Change email password on Directadmin with CLI / command line

It can happen that you don’t have access to Direcadmin’s GUI, but you have root access. I had this situation with one installation with very old OS on which the license was unable to update. So because of invalid license, control panel was not accessible. You can change email password from command line like this.

  • Go to virtual directory where passwords are saved
    myDA:~# cd /etc/virtual/mydomain.com/
    myDA:/etc/virtual/mydomain.com# 
  • You can generate new crypted passowrd like bellow. “mynewpassword” is new password.
    [root@server ~]# openssl passwd -1 -salt saltsalt mynewpassword
    $1$saltsalt$XCrU04m/7D.n5Ami6FbHo/

  • Copy generated hash from previous step and change it inside  /etc/virtual/mydomain.com/passwd

That’s it. You should be able to log in into the email account with a new password.

Found this here. Thank you very much!

Country block/allow with iptables and ipset

Here is a simple way to restrict access to your server from country’s that you don’t want to be able to connect to your services. On website www.ipdeny.com you can find IP lists for specific country’s. With a simple script, you can regularly update those lists so that they are up-to-date with new addresses. In my case, I needed a way to allow some services only available from specific countries. You can also change logic a little bit and blocking only specific county. 

This will work on Linux server with installed iptables and ipset. Ipset will contain all addresses provided from ipdeny.com. 

First, if you don’t already have it, install ipset.

[root@server ~]# dnf install ipset

Then, you’ll need to create ipset array which will contain all addresses. 

ipset create allow_cc hash:net family inet hashsize 1024 maxelem 65536

Continue Reading

mysql_secure_installation: command not found

It’s always a good idea to do basic MySQL security measures after installing fresh version of MariaDB server. For this task, I always used “mysql_secure_installation” command, which was part of installation. Some time ago, I’ve got stucked when trying to do so on MariaDB version 10.7. After some searching around, I guess command was changed.

[root@server ~]# mysql_secure_installation
-bash: mysql_secure_installation: command not found

This is a correct way on newer MariaDB versions:

root@server ~]# mariadb-secure-installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!
. . .

 

Find occurrences of the same string between two files with grep

I had this issue many times. Find the same occurrences of string between two different files so that you can pervent duplicates.

You should create foor loop that will take every line from file 1 and compare it to records in file 2.

for i in `file1.txt`; do grep -E "^$i\$" file2.txt; done

This will output only the exact strings that occurres in both files.

Letsencrypt/certbot fails when proxying with Apache ProxyPass

I had an issue on Directadmin server where client had nodejs application for which apache had to proxy on port 3001. Becouse of this, letsencrypt was not able to reach .well-known/acme-challenge/ and certificate registration/renewal failed. Solution is simple, you have to exclude proxy when requesting .well-known/acme-challenge/.

This was error whent trying to check .well-known/acme-challenge:

$ curl http://mydomain.com/.well-known/acme-challenge/test.txt 
{"errors":[{"message":"Route /.well-known/test.txt doesn't exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}%

So I added “ProxyPass !” directive just before where I create proxy directive to port 3001. Like so:

. . .
<Location /.well-known/acme-challenge>
     ProxyPass !
</Location>

<Location />
     Require all granted
     ProxyPass http://127.0.0.1:3000/
     ProxyPassReverse http://127.0.0.1:3000/
</Location>
. . . 

Then I was able tu make request to .well-known/acme-challenge sucsessfully:

> $ curl http://mydomain.com/.well-known/acme-challenge/test.txt 
It works!

I hope this helps! 🙂

Dovecot fails to reload after upgrade / code=exited, status=226/NAMESPACE

If your Dovecot fails to reload/restart after upgrade, chances are that your kernel is too old. But you can try and fix this problem with simple step bellow.

This was in syslog log:

systemd[20406]: dovecot.service: Failed at step NAMESPACE spawning /usr/bin/doveadm: No such file or directory
dovecot.service: Control process exited, code=exited status=226
systemd[1]: Reload failed for Dovecot IMAP/POP3 email server.

This was Dovecot service status:

● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
Active: active (running) (Result: exit-code) since Tue 2021-09-07 19:31:12 CEST; 1 months 28 days ago
Docs: man:dovecot(1)
Process: 20406 ExecReload=/usr/bin/doveadm reload (code=exited, status=226/NAMESPACE)

To solve, you can try and edit dovecot service script and add coment to PrivateTmp variable.

root@mailmachine:~# vi /lib/systemd/system/dovecot.service

...
[Service]
Type=forking
ExecStart=/usr/sbin/dovecot
PIDFile=/var/run/dovecot/master.pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
#PrivateTmp=true
NonBlocking=yes
# Enable this if your systemd is new enough to support it:
#ProtectSystem=full
...

Directadmin – x509: certificate signed by unknown authority – Letsencrypt

DST Root CA X3 expired on September 30, 2021. Because of this I got invalid certificate error when visiting Directadmin login in Chrome. Certificate itself was valid. CA certificate is problem. What you have to do is update system CA certificates. Also update letsencrypt via custombuild if you didn’t already.

Error was:

[root@server]# /usr/local/directadmin/scripts/letsencrypt.sh renew my.server.com
Setting up certificate for a hostname: my.server.com
2021/09/30 14:49:15 Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": x509: certificate signed by unknown authority
Certificate generation failed.

You have to update system CA certificates ( Centos in this case ):

[root@server ~]# yum install ca-certificates -y
....
[root@server ~]# update-ca-trust

Then try to create new certificate for server hostname:

[root@server]# /usr/local/directadmin/scripts/letsencrypt.sh request_single my.server.com 4096
Setting up certificate for a hostname: my.server.com
2021/09/30 14:51:50 [INFO] [my.server.com] acme: Obtaining SAN certificate
2021/09/30 14:51:51 [INFO] [my.server.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/35702261650
2021/09/30 14:51:51 [INFO] [my.server.com] acme: Could not find solver for: tls-alpn-01
2021/09/30 14:51:51 [INFO] [my.server.com] acme: use http-01 solver
2021/09/30 14:51:51 [INFO] [my.server.com] acme: Trying to solve HTTP-01
2021/09/30 14:51:57 [INFO] [my.server.com] The server validated our request
2021/09/30 14:51:57 [INFO] [my.server.com] acme: Validations succeeded; requesting certificates
2021/09/30 14:52:01 [INFO] [my.server.com] Server responded with a certificate.
Certificate for my.server.com has been created successfully!
DirectAdmin certificate has been setup.
...

SNI support for Dovecot and Postfix

If you are in position that you need multiple SSL certificates for different domains on single mail server, you can do it with SNI. Of corse, on very old versions this is not supported. Check documentation first, if its supported for your version of Dovecot and Postfix.

Dovecot:

In case of incoming mailserver Dovecot it’s easy as listed bellow. I made file ssl-sni.conf in which I add SNI configurations for my domains. Then I included ssl-sni.conf in main dovecot config.

Create ssl-sni.conf and add your SNI definitions in it:

local_name mail.domain1.com {
ssl_cert = </etc/ssl/certs/domain1/fullchain.pem
ssl_key = </etc/ssl/certs/domain1/privkey.pem
}

local_name pop3.domain2.com {
ssl_cert = </etc/ssl/certs/domain2/fullchain.pem
ssl_key = </etc/ssl/certs/domain2/privkey.pem
}
...

Then include this in main dovecot config (you can add those configurations directly in dovecot.conf or 00-ssl.conf also. I just prefer separate this):

# SNI include
!include ssl-sni.conf

Postfix:

As for Postfix, configuration is also simple:

Inside /etc/postfix/, create file domain_ssl.map and add ssl definitions in it:

mail.domain1.com /etc/ssl/certs/domain1/privkey.pem /etc/ssl/certs/domain1/fullchain.pem
smtp.domain2.net /etc/ssl/certs/domain2/privkey.pem /etc/ssl/certs/domain2/fullchain.pem

Run postmap and restart Postfix:

[root@mail postfix]# postmap -F domain_ssl.map which will create domain_ssl.map.db
[root@mail postfix]# systemctl restart postfix

If everything is OK, you should now have SNI supported mail server.

Directadmin – ModSecurity: Request body (Content-Length) is larger than the configured limit (13107200)

I had problem with uploading files on Directadmin server with mod_security enabled. I set upload_max_filesize and post_max_size to 64M, and still recived error like this:

[Wed Aug 04 23:31:30.320425 1912] [:error] [pid 1418987:tid 140666332325632] [client 89.212.96.1:64983] [client 89.212.96.1] ModSecurity: Request body (Content-Length) is larger than the configured limit (13107200). [hostname "www.geekytuts.net"] [uri "/wp-admin/async-upload.php"] [unique_id "YQpCUpEZgUlp9rxIlbunrAAAnTQ"], referer: https://www.geekytuts.net/wp-admin/media-new.php

I found out that this behavior is not caused by any mod_security rules (Free ModSecurity Rules from Comodo) but by directive SecRequestBodyLimit setting . Default value is 12.5M and since I set 64M for file uploads, I changed this value the same – in bytes.

File which you want to modify is /etc/httpd/conf/extra/httpd-modsecurity.conf. In my case, I modifyed like this:

SecRequestBodyLimit 67108864
SecRequestBodyNoFilesLimit 1048576

Directadmin – Unrouteable address error on incoming mail

I had this stupid error the other day on Directadmin. I upgraded Exim to the latest version and then all mail sent to address@email.com which was on this server was bounced with the error “Unrouteable address”. From the past, I knew that errors like this can be due to exceeded mail limit. But in this case, this was happening only for one mail out of 50 others, and no limits were reached.

After some searching, I found out that there was an alias pointing to the email address itself, which was causing this error. I removed the forwarder (alias) and incoming mail started to work again on this mailbox.

2021-05-09 20:53:28 H=([1.1.1.1]) [2.2.2.2] F=<us11-99cb50d256-903kjsd32113@inbound.mailchimp.com> rejected RCPT <address@email.com>: Unrouteable address

So I had mail forwarder like:
address@email.com -> address@email.com

So when dealing with such an error, just remove the alias like described above.

© 2024 geegkytuts.net
Hosted by SIEL


About author