





Re: [qmailtoaster] Future of qmailtoaster on CentOS?

2020-12-11 Thread Gary Bowling

  
  


One issue I have is that my toaster is hosted on a virtual
  machine at Linode. Others may use virtual solutions as well. 



These services offer virtual machines of several popular flavors,
  but you have to use whatever they offer. Linode offers servers in
  Centos, Alpine, Arch, Debian, Fedora, Gentoo, Slackware, Ubuntu,
  and OpenSUSE. To use their service, you choose a platform/OS and
  specs. It's built for you in their data center, then you log in
  and configure/install what you want.



So for Linode there is no Rocky-linux or FreeBSD. Not to say that
  Rocky won't be supported in the future. If it takes hold and many
  of the CentOS customers move that direction, I'm sure it will. 



It's just something to keep in mind and consider as this is moved
  forward.


gary



On 12/11/2020 8:52 AM, Eric Broch
  wrote:


  
  This looks like good news: https://github.com/rocky-linux
  On another note: IBM bought/acquired
Red Hat.
  
  
  On 12/10/2020 8:35 AM, Eric Broch
wrote:
  
  

Fellow QMT enthusiasts:
  
I became concerned about the future of CentOS a week or so
ago  (not a premonition just my natural paranoia)
prior to their announcement two days back and visited
centos.org to relieve my fears. I was confident at that
point that having gotten QMT/CentOS 8 ready I was good to go
for ~10 years. My confidence MAY have been hasty. I'm still
not sure what drawbacks 'stream' is going to bring, if any,
and like Angus am apprehensive. It's supposed to be an
intermediate environment between Fedora and RHEL. In my
opinion, to release CentOS 8 and then move it from
downstream to upstream after people have already migrated is
short-sighted at the very least, and its name Community
Enterprise OS (8) is now a misnomer. Living in somewhat of a
cocoon, I was completely unaware that RH "joined" CentOS.
I've heard some say that we've been freeloading off CentOS
for years and now it's time to pay up. Never mind that a
free kernel is used and we actually test the software and
report bugs. That said, I have REALLY enjoyed using CentOS
since the beginning. 
  
That said, having a look at the old spec files from
*-toaster designation days when we built the QMT for
specific platforms, Fedora, was among them along with Suse,
Mandrake, so, at the beginning QMT was used in a
non-Enterprise environment. Anyway...
  
Personally, I'm interested in both Debian and FreeBSD and
would like to go back halfway to multi-platform builds while
keeping the current QMT/CentOS 8 offering. This would
mitigate the problems, if there are any, we are seeing now
(hopefully). I guess it just depends on when (or if) the
mega-corps buy up all of the Linux distributions and hang us
all out to dry. Given the Felliniesque nature of the world
today nothing would surprise me anymore.
  
One advantage of having a ports like mail server is the
ability, if one is inclined to dig a little beyond binary
installs, to make changes on the fly without having to wait
for packages from the repo.
I've tried to install FreeBSD, although somewhat
half-heartedly, on Proxmox several times with no success.
If anyone has any hints I'm all ears...just my 2 cents.
So, if anyone is working on installing QMT on another
platform please keep us apprised of your successes. If you
feel like writing it up, I'll post it to the web site.
  
I'll be looking into converting to *.deb packages (like
rpm's, binary ease of install) in some way (I tried using
alien...on the website) which can be used on Ubuntu and
Debian Linux. Back to work for me...
  
Eric B.
  
On 12/9/2020 7:31 PM, Tony White
  wrote:

Hi
  all, 
    Anyone interested in BSD either Free or Open? 
  I am starting to work on building a FreeBSD version 
  of this for myself. Would like to know if anyone 
  else is interested. 
  
  best wishes 
    Tony White 
  
  On 10/12/20 6:49 am, Unai Rodriguez wrote: 
  Debian! 

-- unai 

On Wed, Dec 9, 2020, at 8:20 PM, Boheme wrote: 
I’ve been meaning to learn to
  compile all the source for Ubuntu 

Re: [qmailtoaster] Future of qmailtoaster on CentOS?

2020-12-11 Thread Gary Bowling

  
  


I'm almost embarrassed to say that I'm running mine on a
  $25/month server. I have about 1000 users over 7 domains. 



Here's a price list from Linode, but you can also customize it.


https://www.linode.com/pricing/


gary



On 12/11/2020 10:21 AM, Eric Broch
  wrote:


  
  What's the cost?
  
  On 12/11/2020 8:14 AM, Gary Bowling
wrote:
  
  



Yes, they give you an OS, with the amount of
  MEM/disk/processors/etc that you configure and purchase. Once
  you get that, you can log in with SSH and set up anything you
  like. There is also a console app from your account in case
  you have trouble getting in via SSH.



It's really a nice service and I've been very happy with it.
  Since your machine sits on top of a big architecture you never
  have to worry about hardware failures, hardware upgrades, etc.
  You can add storage, RAM, processors, etc to an existing
  machine at any time.


I was skeptical at first of running email on a virtual, but
  I've been using mine for about 3 years now and it's really
  been a good service. I would never go back to a real machine,
  all the hardware headaches are gone.



gary





On 12/11/2020 10:01 AM, Eric Broch
  wrote:


  
  Do they allow you to control the repos from which you
update? If so there should not be a problem if Rocky is done
by then.
  
  On 12/11/2020 7:45 AM, Gary
Bowling wrote:
  
  



One issue I have is that my toaster is hosted on a
  virtual machine at Linode. Others may use virtual
  solutions as well. 



These services offer virtual machines of several popular
  flavors, but you have to use whatever they offer. Linode
  offers servers in Centos, Alpine, Arch, Debian, Fedora,
  Gentoo, Slackware, Ubuntu, and OpenSUSE. To use their
  service, you choose a platform/OS and specs. It's built
  for you in their data center, then you log in and
  configure/install what you want.



So for Linode there is no Rocky-linux or FreeBSD. Not to
  say that Rocky won't be supported in the future. If it
  takes hold and many of the CentOS customers move that
  direction, I'm sure it will. 



It's just something to keep in mind and consider as this
  is moved forward.


gary



On 12/11/2020 8:52 AM, Eric
  Broch wrote:


  
  This looks like good news: https://github.com/rocky-linux
  On another note: IBM bought/acquired
Red Hat.
  
  
  On 12/10/2020 8:35 AM, Eric
Broch wrote:
  
  

Fellow QMT enthusiasts:
  
I became concerned about the future of CentOS a
week or so ago  (not a premonition just
  my natural paranoia) prior to their
announcement two days back and visited centos.org to
relieve my fears. I was confident at that point that
having gotten QMT/CentOS 8 ready I was good to go
for ~10 years. My confidence MAY have been hasty.
I'm still not sure what drawbacks 'stream' is going
to bring, if any, and like Angus am apprehensive.
It's supposed to be an intermediate environment
between Fedora and RHEL. In my opinion, to release
CentOS 8 and then move it from downstream to
upstream after people have already migrated is
short-sighted at the very least, and its name
Community Enterprise OS (8) is now a misnomer.
Living in somewhat of a cocoon, I was completely
unaware that RH "joined" CentOS. I've heard some say
that we've been freeloading off CentOS for years and
now it's time to pay up. Never mind that a free
kernel is used and we actually test the software and
report bugs. That said, I have REALLY enj

Re: [qmailtoaster] Future of qmailtoaster on CentOS?

2020-12-11 Thread Gary Bowling

  
  


Yes, they give you an OS, with the amount of
  MEM/disk/processors/etc that you configure and purchase. Once you
  get that, you can log in with SSH and set up anything you like.
  There is also a console app from your account in case you have
  trouble getting in via SSH.



It's really a nice service and I've been very happy with it.
  Since your machine sits on top of a big architecture you never
  have to worry about hardware failures, hardware upgrades, etc. You
  can add storage, RAM, processors, etc to an existing machine at
  any time.


I was skeptical at first of running email on a virtual, but I've
  been using mine for about 3 years now and it's really been a good
  service. I would never go back to a real machine, all the hardware
  headaches are gone.



gary





On 12/11/2020 10:01 AM, Eric Broch
  wrote:


  
  Do they allow you to control the repos from which you update?
If so there should not be a problem if Rocky is done by then.
  
  On 12/11/2020 7:45 AM, Gary Bowling
wrote:
  
  



One issue I have is that my toaster is hosted on a virtual
  machine at Linode. Others may use virtual solutions as well. 



These services offer virtual machines of several popular
  flavors, but you have to use whatever they offer. Linode
  offers servers in Centos, Alpine, Arch, Debian, Fedora,
  Gentoo, Slackware, Ubuntu, and OpenSUSE. To use their service,
  you choose a platform/OS and specs. It's built for you in
  their data center, then you log in and configure/install what
  you want.



So for Linode there is no Rocky-linux or FreeBSD. Not to say
  that Rocky won't be supported in the future. If it takes hold
  and many of the CentOS customers move that direction, I'm sure
  it will. 



It's just something to keep in mind and consider as this is
  moved forward.


gary



On 12/11/2020 8:52 AM, Eric Broch
  wrote:


  
  This looks like good news: https://github.com/rocky-linux
  On another note: IBM bought/acquired
Red Hat.
  
  
  On 12/10/2020 8:35 AM, Eric Broch
wrote:
  
  

Fellow QMT enthusiasts:
  
I became concerned about the future of CentOS a week
or so ago  (not a premonition just my natural
  paranoia) prior to their announcement two days
back and visited centos.org to relieve my fears. I was
confident at that point that having gotten QMT/CentOS 8
ready I was good to go for ~10 years. My confidence MAY
have been hasty. I'm still not sure what drawbacks
'stream' is going to bring, if any, and like Angus am
apprehensive. It's supposed to be an intermediate
environment between Fedora and RHEL. In my opinion, to
release CentOS 8 and then move it from downstream to
upstream after people have already migrated is
short-sighted at the very least, and its name Community
Enterprise OS (8) is now a misnomer. Living in somewhat
of a cocoon, I was completely unaware that RH "joined"
CentOS. I've heard some say that we've been freeloading
off CentOS for years and now it's time to pay up. Never
mind that a free kernel is used and we actually test the
software and report bugs. That said, I have REALLY
enjoyed using CentOS since the beginning. 
  
That said, having a look at the old spec files from
*-toaster designation days when we built the QMT for
specific platforms, Fedora, was among them along with
Suse, Mandrake, so, at the beginning QMT was used in a
non-Enterprise environment. Anyway...
  
Personally, I'm interested in both Debian and FreeBSD
and would like to go back halfway to multi-platform
builds while keeping the current QMT/CentOS 8 offering.
This would mitigate the problems, if there are any, we
are seeing now (hopefully). I guess it just depends on
when (or if) the mega-corps buy up all of the Linux
distributions and hang us all out to dry. Given the
Felliniesque nature of the world today nothing would
surprise 

Re: [qmailtoaster] Clamav-Freshclam Not starting after update

2021-07-11 Thread Gary Bowling

  
  


I see where Chandran had this same issue a few weeks ago. What
  did you do to resolve it?


Thanks, Gary




On 7/11/2021 1:03 PM, Gary Bowling
  wrote:


  
  Running a toaster on CentOS 7, with everything updated every
couple of months. Just did an update on my server. The update
took me from 
  
  clamav-update-0.103.2-1.el7.x86_64   >  
clamav-update-0.103.2-2.el7.x86_64
  All the other clamav packages are also updated from/to the same
version, clamav, clamav-lib, clamav-filesystem.
  
  After a reboot, toaststat gives me
  systemd service: clamav-freshclam:   [  FAILED  ]
  
  
  Then I took a look at.
  systemctl status clamav-freshclam
  ● clamav-freshclam.service - ClamAV virus database updater
     Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: disabled)
     Active: inactive (dead)
  Condition: start condition failed at Sun 2021-07-11 12:48:21 EDT; 7min ago
             ConditionPathExists=!/etc/cron.d/clamav-update was not met
       Docs: man:freshclam(1)
             man:freshclam.conf(5)
             https://www.clamav.net/documents
  
  
  
  The /var/log/clamav/freshclam.log just has this one line. 
  
  Sun Jul 11 12:29:07 2021 -> Update process terminated
  
  
  Any suggestions as to how to resolve this?
  
  
  Thanks, Gary
  

  





[qmailtoaster] Clamav-Freshclam Not starting after update

2021-07-11 Thread Gary Bowling

  
  
Running a toaster on CentOS 7, with everything updated every
  couple of months. Just did an update on my server. The update took
  me from 

clamav-update-0.103.2-1.el7.x86_64   >  
  clamav-update-0.103.2-2.el7.x86_64
All the other clamav packages are also updated from/to the same
  version, clamav, clamav-lib, clamav-filesystem.

After a reboot, toaststat gives me
systemd service: clamav-freshclam:   [  FAILED  ]


Then I took a look at.
systemctl status clamav-freshclam
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
Condition: start condition failed at Sun 2021-07-11 12:48:21 EDT; 7min ago
           ConditionPathExists=!/etc/cron.d/clamav-update was not met
     Docs: man:freshclam(1)
           man:freshclam.conf(5)
           https://www.clamav.net/documents



The /var/log/clamav/freshclam.log just has this one line. 

Sun Jul 11 12:29:07 2021 -> Update process terminated


Any suggestions as to how to resolve this?


Thanks, Gary

  





Re: [qmailtoaster] Clamav-Freshclam Not starting after update

2021-07-11 Thread Gary Bowling

  
  


Thanks, Gary



On 7/11/2021 4:01 PM, Eric Broch wrote:

If the service is running, updates are happening, but if the clamav
  developers are doing away with freshclam daemon, which seems
  likely, option 2 seems to be the way to go.
  
  
  On 7/11/2021 1:55 PM, Gary Bowling wrote:
  
  


Thanks Eric.



So I kind of like having the service show up in toaststat as
it's an easy way to check things. Which would encourage me to
take option 1.



However, is the "new" way of doing it, to do it in cron? If it
is, then that's probably better as it makes my box more
"standard."



I'm not sure having the service show up in toaststat really
means anything anyway, it just says the service is running. Not
that the db is actually getting updated.



Thanks, Gary



On 7/11/2021 2:51 PM, Eric Broch wrote:

Freshclam doesn't start because
  databases are now updated by cron job
  '/etc/cron.d/clamav-update' in 'freshclam.service' file. If
  cron job file exists freshclam daemon is not necessary.
  
  
  Pick one of two options:
  
  
  1)
  
  
  vi /usr/lib/systemd/system/clamav-freshclam.service
  
  
  replace
  
  
  ConditionPathExists=!/etc/cron.d/clamav-update
  
  
  with
  
  
  #ConditionPathExists=!/etc/cron.d/clamav-update
  
  
  vi /etc/cron.d/clamav-update
  
  
  replace
  
  
  0  */3 * * * root /usr/share/clamav/freshclam-sleep > /dev/null
  
  
  with
  
  
  #0  */3 * * * root /usr/share/clamav/freshclam-sleep > /dev/null
  
  
  or
  
  
  2)
  
  
  vi /usr/bin/toaststat
  
  
  replace
  
  
  for sv in clamd@scan clamav-freshclam spamassassin ... ... ...
  
  
  with
  
  
  for sv in clamd@scan spamassassin ... ... ...
  
      On 7/11/2021 11:11 AM, Gary Bowling wrote:
  
  


I see where Chandran had this same issue a few weeks ago.
What did you do to resolve it?



Thanks, Gary




On 7/11/2021 1:03 PM, Gary Bowling wrote:


  
  Running a toaster on CentOS 7, with everything updated
  every couple of months. Just did an update on my server.
  The update took me from
  
  
  clamav-update-0.103.2-1.el7.x86_64   >
  clamav-update-0.103.2-2.el7.x86_64
  
  
  All the other clamav packages are also updated from/to the
  same version, clamav, clamav-lib, clamav-filesystem.
  
  
  After a reboot, toaststat gives me
  
  
  systemd service: clamav-freshclam:   [  FAILED  ]
  
  
  
  Then I took a look at.
  
  
  systemctl status clamav-freshclam
  
  ● clamav-freshclam.service - ClamAV virus database updater
  
     Loaded: loaded
  (/usr/lib/systemd/system/clamav-freshclam.service;
  enabled; vendor preset: disabled)
  
     Active: inactive (dead)
  
  Condition: start condition failed at Sun 2021-07-11
  12:48:21 EDT; 7min ago
  
     ConditionPathExists=!/etc/cron.d/clamav-update
  was not met
  
   Docs: man:freshclam(1)
  
     man:freshclam.conf(5)
  
  https://www.clamav.net/documents
  
  
  
  The /var/log/clamav/freshclam.log just has this one line.
  
  
  Sun Jul 11 12:29:07 2021 -> Update process terminated
  
  
  
  Any suggestions as to how to resolve this?
  
  
  
  Thanks, Gary
  
  

Re: [qmailtoaster] Clamav-Freshclam Not starting after update

2021-07-11 Thread Gary Bowling

  
  


Thanks Eric. 



So I kind of like having the service show up in toaststat as
  it's an easy way to check things. Which would encourage me to take
  option 1.



However, is the "new" way of doing it, to do it in cron? If it
  is, then that's probably better as it makes my box more
  "standard."


I'm not sure having the service show up in toaststat really means
  anything anyway, it just says the service is running. Not that the
  db is actually getting updated. 



Thanks, Gary 



On 7/11/2021 2:51 PM, Eric Broch wrote:

Freshclam doesn't start because databases are now updated by cron job
  '/etc/cron.d/clamav-update' in 'freshclam.service' file. If cron
  job file exists freshclam daemon is not necessary.
  
  
  Pick one of two options:
  
  
  1)
  
  
  vi /usr/lib/systemd/system/clamav-freshclam.service
  
  
  replace
  
  
  ConditionPathExists=!/etc/cron.d/clamav-update
  
  
  with
  
  
  #ConditionPathExists=!/etc/cron.d/clamav-update
  
  
  vi /etc/cron.d/clamav-update
  
  
  replace
  
  
  0  */3 * * * root /usr/share/clamav/freshclam-sleep > /dev/null
  
  
  with
  
  
  #0  */3 * * * root /usr/share/clamav/freshclam-sleep > /dev/null
  
  
  or
  
  
  2)
  
  
  vi /usr/bin/toaststat
  
  
  replace
  
  
  for sv in clamd@scan clamav-freshclam spamassassin ... ... ...
  
  
  with
  
  
  for sv in clamd@scan spamassassin ... ... ...
  
      On 7/11/2021 11:11 AM, Gary Bowling wrote:
  
  


I see where Chandran had this same issue a few weeks ago. What
did you do to resolve it?



Thanks, Gary




On 7/11/2021 1:03 PM, Gary Bowling wrote:


  
  Running a toaster on CentOS 7, with everything updated every
  couple of months. Just did an update on my server. The update
  took me from
  
  
  clamav-update-0.103.2-1.el7.x86_64   >
  clamav-update-0.103.2-2.el7.x86_64
  
  
  All the other clamav packages are also updated from/to the
  same version, clamav, clamav-lib, clamav-filesystem.
  
  
  After a reboot, toaststat gives me
  
  
  systemd service: clamav-freshclam:   [  FAILED  ]
  
  
  
  Then I took a look at.
  
  
  systemctl status clamav-freshclam
  
  ● clamav-freshclam.service - ClamAV virus database updater
  
     Loaded: loaded
  (/usr/lib/systemd/system/clamav-freshclam.service; enabled;
  vendor preset: disabled)
  
     Active: inactive (dead)
  
  Condition: start condition failed at Sun 2021-07-11 12:48:21
  EDT; 7min ago
  
     ConditionPathExists=!/etc/cron.d/clamav-update was
  not met
  
   Docs: man:freshclam(1)
  
     man:freshclam.conf(5)
  
  https://www.clamav.net/documents
  
  
  
  The /var/log/clamav/freshclam.log just has this one line.
  
  
  Sun Jul 11 12:29:07 2021 -> Update process terminated
  
  
  
  Any suggestions as to how to resolve this?
  
  
  
  Thanks, Gary
  
  
  
  

  





Re: [qmailtoaster] Clamav-Freshclam Not starting after update

2021-07-11 Thread Gary Bowling

  
  


Another point, I guess if we leave the cron in place.


It looks to me like we can just disable the
  clamav-freshclam.service. 



Is that correct? 



Thanks, Gary 



On 7/11/2021 4:03 PM, Gary Bowling
  wrote:


  
  
  
  Thanks, Gary
  
  
  
  On 7/11/2021 4:01 PM, Eric Broch
wrote:
  
  If the service is running, updates are happening, but if the clamav
developers are doing away with freshclam daemon, which seems
likely, option 2 seems to be the way to go. 

On 7/11/2021 1:55 PM, Gary Bowling wrote: 
 
  
  Thanks Eric. 
  
  
  So I kind of like having the service show up in toaststat as
  it's an easy way to check things. Which would encourage me to
  take option 1. 
  
  
  However, is the "new" way of doing it, to do it in cron? If it
  is, then that's probably better as it makes my box more
  "standard." 
  
  
  I'm not sure having the service show up in toaststat really
  means anything anyway, it just says the service is running.
  Not that the db is actually getting updated. 
  
  
  Thanks, Gary 
  
  
  On 7/11/2021 2:51 PM, Eric Broch wrote: 
  Freshclam doesn't start because
databases are now updated by cron job
'/etc/cron.d/clamav-update' in 'freshclam.service' file. If
cron job file exists freshclam daemon is not necessary. 

Pick one of two options: 

1) 

vi /usr/lib/systemd/system/clamav-freshclam.service 

replace 

ConditionPathExists=!/etc/cron.d/clamav-update 

with 

#ConditionPathExists=!/etc/cron.d/clamav-update 

vi /etc/cron.d/clamav-update 

replace 

0  */3 * * * root /usr/share/clamav/freshclam-sleep > /dev/null

with 

#0  */3 * * * root /usr/share/clamav/freshclam-sleep > /dev/null

or 

2) 

vi /usr/bin/toaststat 

replace 

for sv in clamd@scan clamav-freshclam spamassassin ... ... ...

with 

for sv in clamd@scan spamassassin ... ... ... 
    On 7/11/2021 11:11 AM, Gary Bowling wrote: 
 
  
  I see where Chandran had this same issue a few weeks ago.
  What did you do to resolve it? 
  
  
  Thanks, Gary 
  
  
  
  On 7/11/2021 1:03 PM, Gary Bowling wrote: 
   
Running a toaster on CentOS 7, with everything updated
every couple of months. Just did an update on my server.
The update took me from 

clamav-update-0.103.2-1.el7.x86_64   >
clamav-update-0.103.2-2.el7.x86_64 

All the other clamav packages are also updated from/to
the same version, clamav, clamav-lib, clamav-filesystem.


After a reboot, toaststat gives me

systemd service: clamav-freshclam:   [  FAILED  ]


Then I took a look at. 

systemctl status clamav-freshclam
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
Condition: start condition failed at Sun 2021-07-11 12:48:21 EDT; 7min ago
           ConditionPathExists=!/etc/cron.d/clamav-update was not met
     Docs: man:freshclam(1)
           man:freshclam.conf(5)
           https://www.clamav.net/documents



The /var/log/clamav/freshclam.log just has this one
line. 

Sun Jul 11 12:29:07 2021 -> Update process terminated



Any suggestions as to how to resolve this? 
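
The thread points out that a service showing up in toaststat only says it is running, not that the database is being updated. The script below is an added example, not code from the thread or from QMailToaster: it reports which update path is live for the cron file and unit file named in the thread (including the case where the cron line is commented out but the unit condition is left in place, so nothing runs) and whether daily.cvd/daily.cld changed recently. The database directory /var/lib/clamav and the 48-hour threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths for the cron and unit files are
# the ones quoted in the thread; DB_DIR and the 48 h threshold are assumptions.
CRON_FILE=${CRON_FILE:-/etc/cron.d/clamav-update}
UNIT_FILE=${UNIT_FILE:-/usr/lib/systemd/system/clamav-freshclam.service}
DB_DIR=${DB_DIR:-/var/lib/clamav}
MAX_AGE_HOURS=${MAX_AGE_HOURS:-48}

# True when the cron file holds an uncommented line that runs freshclam.
cron_job_active() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*[^#[:space:]].*freshclam' "$1"
}

# True when the unit still has the uncommented "!<cron file>" condition.
unit_condition_active() {    # usage: unit_condition_active <cron> <unit>
    [ -f "$2" ] || return 1
    grep -F "ConditionPathExists=!$1" "$2" | grep -vq '^[[:space:]]*#'
}

# Prints one of:
#   cron    the cron job does the updates
#   daemon  no active cron job and the unit is not blocked by the condition
#   none    cron file exists with no active job, yet its mere existence
#           still makes systemd skip the daemon: nothing updates the DB
update_mechanism() {         # usage: update_mechanism <cron> <unit>
    if cron_job_active "$1"; then
        echo cron
    elif [ -e "$1" ] && unit_condition_active "$1" "$2"; then
        echo none
    else
        echo daemon
    fi
}

# Newest mtime (epoch seconds) of daily.cvd / daily.cld; 0 if neither exists.
newest_daily_mtime() {
    newest=0
    for f in "$1"/daily.c?d; do
        [ -f "$f" ] || continue
        # GNU stat first, BSD stat as fallback
        m=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
        if [ "$m" -gt "$newest" ]; then newest=$m; fi
    done
    echo "$newest"
}

# True when the daily database was modified less than <hours> ago.
db_is_fresh() {              # usage: db_is_fresh <dir> <hours> [now_epoch]
    now=${3:-$(date +%s)}
    mt=$(newest_daily_mtime "$1")
    [ "$mt" -gt 0 ] && [ $(( (now - mt) / 3600 )) -lt "$2" ]
}

# One-line summary; non-zero exit when updates are not happening.
report() {
    mech=$(update_mechanism "$CRON_FILE" "$UNIT_FILE")
    if db_is_fresh "$DB_DIR" "$MAX_AGE_HOURS"; then db=fresh; else db=stale; fi
    echo "update path: $mech, database: $db"
    [ "$mech" != none ] && [ "$db" = fresh ]
}

# Run as: sh freshclam_check.sh check
case "${1:-}" in check) report ;; esac
```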

 

Re: [qmailtoaster] Server Specs

2021-04-30 Thread Gary Bowling

  
  


You can literally get something that will do that for $5/month
  from linode.com. Reliable service and great prices.


I have one from there that hosts about 4 domains and about 1000
  users for $20/month! And I've never had a problem. 



I would still recommend Centos 7 at this point, but you'll have
  to change in a few years. The landscape is changing and we'll see
  what wins out by the EOL of 7, which is June 2024. 



gabo



On 4/30/2021 7:21 PM, Scott Hughes
  wrote:


  I am looking to host a very small email domain (5-10 boxes max - all low usage). What is the best sized server and Linux flavor to use for this? I’m putting it on a vServer so I don’t want to pay for a lot of extra RAM and hard drive space that I don’t need.



  





[qmailtoaster] Spamdyke RDNS Question

2021-07-16 Thread Gary Bowling

  
  


I have an issue with mail getting rejected from a specific
  domain. It's getting rejected due to Spamdyke and RDNS. Here's the
  line out of the log. 



Jul 16 09:02:41 vm1 spamdyke[32358]: DENIED_RDNS_RESOLVE from:
  ***@**nd.com to: ***@**ion.com origin_ip: 50.**.**.98 origin_rdns:
  50-**-**-98-static.**.comcastbusiness.net auth: (unknown)
  encryption: (none) reason: (empty)


From looking at the log. It says spamdyke is blocking it due to
  RDNS not resolving. But then on the same line it shows the
  "origin_rdns" and it looks like a valid reverse dns to me.


Why is this getting blocked?


Gary

  





Re: [qmailtoaster] Spamdyke RDNS Question

2021-07-16 Thread Gary Bowling

  
  


Thanks, that's what I did. There clearly is something I don't
  understand about how denying reverse DNS works.


I whitelisted the IP and not the domain. My logic is. Someone
  from anywhere could try to fake the "domain" so whitelisting that
  might expose the server. The IP address belongs to Comcast
  Business and is likely to never belong to anyone else. So even
  though that IP might eventually belong to someone else, it's not
  likely to belong to a bad actor.



Gary



On 7/16/2021 11:42 AM, Eric Broch
  wrote:

whitelist
  it in spamdyke
  
  
  On 7/16/2021 8:28 AM, Gary Bowling wrote:
  
  


I have an issue with mail getting rejected from a specific
domain. It's getting rejected due to Spamdyke and RDNS. Here's
the line out of the log.



Jul 16 09:02:41 vm1 spamdyke[32358]: DENIED_RDNS_RESOLVE from:
***@**nd.com to: ***@**ion.com origin_ip: 50.**.**.98
origin_rdns: 50-**-**-98-static.**.comcastbusiness.net auth:
(unknown) encryption: (none) reason: (empty)



From looking at the log. It says spamdyke is blocking it due to
RDNS not resolving. But then on the same line it shows the
"origin_rdns" and it looks like a valid reverse dns to me.



Why is this getting blocked?



Gary


  
  

  





[qmailtoaster] Spamdyke RDNS Question

2022-02-23 Thread Gary Bowling

  
  


In my maillog I get messages like this. The user/domain/ip have
  been changed, but they are all valid:


spamdyke[10162]: DENIED_RDNS_RESOLVE from: fromu...@domain.com
  to: tou...@otherdomain.com origin_ip: 162.xxx.sss.yyy origin_rdns:
  server.domain.com auth: (unknown) encryption: TLS reason: (empty)


These messages get rejected by my server. My understanding is the
  messages are getting rejected by spamdyke due to un-resolvable
  reverse dns (DENIED_RDNS_RESOLVE).


However, further down in the same log message it lists
  "origin_rdns: server.domain.com" which IS the valid
  reverse dns of the domain that sent the message. 



So how can it be rejected by reverse DNS but then show the proper
  reverse DNS?? What am I missing here?


Thanks, GB

-- 
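
spamdyke logs DENIED_RDNS_RESOLVE when the name returned by the reverse lookup (the origin_rdns field) does not itself resolve to an IP address, which is why a denial line can still show an rDNS name. The script below is an added example, not part of the thread or of spamdyke: it pulls origin_ip and origin_rdns out of such log lines and repeats the forward lookup so each denial can be triaged. The use of getent for the lookup and the category names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Log layout follows the lines quoted in
# the thread; resolve_name via getent is an assumption about the host.

# Print the value of one "key: value" field from a spamdyke log line.
log_field() {    # usage: log_field <key> <line>
    printf '%s\n' "$2" | sed -n "s/.* $1: \([^ ]*\).*/\1/p"
}

# Forward lookup: print the addresses a host name resolves to, one per line.
resolve_name() {
    getent ahosts "$1" | awk '{print $1}' | sort -u
}

# Classify one log line. Prints one of:
#   not-rdns-denial  the line is not a DENIED_RDNS_RESOLVE entry
#   unresolvable     the rDNS name has no forward record now either
#   confirmed        the name resolves back to origin_ip, so the lookup
#                    failed only at delivery time (check the resolver)
#   mismatch         the name resolves, but to other addresses (reported
#                    for information; this filter only needs a resolution)
classify_rdns_denial() {
    line=$1
    case $line in
        *DENIED_RDNS_RESOLVE*) ;;
        *) echo not-rdns-denial; return 0 ;;
    esac
    ip=$(log_field origin_ip "$line")
    name=$(log_field origin_rdns "$line")
    addrs=$(resolve_name "$name")
    if [ -z "$addrs" ]; then
        echo unresolvable
    elif printf '%s\n' "$addrs" | grep -Fxq "$ip"; then
        echo confirmed
    else
        echo mismatch
    fi
    return 0
}

# Run as: sh rdns_triage.sh <path to mail log>
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    grep DENIED_RDNS_RESOLVE "$1" | while IFS= read -r l; do
        printf '%s %s %s\n' "$(classify_rdns_denial "$l")" \
            "$(log_field origin_ip "$l")" "$(log_field origin_rdns "$l")"
    done
fi
```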

  





Re: [qmailtoaster] Client Error Message

2022-07-07 Thread Gary Bowling

  
  


Thanks Eric. No, it doesn't happen every time, it only happens
  once in a while and seems to be better since I fixed the DNS
  issue. So I may have had both issues contributing.


I also had it duplicate messages, basically re-downloading all
  the email from the server that was already downloaded once (POP
  mail).


So yes, maybe I'll either downgrade or go download the 102.0.1
  version.


Thanks, G



On 7/7/2022 9:12 AM, Eric Broch wrote:


  
  I'd downgrade if at all possible:
  "Thunderbird version
  102.0.1 is only offered as direct download from
  thunderbird.net and not as an upgrade from Thunderbird version
  91 or earlier. A future release will provide updates from
  earlier versions."
  https://www.thunderbird.net/en-US/thunderbird/102.0.1/releasenotes/

  At least until this is fixed.
  Does it happen every time you send mail?
  
  
  On 7/7/2022 7:05 AM, Gary Bowling
wrote:
  
  



Thanks for that Finn, so maybe I have two problems. Hopefully
  they'll get the TB issue resolved soon. 



I will have to say that TB has had a number of changes over
  the past year that I'm not fond of and overall operation
  doesn't seem as good as it used to be. Not sure what's going
  on over there, but it's not a good direction in my opinion. 



G


On 7/7/2022 8:55 AM, Qmail wrote:

Hi Gary. 
  
  I know you got a solution from Eric, but on the Mozilla forum
  many complain about TB ver 102.0 claiming 'missing space for
  new emails' (amongst other issues for the new release). 
  
  Cheers, 
  Finn 
  
  On 06-07-2022 at 20:55, Gary Bowling wrote: 
   
For some reason, over the past few days, I've been getting
this error from my email client, Thunderbird ver 102.0
windows 64 bit client. I've been using Thunderbird for
years, nothing in the settings, setup, or anything has been
changed in years. 



I have never seen this issue and am trying to figure out if
it's a server issue or a client issue. On my local machine,
I have two drives with 39G and 48G free space respectively.
On the server I have 63G free space. So the "disk space"
error doesn't make sense to me. 


Anyone ever see this or have any experience with it? 


Thanks, G 


-- 
  
  
  
  

  

  




